Dashboard Articles Playground Discussions More
Follow

MsSQL Database Structured Query Language Injection

Keeper
12 years ago

0

The SQL Injection on ASP is same as on PHP...but a little bit of changes are made... So first of all we will find some site that is vulnerable and is on .asp So assume that u got a site with the name of ```http://www.target.com/``` Now find page where the site is vulnerable to SQL Injection... You can check the vulnerability by adding single quotation ' at the end of URL like ```http://www.target.com/product.asp?id=13'``` If u get this error... ```Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'department_id=1024''. /deptdet.asp, line 122``` Then this means the site is vul to sql injections...Now we are going to find the columns in it...Normally we use -- at the end of string but in this case we will be using # ```http://www.target.com/product.asp?id=13 order by 1#``` Suppose that the site has 10 columns...when you will use the query "order by 1#" (without double quotations) You will not get any error...the page will load normally...but when you will use the query "order by 11#" (without double quotations) you will get an error this means that the site has 10 columns... So we will have an error on this query ```http://www.target.com/product.asp?id=13 order by 11#``` But when we will use this query, we will not get any error ```http://www.target.com/product.asp?id=13 order by 10#``` This tells us that the table has 10 columns Now we will write the query as... ```http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10#``` So now in next step we need name of a table to get number of largets visible column from all .. let me explain bit , like in simple sql injection we use union select 1,2,3,4,5,6 -- and we get a number to get information from site , in this we need a table name to get that number of visible column , So to get that number we are going to add name of table after union select 1,2,3,4,5,6,7, ..,10 In this scripts of getting table names dont work most times i tried some of them so we will add name of tables manually normally name of tables are " admin,tbladmin,tbl_admin,user,users,login,info,email" etc . Suppose in the site we got admin table that is visible. Now our url will look like: ```http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10 from admin#``` After this we will get number of largest visible column which we can use to get data from site. Suppose we got 3,7and 6 columns that are visible... So now we are going to use 3 to get information now all we have to do is just put the name of column instead of 3 in string and we will get username and password , Now our URL will look like ```http://www.target.com/product.asp?id=13 union select 1,2,name,4,5,6,7,8,9,10 from admin#``` Suppose we got a username instead of the number 3. and then change column name with passwords column name you will get the password ;) URL will be like ```http://www.target.com/product.asp?id=13 union select 1,2,passwords,4,5,6,7,8,9,10 from admin#```

Hope you learnt something new! Thanks for reading and if you got any questions feel free to ask them in the thread.

0replies
1voice
152views
You must be logged in to reply to this discussion. Login
1 of 1

This site only uses cookies that are essential for the functionality of this website. Cookies are not used for tracking or marketing purposes.

By using our site, you acknowledge that you have read and understand our Privacy Policy, and Terms of Service.

Dismiss