[disclaimer]
READ FULLY! READ FULLY! READ FULLY!
This is another SQL injection tutorial, but this time, it's for MSSQL, or Microsoft SQL Server. This will work on vulnerable pages with the extension: .asp.
FOR PAGES WITH THE PHP EXTENSION, REFER HERE: MySQL Injection Tutorial
The first thing you'll need is a vulnerable website, and to find one, you'll need a dork. (Refer to other tutorial for more info on dorks).
Say I have found a site that I want to test for being vulnerable. Simply add an apostrophe to the integer.
That apostrophe should return an error. The error MUST include the words "Syntax error" in order to confirm the vulnerability. If the error is VBScript Runtime or something like that, it won't work.
Now, we want to extract the number of columns. Type this:
Unlike MySQL injection, we will using a hash mark as our comment instead of the two hyphens.
The order by 1# command should load the page normally. If not, move on to another site. Now try this:
That should return an error. Now change that to 10 until you produce an error. WHEN you get to that error, take the integer and subtract one. That's the amount of columns this database has. If the site produces an error when enter order by 10#, DECREASE the integer until you load the page normally, then DO NOT SUBTRACT ONE. That's how many columns your db has.
Say my db has NINE columns. Unfortunately, we have to guess the table names.
Type this:
You'll soon realize that the above command will not produce results without a table. Here are some common ones: admin, tbladmin, tbl_admin, user, users, login, info, email, etc.
SO the correct version would be this if the table name is admin:
This should show the page with a few numbers randomly scattered around.
Now we will get data. In this case, we will have to guess the name of the columns in order to produce the data. SO, take the number of your choice off the page, in my case I have TWO and SEVEN, I will choose TWO, go back to your URL and replace the number of your choice, for me it will be TWO with your column name guess. If the table name is tbl_admin, tbladmin, admin or anything that might include login info, try different column name like username, uname, UsrName, UserName, etc. Here's an example:
That gives me the db username. Do it again for the password.
And you should have your password as well.
Good luck and have fun!
CYBERTECHFORUMS.COM, THE ADMINISTRATORS, AND I AM NOT RESPONSIBLE FOR WHAT YOU DO WITH THIS INFORMATION. EDUCATIONAL USE ONLY.
READ FULLY! READ FULLY! READ FULLY!
This is another SQL injection tutorial, but this time, it's for MSSQL, or Microsoft SQL Server. This will work on vulnerable pages with the extension: .asp.
FOR PAGES WITH THE PHP EXTENSION, REFER HERE: MySQL Injection Tutorial
The first thing you'll need is a vulnerable website, and to find one, you'll need a dork. (Refer to other tutorial for more info on dorks).
Say I have found a site that I want to test for being vulnerable. Simply add an apostrophe to the integer.
Code:
site.com/product.asp?prodid=1'
That apostrophe should return an error. The error MUST include the words "Syntax error" in order to confirm the vulnerability. If the error is VBScript Runtime or something like that, it won't work.
Now, we want to extract the number of columns. Type this:
Code:
site.com/product.asp?prodid=1 order by 1#
Unlike MySQL injection, we will using a hash mark as our comment instead of the two hyphens.
The order by 1# command should load the page normally. If not, move on to another site. Now try this:
Code:
site.com/product.asp?prodid=1 order by 100000000#
That should return an error. Now change that to 10 until you produce an error. WHEN you get to that error, take the integer and subtract one. That's the amount of columns this database has. If the site produces an error when enter order by 10#, DECREASE the integer until you load the page normally, then DO NOT SUBTRACT ONE. That's how many columns your db has.
Say my db has NINE columns. Unfortunately, we have to guess the table names.
Type this:
Code:
site.com/product.asp?prodid=1 union select 1,2,3,4,5,6,7,8,9#
You'll soon realize that the above command will not produce results without a table. Here are some common ones: admin, tbladmin, tbl_admin, user, users, login, info, email, etc.
SO the correct version would be this if the table name is admin:
Code:
site.com/product.asp?prodid=1 union select 1,2,3,4,5,6,7,8,9 from admin#
This should show the page with a few numbers randomly scattered around.
Now we will get data. In this case, we will have to guess the name of the columns in order to produce the data. SO, take the number of your choice off the page, in my case I have TWO and SEVEN, I will choose TWO, go back to your URL and replace the number of your choice, for me it will be TWO with your column name guess. If the table name is tbl_admin, tbladmin, admin or anything that might include login info, try different column name like username, uname, UsrName, UserName, etc. Here's an example:
Code:
site.com/product.asp?prodid=1 union select 1,username,3,4,5,6,7,8,9 from admin#
That gives me the db username. Do it again for the password.
Code:
site.com/product.asp?prodid=1 union select 1,password,3,4,5,6,7,8,9 from admin#
And you should have your password as well.
Good luck and have fun!
CYBERTECHFORUMS.COM, THE ADMINISTRATORS, AND I AM NOT RESPONSIBLE FOR WHAT YOU DO WITH THIS INFORMATION. EDUCATIONAL USE ONLY.