
I have a simple web application in ASP with a SQL Server back end database. The login page has an injection point and I am able to bypass the login by the usual `' OR 1=1`. Now I was able to enumerate the columns in the database using GROUP BY and HAVING statements. I was able to enumerate the information in the error thrown at me.

```sql
' or '1' = '1' GROUP BY tblCustomers.cust_id, tblCustomers.cust_name, tblCustomers.cust_password, tblCustomers.cust_account
HAVING 1=1 --
```

I am in the learning phase and I found out that the cust_id, cust_name, cust_password, cust_account are the columns and tblCustomers is the table name.

I am also able to use AND statements along with the convert function to enumerate some information. The command I used is `' or '1' = '1' and 1=convert(int,@@version)--` and again I am able to get the information in the errors.

Now, how can I dump the entries in the database to know at least the customer name and password? I tried stacked queries separated by a semicolon, but after executing the first query, i.e. `' OR 1=1`, I just log in and can't see any output, as there's no other parameter; I cannot output it anywhere else on the page (there are no parameters and there's just a blank page after I log in). UNION SELECT is not working as I am not able to guess the first SELECT statement and it exits. Any functions that can help me dump the customer names and passwords?

I'll really appreciate any help with this. Thanks.

  • Make the 1st query disallow login, i.e. instead of "or 1 = 1" write "and 1 < 1", then the next statement. If I understand correctly where you can inject, login will fail and you'll get your dump (hopefully, but depends on the portal you are fiddling with). EDIT: BTW why do you enter a correct user/pwd combo if you want the query to fail? + you can kinda figure out the login query, it should be very simple (user name & password, perhaps?)
    – user2299169
    Jun 5, 2016 at 15:57
  • Thanks Mark. I tried your suggestion: `' and 1<1 ; SELECT * from tblCustomers`. This time the login fails and it takes me back to the login prompt again. It's just a learning web application so there is absolutely nothing more once one is able to log in.
    – Tim
    Jun 5, 2016 at 16:08
  • I add this as an answer then, thanks if you accept ;)
    – user2299169
    Jun 5, 2016 at 17:31
  • Try `union select 1,1,1,1` (and again) to count the number of fields in the select. Success is not guaranteed because the page may stop reading after the 1st row.
    Jun 5, 2016 at 17:33
  • Hi Alex, the query you suggested gives me an error: `Syntax error converting the varchar value 'abraham' to a column of data type int`. I am expecting the first column cust_id to be of data type int. Also, I'd like to mention that the error page is a traditional "page not displayed" and contains the information somewhere along with the POST request details.
    – Tim
    Jun 5, 2016 at 22:34

1 Answer

Make the 1st query disallow login, i.e. instead of "or 1 = 1" write "and 1 < 1", then the next statement. If I understand correctly where you can inject, login will fail and you'll get your dump (hopefully, but depends on the portal you are fiddling with). EDIT: BTW why do you enter a correct user/pwd combo if you want the query to fail? + you can kinda figure out the login query, it should be very simple (user name & password, perhaps?)
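The bypass and the error-based column enumeration discussed in the question and answer, rebuilt as an added example (not code from the question, the answer, or the learning application) on Python's built-in SQLite: a string-built login query next to a parameterised one with generic error handling. The table, row and password are constructed; the ASP app's real query is unknown and assumed to look like the concatenated one.

```python
"""Why the question's payloads work against string-built SQL, and how bound
parameters plus a generic error reply close both the bypass and the
error-message enumeration. Assumes an in-memory SQLite table, not SQL Server."""
import sqlite3

# Constructed sample table; column names mirror the question's tblCustomers.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE tblCustomers (cust_id INTEGER, cust_name TEXT, "
            "cust_password TEXT, cust_account TEXT)")
_db.execute("INSERT INTO tblCustomers VALUES (1, 'abraham', 's3cret', 'ACC-1')")
_db.commit()

def login_vulnerable(user: str, pw: str) -> str:
    """Concatenates input into SQL (the assumed shape of the ASP login) and
    returns the DB error verbatim, which is what error-based enumeration reads."""
    sql = (f"SELECT cust_name FROM tblCustomers WHERE cust_name = '{user}' "
           f"AND cust_password = '{pw}'")
    try:
        row = _db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"error: {exc}"          # leaks schema details to the client
    return f"welcome {row[0]}" if row else "login failed"

def login_hardened(user: str, pw: str) -> str:
    """Bound parameters: input is data, never SQL. Any DB error maps to one
    generic reply; the detail belongs in a server-side log, not the response."""
    sql = ("SELECT cust_name FROM tblCustomers WHERE cust_name = ? "
           "AND cust_password = ?")
    try:
        row = _db.execute(sql, (user, pw)).fetchone()
    except sqlite3.Error:
        return "login failed"
    return f"welcome {row[0]}" if row else "login failed"

BYPASS = "' OR '1'='1"                            # the tautology from the question
ENUM = "' GROUP BY no_such_col HAVING 1=1 --"     # constructed error-raising probe

if __name__ == "__main__":
    print(login_vulnerable("x", BYPASS))   # welcome abraham
    print(login_vulnerable(ENUM, "x"))     # error: no such column: no_such_col
    print(login_hardened("x", BYPASS))     # login failed
    print(login_hardened(ENUM, "x"))       # login failed
```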
