
I am back again with another question regarding DVWA. I've upgraded to MSSQL 2005 this time, and I have another set of questions. I don't understand a couple of things, and I would like some kind individual to make them clear to me.

So basically, as usual, my goal is to obtain all databases from the DVWA, as well as escalate to the admin panel using manual injection techniques.

What I have so far is the database, but I am getting a little confused with the change in syntax. I asked the server to get the databases, and it returned me with the first database. My query is as follows:

+
and+1=
    convert
    (
       int,db_name()
    )
--

My first question is - how can I edit this query so that I will be able to see all the databases, because from my knowledge, this query only drops the 1st database in the SQL data. Okay, my second question is, the first database that was dropped was "information", when I looked for the tables using this query:

+
and+1=
    convert
    ( 
       int,
       (
          select+top+1+table_name+from+information_schema.tables
       )
    )
--

It returned the first table of that database. Firstly, let's say I have more than the first database: how can I change this query to get the tables for whatever that database name would be? Secondly, the table it returned was tbl_info_id.

Take note, the server is running IIS 6.0, on ColdFusion. As I am aware, to request the next table from that database I would have to create a query such as this one:

+
and+1=
    convert
    (
       int,
       (
          select+top+1+table_name+from+
              information_schema.tables+where+table_name+not+in('tbl_info_id')
       )
    )
--

How come when I write it, the server responds with:

[SQLServer]Incorrect syntax near 'tbl_info_id'.

That's all, if anyone can explain all this to me, it would be greatly appreciated! Cheers.

Mr. Radical
user3267146
    I'm clearly missing something: what language's syntax is `+and+1` (etc) part of? – Adam Cameron Feb 10 '14 at 09:27
  • 1
    @user3267146, bumping is ineffective on StackOverflow. Unlike other forums, commenting on your question or even editing it will not cause it to rise to the top of the display. – Dan Bracuk Feb 10 '14 at 12:59
  • 1
    Adam, they're trying to do SQL injection, so these are probably strings being added to a URL. – Peter Boughton Feb 10 '14 at 17:17
  • Hi @PeterBoughton. I saw the injection reference in the title, but I don't see how the question is a coherent one..? – Adam Cameron Feb 10 '14 at 21:45
  • *shrug* I can see what their two questions are, and I'm pretty sure I know what the issue is and how to solve them... but what I'm not sure about is whether this is an educational thing or actually asking for help breaking into someone's system, so don't know that I should answer. :/ – Peter Boughton Feb 10 '14 at 22:12

1 Answer

There are two things wrong with this:

convert
(
   int,
   (
      select+top+1+table_name+from+
          information_schema.tables+where+table_name+not+in('tbl_info_id')
   )
)

The first is the plus signs. Replace them with single spaces.

The second is that you are attempting to convert a non-numeric string to an integer. That will not compute.

Regarding logic, your prose says that you want database names, but your code is looking for table names. If you want database names, do this:

select name
from sys.databases
Dan Bracuk
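As an added example (not code from the question or the answer above), here is a small defender-side detector for the error-based MSSQL pattern the thread discusses, run over IIS W3C request logs: it URL-decodes the query string the way the server does, so the `+` signs the question turns on become spaces before any matching, and it treats a 5xx response to SQL-shaped input as an extra signal that the application is leaking errors. The log lines, field order, `/dvwa/sqli/index.cfm` path and rule names are all constructed for this demonstration.

```python
import re
from urllib.parse import unquote_plus

# IIS W3C field order assumed for the constructed sample below.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed log excerpt (not from the post); the 500s carry the post's own payloads,
# the last line is benign text that happens to contain the word "convert".
SAMPLE_LOG = """\
2014-02-10 09:27:01 10.0.0.5 GET /dvwa/sqli/index.cfm id=1 80 - 192.0.2.10 Mozilla/5.0 200
2014-02-10 09:27:44 10.0.0.5 GET /dvwa/sqli/index.cfm id=1+and+1=convert(int,db_name())-- 80 - 192.0.2.10 Mozilla/5.0 500
2014-02-10 09:28:10 10.0.0.5 GET /dvwa/sqli/index.cfm id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))-- 80 - 192.0.2.10 Mozilla/5.0 500
2014-02-10 09:30:00 10.0.0.5 GET /dvwa/index.cfm q=convert%20this%20report 80 - 192.0.2.20 Mozilla/5.0 200
"""

# Signatures of the page's MSSQL error-based pattern, applied to the decoded, lower-cased query.
RULES = [
    ("mssql_convert_int", re.compile(r"\bconvert\s*\(\s*int\s*,")),
    ("mssql_information_schema", re.compile(r"\binformation_schema\.(tables|columns)\b")),
    ("mssql_db_name", re.compile(r"\bdb_name\s*\(")),
    ("mssql_top_1_subselect", re.compile(r"\(\s*select\s+top\s+1\b")),
    ("sql_comment_terminator", re.compile(r"--\s*$")),
]

def parse_w3c(text):
    """Yield one dict per data line; skip '#' directives and malformed lines."""
    for line in text.splitlines():
        parts = line.split(" ")
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def score_request(rec):
    """Decode the query as the server would ('+' -> space, %XX -> byte); return (query, tripped rules)."""
    q = unquote_plus(rec["cs-uri-query"]).lower()
    hits = [name for name, rx in RULES if rx.search(q)]
    # A 5xx alongside SQL-shaped input means the app may be leaking the DB error: record it.
    if hits and rec["sc-status"].startswith("5"):
        hits.append("server_error_on_sql_input")
    return q, hits

def detect(text, min_rules=2):
    """Return (client ip, decoded query, rules) for every request tripping >= min_rules."""
    findings = []
    for rec in parse_w3c(text):
        q, hits = score_request(rec)
        if len(hits) >= min_rules:
            findings.append((rec["c-ip"], q, hits))
    return findings
```

Requiring two rules before alerting keeps ordinary text containing "convert" or a trailing "--" from paging anyone, while the page's payloads trip four and five rules respectively.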