Use SQL Injection for Trial and error with SQL Server 08

This night, i wanna share a code development for inject a database server with some example database commonly,  let check this out for further trick.

var Shipcity;
ShipCity = Request.form ("PersonTitle");
var sql = "select * from OrdersTable where PersonTitle = '" + ShipCity + "'";


In those section use a commonly CRUD application ;

SELECT * FROM OrdersTable WHERE PersonTitle = 'KGRHRoySuryo' 

Specified that KGRHRoySuryo is a data for person title in a db_****, hence 

KGRHRoySuryo'; drop table OrdersTable--

So, the complete command 

SELECT * FROM OrdersTable WHERE PersonTitle = 'KGRHRoySuryo';drop table OrdersTable--' 

CRUD implementation is very useful in this section, so to generate the data in real view, populate in to this one,
  • XML
  • use Transact-SQL command to execute
  • Real data population up to date
  • Use the parser command such as AUX, CLOCK$, COM1, COM8, CON, CONFIG$, LPT1,LPT8, NUL, PRN

Command in transaction SQL likewise = ;, ‘, –, /* … */, xp_

Gunakan parameter lebih lanjut untuk bisa mengeksekusinya utk mendapatkan ID Login, likewsie ;

SqlDataAdapter myCommand = new SqlDataAdapter("AuthorLogin", conn);
myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id",
     SqlDbType.VarChar, 11);
parm.Value = Login.Text;

atau the simple algorithm for this mengumpulkan informasi login yang sudah terbiasa dilakukan ;

SqlDataAdapter myCommand =
new SqlDataAdapter("LoginStoredProcedure '" +
                               Login.Text + "'", conn);

use the parameter lain untuk bisa membuka tabel dari salah satu db yg ada;

SqlDataAdapter myCommand = new SqlDataAdapter(
"SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", conn);
SQLParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id",
                        SqlDbType.VarChar, 11);
Parm.Value = Login.Text;

Use replace function to print the text.

private string SafeSqlLiteral(string inputSQL)
{
  return inputSQL.Replace("'", "''");
}

or, gunakan fungsi LIKE untuk mengumpulkan informasi dg parameter lainnya 

s = s.Replace("[", "[[]");
s = s.Replace("%", "[%]");
s = s.Replace("_", "[_]");xp_executeSQL yang disebut diatas bisa diimplementasikan dg fungsi2 terlampir ;

SELECT object_Name(id) FROM syscomments

WHERE UPPER(text) LIKE ‘%EXECUTE  (%’

OR UPPER(text) LIKE ‘%EXECUTE  (%’

OR UPPER(text) LIKE ‘%EXECUTE   (%’

OR UPPER(text) LIKE ‘%EXECUTE    (%’

OR UPPER(text) LIKE ‘%EXEC (%’

OR UPPER(text) LIKE ‘%EXEC  (%’

OR UPPER(text) LIKE ‘%EXEC   (%’

OR UPPER(text) LIKE ‘%EXEC    (%’

OR UPPER(text) LIKE ‘%SP_EXECUTESQL%’

QUOTENAME() Domba REPLACE()

 Belum selesai, keburu batch command merestarttttttttttttttttttttt....
Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: