
I managed to find a vulnerability in a so-called friend of mine's website and I want to show him that his website is vulnerable to data extraction.

When I use something like yes')-- as the post value, I get the following debug info:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' ) or (r.nrinreg=1 and datainreg='01.01.2017' and r.adresant like '%yes' at line 3

So basically my input is inside some brackets. Doing yes%')-- results in a slow-loading page that ends up completely blank. So that would result in something like this query:

or (r.nrinreg=1 and datainreg='01.01.2017' and r.adresant like '%yes%') -- whatever is after the comment

How can I get any data or MySQL version from that query knowing that the input isn't escaped?

Also, what is this kind of SQL injection called?

ASP.NET Version:2.0.50727.8762

an4rei
  • 9
  • 3

2 Answers

1

Sometimes (most of the time) you can't. It's so-called blind SQL injection. What you usually can do is to delete (you don't usually want to) or create or modify some data (yes, this is what you want to do) or to avoid some expression evaluation (i.e. password = password).

Typical tasks you want to do are to assign the admin role to your account or to change the admin password, force the application to present modified data to target users (stored XSS and many other things) or just to log in without knowledge of a username/password. Moreover, on MS SQL (if badly configured) you can also start system commands, so in the end there are many possibilities, including obtaining complete control over the server and further servers in the infrastructure.

Good luck but be ethical!

Fis
  • 1,200
  • 7
  • 10
1

This is blind SQL injection.

You must find out how many columns are used in that SQL query, and then, use a UNION to append the data you want.

To get the number of columns, try this, stopping on 1st success:

') UNION SELECT 1 --
') UNION SELECT 1, 2 --
') UNION SELECT 1, 2, 3 --
...
') UNION SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9... --

I've already found some cases where MySQL requires a space before and after the comment tag (using '--' fails while ' -- ' works; the ' are irrelevant and are just here to show you the extraneous spaces), so it might be worth keeping the extra ending space.

The query will fail until you get the right number of columns. When it succeeds, find where each column ends up in the page (some columns might not be used in the page, so the data they contain will never reach your screen). Then you can inject any SELECT you want and retrieve info like the MySQL version:

') UNION SELECT VERSION(), 2, 3, 4...

Note that some columns might be used internally, like an id column: if such a column has improper data, your final page might load but will be empty (imagine that the website is a forum and the 1st column is the id of the author of each message; if the author does not exist, the page crashes, so in such a case you must have an existing ID in the 1st column).

Another good way of getting info is SELECTing it from the information_schema: this is the reason why your website's MySQL user must have the least privileges possible, so it cannot access that critical table (same for some others like mysql or performance_schema).

Lastly, don't forget this can be done only if the web owner allows you to, as a very efficient proof of concept of a real attack (all these steps can be performed automatically by SQLMap or software like that).

Xenos
  • 1,331
  • 8
  • 16
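To make the query construction revealed by the question's error message concrete from the defender's side, here is an added Python/SQLite example (not code from the original post or the site in question) showing the concatenated LIKE clause beside its parameterised replacement. It assumes a constructed reg table with the columns named in the error, uses SQLite as a stand-in for MySQL, and relies on the fact that SQLite's -- comment needs no trailing space, so the same yes')-- input that produced a syntax error in MySQL runs here with its structure silently altered.

```python
import sqlite3

# Constructed sample rows (not from the original post): nrinreg, datainreg, adresant.
ROWS = [
    (1, "01.01.2017", "yes, confirmed"),
    (1, "01.01.2017", "says yes"),
    (1, "01.01.2017", "no reply"),
    (2, "02.01.2017", "yes"),
]


def make_db():
    """In-memory SQLite stand-in for the MySQL table behind the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table reg (nrinreg integer, datainreg text, adresant text)")
    conn.executemany("insert into reg values (?, ?, ?)", ROWS)
    return conn


def search_unsafe(conn, term):
    """Builds the statement by string concatenation, as the error message in the
    question reveals: the raw term lands inside LIKE '%...%' with no escaping.
    A term such as yes')-- closes the literal and the bracket and comments out
    the rest, so the pattern becomes '%yes' and the trailing clause is lost."""
    sql = ("select adresant from reg r where (r.nrinreg=1 and datainreg='01.01.2017' "
           "and r.adresant like '%" + term + "%')")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterised form: the statement text is fixed and the term travels as
    data, so quotes and comment markers cannot change the query's structure.
    LIKE metacharacters are escaped as well, so '%' and '_' match literally."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("select adresant from reg r where (r.nrinreg=1 and datainreg='01.01.2017' "
           "and r.adresant like ? escape '\\')")
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


if __name__ == "__main__":
    conn = make_db()
    for term in ("yes", "yes')--", "yes%')--"):
        print(repr(term), "unsafe:", search_unsafe(conn, term),
              "safe:", search_safe(conn, term))
```

The same parameter binding is what the ASP.NET site should use (a parameterised command with the wildcard added to the bound value), and the answer's least-privilege advice still applies on top, since binding stops structural injection but does not limit what an already-injected query may read.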