Fast-Track

attacks by focusing on query string and POST parameters within web applications. The following attack relies on the attacker knowing that SQL injection is present on the target website, and also knowing which parameter is vulnerable. This attack will work only on MS SQL–based systems.

SQL Injector—Query String Attack

Begin the setup for the attack by selecting Microsoft SQL Tools from the main menu and then MSSQL Injector, as shown below.

Pick a list of the tools from below:

1. MSSQL Injector
2. MSSQL Bruter
3. SQLPwnage

Enter your choice : 1

The simplest form of SQL injection is within the query string, typically sent in the URL field from the browser to the server. This URL string can often contain parameters that inform a dynamic site what information is being requested. Fast-Track distinguishes which field to attack by inserting an 'INJECTHERE into the vulnerable query string parameter, like this:

http://www.secmaniac.com/index.asp?id='INJECTHERE&date=2011

When Fast-Track starts to exploit this vulnerability, it will look for the id string in all fields to determine which field to attack. Let’s look at this in action by selecting the first option, Query String Parameter Attack.

Enter which SQL Injector you want to use

1. SQL Injector - Query String Parameter Attack
2. SQL Injector - POST Parameter Attack
3. SQL Injector - GET FTP Payload Attack
4. SQL Injector - GET Manual Setup Binary Payload Attack

Enter your choice: 1

. . . SNIP . . .

Enter the URL of the susceptible site, remember to put 'INJECTHERE for the 
injectable parameter

Example:http://www.thisisafakesite.com/blah.aspx?id='INJECTHERE&password=blah

Enter here: http://www.secmaniac.com/index.asp?id='INJECTHERE&date=2011

Sending initial request to enable xp_cmdshell if disabled...
Sending first portion of payload (1/4)...
Sending second portion of payload (2/4)...
Sending third portion of payload (3/4)...
Sending the last portion of the payload (4/4)...
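
Seen from the web server's side, the requests above arrive as query string values carrying a quote followed by MS SQL keywords such as xp_cmdshell. The following is an added example, not code from the book or from Fast-Track, that scans access log lines for that pattern one parameter at a time; the log layout, the keyword list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed indicator list (chosen for this example, not taken from Fast-Track):
# MS SQL keywords that normally have no place in a query string value.
MSSQL_KEYWORDS = re.compile(
    r"xp_cmdshell|sp_configure|\breconfigure\b|\bexec(?:ute)?\b|\bdeclare\b",
    re.IGNORECASE,
)

# Constructed sample log lines in a simplified "METHOD URI STATUS" layout.
SAMPLE_LOG = """\
GET /index.asp?id=12&date=2011 200
GET /index.asp?id=12%27%3BEXEC+sp_configure+%27xp_cmdshell%27--&date=2011 500
GET /index.asp?id=O%27Brien&date=2011 200
GET /search.asp?q=exec+summary 200
"""


def scan_line(line):
    """Return one finding per query string parameter that looks like MS SQL injection."""
    method, uri, status = line.split()
    findings = []
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        # parse_qsl has already URL-decoded the value (%27 -> ', + -> space).
        hits = sorted({m.group(0).lower() for m in MSSQL_KEYWORDS.finditer(value)})
        # Require a quote as well as a keyword: a quote alone (O'Brien) or a
        # keyword alone ("exec summary") is common in benign traffic.
        if "'" in value and hits:
            findings.append({"param": name, "keywords": hits, "status": int(status)})
    return findings


def scan_log(text):
    """Scan every non-empty line and return (line number, finding) pairs."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            results.extend((lineno, finding) for finding in scan_line(line))
    return results


if __name__ == "__main__":
    for lineno, finding in scan_log(SAMPLE_LOG):
        print(lineno, finding)
```

Reporting the parameter name alongside the keywords points the responder at the field that needs a parameterized query, and the HTTP status helps separate probes that errored from requests the application accepted.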