Dailydave mailing list archives
SQL Injection - Strange Result
From: "H. Daniel Regalado Arias" <dan57170 () yahoo com>
Date: Thu, 18 Oct 2007 13:00:10 -0700 (PDT)
Hi Dave and Friends,

I have a problem while making a PHP / MSSQL 2000 web app assessment. After many days, and due to my lack of experience, I am able to bypass single quotes using char() or "[]" when trying to execute a stored procedure, so by now I am able to inject code directly into the database without being filtered, but after sending the next test:

http://www.client.com/mod.php?id=1;begin%20declare%20@q%20varchar(8000)select%20@q%20=%200x73656c65637420404076657273696f6e%20exec(@q)%20end;--

or another stored procedure like:

http://www.client.com/mod.php?id=1;exec%20sp_makewebtask%20%5Bc:\inetpub\wwwroot\sssssssss\index_olld.html%5D,%20%5Bselect%20*%20from%20TABLE%5D;--

the application responds with something like:

SQL error: [Microsoft][ODBC SQL Server Driver]Connection is busy with results for another hstmt, SQL state S1000 in SQLExecDirect in C:\D\Inetpub\wwwroot\sssssssssss

I think it is because of the first query (the one that belongs to the id=1 parameter, even though 1 results in 0 rows). I have read a lot on SQL injection (Advanced, More, and so on), but all of them always execute a stored procedure after a semicolon and none of them says anything about this error. I thought of putting a delay before my stored procedure, or a command to free the database connection handler. What do you think?

By the way, I am not able to run xp_cmdshell because of the database user permissions. Maybe I could try to elevate privileges, but the error described above always appears.

Thanks in advance.

H. Daniel Regalado Arias, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com

----- Original message ----
From: Dave Aitel <dave () immunityinc com>
To: dailydave <dailydave () lists immunitysec com>
Sent: Thursday, 18 October 2007 12:40:06
Subject: [Dailydave] SQL Hooker Release

http://forum.immunityinc.com/index.php?topic=92.0

JMS and I decided to put our code where our mouth was. It looks a lot like this:

PyCommands $ python sql_listener.py 8081
2.4 Set up XMLRPC Socket on 0.0.0.0 port 8081
select count(*) from users where userName='cow' and userPass='boy'
10.10.10.243 - - [18/Oct/2007 13:03:17] "POST / HTTP/1.0" 200 -

Next up - file operation hooking perhaps? :>

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
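A detection-side companion to the two requests quoted in the post, added here and not part of the thread or of Immunity's SQL Hooker: it scans constructed Common Log Format lines for the stacked-statement shape (a numeric id followed by ';' and a further T-SQL statement) and for hex literals handed to exec(), which it decodes for analyst triage. The log format and the set of parameters the application treats as integers (just 'id') are assumptions.

```python
"""Flag stacked-query SQL injection attempts in web access logs.
Added example, not code from the thread or SQL Hooker: a numeric id followed by
';' and another T-SQL statement, or a hex literal handed to exec(), is reported.
Log lines are constructed; Common Log Format and an integer 'id' are assumed."""
import re
from urllib.parse import unquote_plus, urlparse

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Statement starters that only make sense as a second, stacked statement.
STACKED = re.compile(r";\s*(exec|execute|begin|declare|select|insert|update|delete|drop|sp_\w+|xp_\w+)", re.I)
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")
NUMERIC_PARAMS = {"id"}  # assumption: parameters the app treats as integers

def parse_query(url):
    """Split the query on '&' only, so a ';' stays inside its value."""
    parts = (p.partition("=") for p in urlparse(url).query.split("&") if p)
    return [(unquote_plus(n), unquote_plus(v)) for n, _, v in parts]

def decode_hex_literal(digits):
    """T-SQL hex literal to text, or '' when it is not printable ASCII."""
    try:
        text = bytes.fromhex(digits).decode("ascii")
    except ValueError:  # odd length or non-ASCII bytes
        return ""
    return text if text.isprintable() else ""

def inspect_url(url):
    """Return findings for one request URL; an empty list means clean."""
    findings = []
    for name, value in parse_query(url):
        if name in NUMERIC_PARAMS and not value.isdigit():
            hit = STACKED.search(value)
            findings.append(f"{name}: stacked {hit.group(1).lower()}" if hit
                            else f"{name}: non-numeric value")
        for text in filter(None, map(decode_hex_literal, HEX_LITERAL.findall(value))):
            findings.append(f"{name}: hex literal decodes to {text!r}")
    return findings

def scan_log(lines):
    """Map each suspicious 1-based log line number to its findings."""
    hits = ((n, REQUEST.search(line)) for n, line in enumerate(lines, 1))
    report = {n: inspect_url(m.group(1)) for n, m in hits if m}
    return {n: f for n, f in report.items() if f}

SAMPLE_LOG = [  # constructed, modelled on the requests quoted in the post
    '10.10.10.243 - - [18/Oct/2007:13:03:17 -0700] "GET /mod.php?id=1 HTTP/1.0" 200 512',
    '10.10.10.243 - - [18/Oct/2007:13:03:20 -0700] "GET /mod.php?id=1;begin%20declare%20@q%20'
    'varchar(8000)%20select%20@q%20=%200x73656c65637420404076657273696f6e%20exec(@q)%20end;-- HTTP/1.0" 500 88',
    r'10.10.10.243 - - [18/Oct/2007:13:03:25 -0700] "GET /mod.php?id=1;exec%20sp_makewebtask%20'
    r'%5Bc:\out.html%5D,%5Bselect%20*%20from%20TABLE%5D;-- HTTP/1.0" 500 88',
]
```

Running `scan_log(SAMPLE_LOG)` reports lines 2 and 3 only; the first, well-formed request produces no finding.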
Current thread:
- SQL Injection - Strange Result H. Daniel Regalado Arias (Oct 18)
- Re: SQL Injection - Strange Result J.M. Seitz (Oct 18)
- Re: SQL Injection - Strange Result Adriel Desautels (Oct 18)