Penetration Testing mailing list archives

RE: SQL


From: Andy Miller <Andy.Miller () insight co uk>
Date: Wed, 21 Nov 2001 17:20:05 -0000

Don't you need the returned recordset to be written to the html stream in
order to see anything useful?  For instance if you are just looking at a
login page you may not get any joy with appending extra SELECTs?  We have
just been playing with exactly this!

Andrew Miller
Technical Research Consultant
Insight Consulting Limited
Tel.  (44) 01932 241000
Fax. (44) 01932 236854
Andy.miller () insight co uk
www.insight.co.uk

 -----Original Message-----
From:   Javier Fernández-Sanguino [mailto:jfernandez () germinus com] 
Sent:   20 November 2001 08:42
To:     garyo () sec-1 com; PEN-TEST () securityfocus com
Subject:        RE: SQL


You might (90% chance) have a possibility to 

a) alter the database
b) execute remote commands in the SQL server

This is a common error (not quoting quotes :). It is due to the SQL
statement executed on the IIS server (through an ODBC connection)
simply having the information given by the user appended to it.

Thus:

SELECT * from test where value='$user'

if user=' becomes:

SELECT * from test where value='''

which generates your error.

However, you can do the following
if user=test'; select * from test -- becomes:

SELECT * from test where value='test'; select * from test -- '

which is a valid SQL statement (two as a matter of fact) and
if user=test'; exec master..xp_cmdshell 'dir' -- becomes:

SELECT * from test where value='test'; exec master..xp_cmdshell 'dir' --


which will run the 'dir' command on the SQL server (not on the IIS!).
This is fun since, in some cases, the IIS server is in a DMZ and the
SQL server is in the internal LAN or behind another firewall, like this:

Internet ----- Fw -------- Fw --------- Local network
                    |           |
               IIS         SQL server 

or

Internet ----- Fw -------- Local network
                    |                |
               IIS          SQL server 


So you might be one step closer to your target !

Some references (fresh out from google):
http://www.sqlsecurity.com/faq-inj.asp
http://www.silksoft.co.za/data/sqlinjectionattack.htm

        Regards


        Javier Fernández-Sanguino Peña


Hello all,


I am doing a pen test against an IIS 5 web server. The web server
requires a user name and password via a logon form. If a single quote
character is entered (username) the following error is produced

[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
before the character string '' and password=''.

I remember reading somewhere that this can be used to gain further
access, but I can't find the info.

Can any one help?

Thanks in advance.

Gary
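The three messages above, put together as one runnable illustration. This is an added example, not code from the thread or from any of the posters; it uses Python's sqlite3 module as a stand-in for the SQL Server behind the IIS/ODBC login page, so the table names (users, test), the sample account (alice), the password column and the run_batch helper are all assumptions made for the demonstration, and the exact error wording and xp_cmdshell are SQL Server things that SQLite does not have. It shows the lone-quote probe from Gary's question producing a parser error, the stacked statements from Javier's reply executing, Andy's point that a stacked SELECT's rows never reach the page while a stacked DELETE still alters the data, and the parameterised query that closes the hole.

```python
import sqlite3

# Added example (not the thread's code). SQLite stands in for the SQL Server
# behind the IIS login page; the concatenation bug and the stacked-query
# trick behave the same, the error text and xp_cmdshell are SQL Server only.


def build_vulnerable_query(user, password):
    """The login query as the thread describes it: user input pasted into
    the SQL text with no escaping and no bound parameters."""
    return ("SELECT * FROM users WHERE username='" + user
            + "' AND password='" + password + "'")


def fresh_db():
    """Constructed sample data: one valid account and a small 'test' table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 's3cret');
        CREATE TABLE test (value TEXT);
        INSERT INTO test VALUES ('row1'), ('row2');
    """)
    return con


def run_batch(con, sql):
    """Execute a ';'-separated batch the way the ODBC driver hands it to SQL
    Server: every statement runs, but only the FIRST statement's rows come
    back (an ASP page reading a single Recordset never sees the rest).
    Statement boundaries are found with sqlite3.complete_statement, which
    understands quoting, so a ';' inside a string literal does not split."""
    first_rows, buf, seen_first = None, "", False
    for ch in sql:
        buf += ch
        if ch == ";" and sqlite3.complete_statement(buf):
            rows = con.execute(buf).fetchall()
            if not seen_first:
                first_rows, seen_first = rows, True
            buf = ""
    if buf.strip():                      # trailing statement without a ';'
        rows = con.execute(buf).fetchall()
        if not seen_first:
            first_rows = rows
    return first_rows or []


def vulnerable_login(con, user, password):
    """Returns 'ok', 'denied' or 'error: <message>'. Like the page in the
    thread, the caller only learns whether a row came back; the only other
    thing that leaks is the database's error text."""
    try:
        rows = run_batch(con, build_vulnerable_query(user, password))
    except sqlite3.OperationalError as e:
        return "error: " + str(e)
    return "ok" if rows else "denied"


def safe_login(con, user, password):
    """Same check with a parameterised query: the input is bound as data,
    so a quote or a ';' never reaches the SQL parser as syntax."""
    rows = con.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (user, password)).fetchall()
    return "ok" if rows else "denied"


def sql_server_payload_query():
    """The xp_cmdshell variant from the thread, shown only as the query text
    the page would send; SQLite has no xp_cmdshell and this is never run."""
    return build_vulnerable_query("test'; exec master..xp_cmdshell 'dir' --", "")


def demo():
    results = {}
    con = fresh_db()
    # 1. the probe from the original question: a lone quote breaks the query
    results["probe"] = vulnerable_login(con, "'", "")
    # 2. a stacked SELECT runs, but its rows never reach the login page
    results["stacked_select"] = vulnerable_login(
        con, "test'; SELECT * FROM test --", "")
    # 3. a stacked DELETE alters the database although the page says 'denied'
    results["stacked_delete"] = vulnerable_login(
        con, "test'; DELETE FROM test --", "")
    results["rows_left"] = con.execute("SELECT COUNT(*) FROM test").fetchone()[0]
    # 4. the same payloads against the parameterised query
    con2 = fresh_db()
    results["safe_probe"] = safe_login(con2, "'", "")
    results["safe_delete"] = safe_login(con2, "test'; DELETE FROM test --", "")
    results["safe_rows_left"] = con2.execute(
        "SELECT COUNT(*) FROM test").fetchone()[0]
    results["safe_real"] = safe_login(con2, "alice", "s3cret")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Note on the design: Python's sqlite3 execute() refuses more than one statement per call, which is why run_batch splits the batch itself; SQL Server over ODBC runs the whole batch as written, and the ASP page sees only the first resultset, which is exactly why Andy sees nothing from an appended SELECT while Javier's xp_cmdshell or a DELETE still executes. Only the parameterised safe_login leaves the test table intact for every input.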


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/






