Hi,
You are not working against an MS-SQL Server, but rather against an Access
MDB file, connected to the Access ODBC driver.
The bad news are that with Access, the MSysObjects table has no read
permissions by default, so you will not be lucky there..
The good news are, judging from your mail, is that you have detailed error
messages in this application. It therefore may be possibile to extract the
names of the tables by creating detailed error messages.
What I suggest is try to generate all kinds of errors in the system in all
kinds of locations. Such errors can include insertion of meta characters
other than just quote, such as parenthesis, semicolon, remarks, etc. Also,
try playing with keywords such as HAVING and GROUP BY. As far as I recall,
MS tends to become descriptive about field names and such when inserting
such fields. Also, you can try union select from other tables, or even with
no tables (MS is lenient about SQL syntax, and allows performing a query
such as SELCT 1,2,3, without a FROM clause).
In addition to that, I strongly suggest guessing the table names. In most
PT's I did, users table tend to use a variation of one of the following (try
singular form, plural, etc).:
- Users
- Logins
- Accounts
- IDs
Etc..
Also, try following common table naming conventions, such as tblUsers, or
tUsers, or tbl_Users, etc. From my experience, if you sufficiently play with
standard prefixes/suffixes, and logical names, you've got a very high chance
of finding the table name.
Sincerely,
---
Ofer Maor
CTO
Hacktics Ltd.
Mobile: +972-54-6545406
Office: +972-9-9565840
Fax: +972-9-9500047
Web: www.hacktics.com
-----Original Message-----
From: Cedric Foll [mailto:cedric.foll@ac-rouen.fr]
Sent: Monday, September 26, 2005 4:01 PM
To: pen-test@securityfocus.com
Subject: MS SQL, find list of tables
Hi,
I'm doing a pen test on a IIS/MS SQL box and find a SQL Injection on it
which permit to execute some SQL command on it.
In fact I have a "select" where I can inject an "UNION something".
I'd like to use that in order to get login/passwd in the database.
I can do:
<somethin.asp?page=contact' UNION SELECT * FROM users WHERE '1'='1> But the
table users doesn't exist and I failed to guess an existing table name :(.
I've tried:
<something.asp?page=contact' UNION SELECT * FROM MSysObjects'> but I get
----
Microsoft OLE DB Provider for ODBC Drivers error '80040e09'
[Microsoft][ODBC Microsoft Access Driver] Record(s) cannot be read; no read
permission on 'MSysObjects'.
----
Someone has an idea ????
Regards
--
Cedric Foll
Ingיnieur Sיcuritי & Rיseaux
Division Informatique, Rectorat de Rouen
"More people are killed every year by pigs than by sharks, which shows you
how good we are at evaluating risk."
Bruce Schneier
----------------------------------------------------------------------------
--
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for
vulnerabilities to SQL injection, Cross site scripting and other web attacks
before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------
---
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
