On 9/26/05, Cedric Foll <cedric.foll@ac-rouen.fr> wrote:
In fact I have a "select" where I can inject an "UNION something".
I'd like to use that in order to get login/passwd in the database.
I can do:
<somethin.asp?page=contact' UNION SELECT * FROM users WHERE '1'='1>
But the table users doesn't exist and I failed to guess an existing
table name :(.
You can try 'UNION ALL SELECT * FROM master.dbo.sysusers', which
should probably work. Crack the password hashes offline with the
tools available online (check NGSS). I assume you've already checked
if sa has a blank password.
If you want to dig deeper into the database, you can try scraping
master.dbo.syscomments' text column for passwords or more dbo objects.
If they're using stored procedures for anything, which I doubt, that
might net you a password in the clear or another injection vector .
For the column names and other system tables, refer to this page:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_sys-u_76ur.asp
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
