Re: Blind SQL Injection / Stored procedures

Results will come back just like any other regular query.

----- Original Message ----- 
From: "Andres Molinetti" <andymolinetti@hotmail.com>
To: <pen-test@securityfocus.com>
Cc: <websecurity@webappsec.org>; <webappsec@securityfocus.com>
Sent: Tuesday, November 15, 2005 1:40 PM
Subject: Blind SQL Injection / Stored procedures


> Hi List,
>
> I am currently testing a clients Web Site. I have found that it is 
> vulnerable to Blind SQL Injection, so I have been able to enumerate 
> tables, columns, etc. It interact with an SQL Server 2000 SP3.
>
> The problem is that, despite I was able to enumerate tables and columns 
> (through base..syscolumns) I am not able to access any data of those 
> tables.
>
> I think this can be happening because the priviledges are assigned to 
> stored procedures, and not directly to users, which is a good practice.
>
> Then my problem is how can I use an stored procedure to get some data? I 
> think I am able to run, but how can I do to get its results?
>
> I know that there is an xp_makewebtask which lets me write sql queries to 
> a file, but as the sql server resides in a different machine that the web 
> server, I cannot get those files.
>
> Thanks in advance,
>
> Andy
>
> _________________________________________________________________
> Dale rienda suelta a tu tiempo libre. Encuentra mil ideas para exprimir tu 
> ocio con MSN Entretenimiento. http://entretenimiento.msn.es/