I'm not sure what you mean by base..syscolumns as far as I am concerned it
shouldn't work unless your database is called "base", is that so?
Sorry for that not making it clear. I have discovered that there were
multiple databases in the server so I tried to enumerate the tables and
columns in those too. It should say 'Database..syscolums'.
But in any cases, your assumption might be right about the fact that the
web site discusses with the SQL server with stored proc. Usually what I do
to see if it's the case is to try to insert a union select 1-- and look at
the reaction. Normally if it's a stored proc, it will not like it. But
again it's hard to explain it directly here, one must look at it and test
it by himself.
So the first step to see if it's a question of rights is to look at the
current user with "user". If you get back dbo, it means you have something
wrong with your SQL statement.
I am sure that the username is not DBO. It is a non privileged use named
"webapp".
> Then my problem is how can I use an stored procedure to get some data? I
> think I am able to run, but how can I do to get its results?
Now to answer your question about how to display results from a stored
proc, the solution will depend if you can get information back or not.
Considering you called your title "Blind SQL injection / Stored procedures"
I would guess that you used that technique to succeed to get the data. If
so, well I suppose you can still use my technique but it's going to be a
long and tedious work.
So here is how I do it.
Normally every user has the rights on Pubs and Northwind database if they
are still on the server that is (almost 100% of the times). So you can
create a table there, then insert the results of the stored proc you want
to use in this table and go read them either blindly or from the output on
the web page.
Here is an example:
TRUNCATE table pubs.dbo.tmp; INSERT INTO pubs.dbo.tmp (res) EXEC
MyDB..TheStoredProc
Tmp: being my created table
MyDB: being the database I want to use the stored procs
TheStoredProc: being the stored proc I want to execute
(res): is a field that is nvarchar(4000) containing my result
I truncate the table to remove previous data first
Of course, you will need to create fields in the tmp table depending of the
number of your stored proc's outputs you have. As I said, it's tedious but
I think it's the only way to display results from a stored proc. You can
most definitely not use a union with one, I've searched and searched...
(Please tell me if I'm wrong I'd love to know...)
I don't really understand the "res" field you mention. As I understand I
will only need to create the table with the fields the proc is outputting...
hope you can explain this a bit more...
François Larouche
______________________________________________________________________________________________________________________________
This email, the information contained within and any files transmitted with
it (herein after referred as "the message")
are confidential. It is intended solely for the addressees and access to
this message by any other person is not permitted.
If you are not the named addressee, please send it back immediately to the
sender and delete it. Unauthorized disclosure,
publication, use, dissemination, forwarding, printing or copying of this
message, either in whole or in part, is strictly
prohibited.
Emails are susceptible to alteration and their integrity cannot be
guaranteed. Our company shall not be liable for this
message if modified or falsified.
_________________________________________________________________
Acepta el reto MSN Premium: Protección para tus hijos en internet.
Descárgalo y pruébalo 2 meses gratis.
http://join.msn.com?XAPID=1697&DI=1055&HL=Footer_mailsenviados_proteccioninfantil
