Network Security Pen-Test

RE: Blind SQL Injection / Stored procedures

Subject: RE: Blind SQL Injection / Stored procedures
Date: Wed, 16 Nov 2005 12:14:43 +0100

Hola Andres,

> The problem is that, although I was able to enumerate tables and columns
> (through base..syscolumns), I am not able to access any data of those
> tables.

I'm not sure what you mean by base..syscolumns; as far as I am concerned it 
shouldn't work unless your database is called "base". Is that so?

But in any case, your assumption might be right about the fact that the web 
site talks to the SQL server through stored procs. Usually what I do to see 
if that's the case is to try to insert a union select 1-- and look at the 
reaction. Normally if it's a stored proc, it will not like it. But again it's 
hard to explain it directly here; one must look at it and test it oneself.

So the first step to see if it's a question of rights is to look at the current 
user with "user". If you get back dbo, it means you have something wrong with 
your SQL statement.

> Then my problem is how can I use a stored procedure to get some data? I
> think I am able to run it, but how can I get its results?

Now to answer your question about how to display results from a stored proc, 
the solution will depend on whether you can get information back or not. Considering 
you called your title "Blind SQL injection / Stored procedures" I would guess 
that you used that technique to succeed in getting the data. If so, well I suppose 
you can still use my technique but it's going to be a long and tedious job.

So here is how I do it.

Normally every user has rights on the Pubs and Northwind databases, if they are 
still on the server that is (almost 100% of the time). So you can create a 
table there, then insert the results of the stored proc you want to use into this 
table and go read them either blindly or from the output on the web page.

Here is an example:

TRUNCATE TABLE pubs.dbo.tmp;
INSERT INTO pubs.dbo.tmp (res) EXEC MyDB..TheStoredProc;

Tmp: being my created table
MyDB: being the database I want to use the stored procs
TheStoredProc: being the stored proc I want to execute
(res): is a field that is nvarchar(4000) containing my result

I truncate the table to remove previous data first.

Of course, you will need to create fields in the tmp table depending on the 
number of outputs your stored proc has. As I said, it's tedious but I 
think it's the only way to display results from a stored proc. You can most 
definitely not use a union with one, I've searched and searched... (Please tell 
me if I'm wrong, I'd love to know...)

François Larouche
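The "user" rights check and the pubs/Northwind scratch-table step in the reply above, turned around and run from the DBA side as an added T-SQL example (not part of the original post): it shows whether an application login could do the same. It assumes SQL Server 2008 or later, a placeholder login named webapp, and the application database called MyDB as in the post.

```sql
-- Added example (T-SQL, not from the original post): check, as a DBA, whether the
-- web application's login could use pubs/Northwind as a scratch area the way the
-- post describes. Assumes SQL Server 2008+, a placeholder login 'webapp', and an
-- application database named MyDB (the post's placeholder name).

USE MyDB;                         -- the database the web application normally uses
EXECUTE AS LOGIN = N'webapp';     -- evaluate everything below as the application login

-- What the post's "user" check reveals: the mapped database user, and whether the
-- login is effectively dbo/sysadmin, which an application login should not be.
SELECT USER_NAME()                  AS current_db_user,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,
       IS_MEMBER('db_owner')        AS is_db_owner;

-- Can the login reach the sample databases and create a table there?
-- A 1 in can_create_table means the INSERT ... EXEC step in the post would work.
SELECT d.name                       AS database_name,
       HAS_DBACCESS(d.name)         AS can_connect,
       CASE WHEN HAS_DBACCESS(d.name) = 1
            THEN HAS_PERMS_BY_NAME(d.name, 'DATABASE', 'CREATE TABLE')
            ELSE 0
       END                          AS can_create_table
FROM (VALUES (N'pubs'), (N'Northwind')) AS d(name);

REVERT;                           -- back to the DBA's own context

-- Remediation when any row reports 1: sample databases do not belong on a
-- production instance, and the application login should map only to MyDB.
-- DROP DATABASE pubs;
-- DROP DATABASE Northwind;
-- USE Northwind; DROP USER webapp;   -- if the database has to stay
```

Run it as a sysadmin, since EXECUTE AS LOGIN requires IMPERSONATE permission on the target login.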

