RE: Blind SQL Injection / Stored procedures

You may want to try with:

exec master.dbo.sp_executesql N'...your query...'

This is in itself a stored procedure... But it allows you to run a query
within. This should work with sp3 unless you don't have enough privileges to
access master's stored procedures.

Good luck,
Victor

> -----Original Message-----
> From: Andres Molinetti [mailto:andymolinetti@hotmail.com] 
> Sent: November 15, 2005 12:41 PM
> To: pen-test@securityfocus.com
> Cc: websecurity@webappsec.org; webappsec@securityfocus.com
> Subject: Blind SQL Injection / Stored procedures
>
> Hi List,
>
> I am currently testing a clients Web Site. I have found that 
> it is vulnerable to Blind SQL Injection, so I have been able 
> to enumerate tables, columns, etc. It interact with an SQL 
> Server 2000 SP3.
>
> The problem is that, despite I was able to enumerate tables 
> and columns (through base..syscolumns) I am not able to 
> access any data of those tables.
>
> I think this can be happening because the priviledges are 
> assigned to stored procedures, and not directly to users, 
> which is a good practice.
>
> Then my problem is how can I use an stored procedure to get 
> some data? I think I am able to run, but how can I do to get 
> its results?
>
> I know that there is an xp_makewebtask which lets me write 
> sql queries to a file, but as the sql server resides in a 
> different machine that the web server, I cannot get those files.
>
> Thanks in advance,
>
> Andy
>
> _________________________________________________________________
> Dale rienda suelta a tu tiempo libre. Encuentra mil ideas 
> para exprimir tu ocio con MSN Entretenimiento. 
> http://www.sm4rt.com/links