Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

SQL Injecton - Strange Result

from [Danux] Network Security [Permanent Link]
Subject: SQL Injecton - Strange Result
Date: Thu, 18 Oct 2007 23:38:48 +0000 
Hi, after your excellent help i am able to bypass single quotes using
char(0xXX) SQL Server functions so you can do something like select *
from table where name = char(N,N,N,N) which is the same as select *
from table where name = 'NNNN' but without using single quotes.

Then, i was able to run store procedures using [ and ] instead of
single quotes too.

But now, i have a problem while making  the Injection (a PHP
-MSQQL-2000 Web App), which by the way, in not being filtered by the
PHP app, and goes directly to the SQL Server
,
The problem is after sending the next test:

http://www.client.com/mod.php?id=1;begin%20declare%20@q%20varchar(8000)select%20@q%20=%200x73656c65637420404076657273696f6e%20exec(@q)%20end;--

or another store procedure like:

http://www.client.com/mod.php?id=1;exec%20sp_makewebtask%20%5Bc:\inetpub\wwwroot\sssssssss\index_olld.html%5D,%20%5Bselect%20*%20from%20TABLE%5D;--

the application responses with something like:
SQL error: [Microsoft][ODBC SQL Server Driver]Connection is busy with
results for another hstmt, SQL state S1000 in SQLExecDirect in
c:\Inetpub\wwwroot\sssssssssss

I think its because of the first query (the one belongs to id=1
parameter, even though 1 results to 0 rows).
I have ridden a lot of sql injection .. Advanced, More, and so on, but
all of them always execute a store procedure after a semicolon but no
one says something about this error.

I thought to put a delay before my store procedure or a command to
free the data base connection handler.

What you think???

By the way, i am not able to run xp_cmdshell because of the database
user permissions, may be i could try to elevate privileges but always
appears the error describe above.

Thanks in Advance.


-- 
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • SQL Injecton - Strange Result, Danux <=
Previous by Date:  RE: Directory Transversal, jfvanmeter
Next by Date:  Re: Thanks Alex and Jond -- metasploit and proxyport, H D Moore
Previous by Thread:  PenTesting Lotus Notes, jimmy wong
Next by Thread:  Wardriving with Yagi Antennas, Terry Cutler
Indexes:  [Date] [Thread] [Top] [All Lists]