Penetration Testing mailing list archives

RE: SQL


From: Javier Fernández-Sanguino <jfernandez () germinus com>
Date: Fri, 23 Nov 2001 10:15:17 +0100


Don't you need the returned recordset to be written to the html stream in
order to see anything useful?  For instance if you are just looking at a
login page you may not get any joy with appending extra SELECTs?  We have
just been playing with exactly this!


        Not really, it depends on the system configuration. If you can
(and you quite probably can) run 'exec master..xp_cmdshell' you can have
the queries directed to files in the Web server (if you know its
location) and retrieve them from there. You can even (check the stored
procedures for SQL Server) send yourself mails with the results of the
queries or with execution results! (I did this once and it was kind of fun)

        So, even if not shown inline, that does not mean you cannot
retrieve any information, but you have to use alternative ways which
will work (or not) depending on the system's configuration and the
access to the perimeter.

        One easy way to determine if you are effectively executing code
is doing incremental tests:

1.- test with '
        ODBC error
2.- test with '--
        error? (depends on query)
3.- test with ',...fill in data... ) --
        error?
(keep going until you get no errors; this, of course, is easier if you
know the code beforehand, there are many IIS vulns which will get you to
it...)
4.- test with ', ...data... ; select * from asdfadfas --
        Probable error since the table 'asdfadfas' does not exist
5.- test with ', ...data... ; select * from AVALIDSQLTABLE --
        No error since that table (take a look at default tables for SQL
Server) does exist.
6.- test with ', ...data... ; exec master..xp_cmdshell 'dir', no_output --
        No error? Then you are executing code. Check the error (if there
is one) since it might say that the user running the query cannot
execute stored procedures...


        Do you get the idea?

        Javi
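
The incremental probing Javi describes leaves a recognisable trail in the web server log: a lone quote that draws a server error, then a comment terminator, then a stacked query, then a stored-procedure call. The following Python is an added example, not code from the post or from the list, that walks a few constructed log lines (the IPs, paths and timestamps are invented) and reports, per client, which stages of that sequence were seen and how many of those requests ended in an HTTP 5xx, which is the "ODBC error" signal from the defender's side.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log (Common Log Format shape); not taken from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Nov/2001:10:15:17 +0100] "GET /login.asp?user=bob&pass=secret HTTP/1.0" 200 512
10.0.0.7 - - [23/Nov/2001:10:16:02 +0100] "GET /login.asp?user=bob%27&pass=x HTTP/1.0" 500 233
10.0.0.7 - - [23/Nov/2001:10:16:09 +0100] "GET /login.asp?user=bob%27--&pass=x HTTP/1.0" 500 233
10.0.0.7 - - [23/Nov/2001:10:16:30 +0100] "GET /login.asp?user=bob%27%3B+select+*+from+asdfadfas--&pass=x HTTP/1.0" 500 233
10.0.0.7 - - [23/Nov/2001:10:16:45 +0100] "GET /login.asp?user=bob%27%3B+select+*+from+sysobjects--&pass=x HTTP/1.0" 200 512
10.0.0.7 - - [23/Nov/2001:10:17:01 +0100] "GET /login.asp?user=bob%27%3B+exec+master..xp_cmdshell+%27dir%27--&pass=x HTTP/1.0" 200 512
10.0.0.9 - - [23/Nov/2001:10:18:00 +0100] "GET /search.asp?q=o%27neill HTTP/1.0" 200 1024
"""

# ip, timestamp, method, path, status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

# Probe stages from the post, ordered from least to most serious.
STAGES = [
    ("quote",       re.compile(r"'")),
    ("comment",     re.compile(r"'.*--")),
    ("stacked",     re.compile(r";\s*(select|insert|update|delete|exec|execute)\b", re.I)),
    ("xp_cmdshell", re.compile(r"xp_cmdshell|master\.\.", re.I)),
]
STAGE_RANK = {name: i for i, (name, _) in enumerate(STAGES)}


def decoded_params(path):
    """Yield each query-string value of a request path, percent-decoded.
    Splitting on '&' before decoding keeps an encoded ';' inside one value."""
    for pair in urlsplit(path).query.split("&"):
        if pair:
            _, _, raw = pair.partition("=")
            yield unquote_plus(raw)


def classify_value(value):
    """Return the highest-ranked probe stage matched by one decoded value, or None."""
    hit = None
    for name, pattern in STAGES:
        if pattern.search(value):
            hit = name          # stages are ordered, so the last match is the worst
    return hit


def analyse(log_text):
    """Per client IP: the probe stages seen in order, how many of those requests
    drew a 5xx, and the most serious stage reached."""
    report = defaultdict(lambda: {"stages": [], "errors": 0, "max": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m.group(1), m.group(4), int(m.group(5))
        stage = None
        for value in decoded_params(path):
            s = classify_value(value)
            if s and (stage is None or STAGE_RANK[s] > STAGE_RANK[stage]):
                stage = s
        if stage is None:
            continue
        entry = report[ip]
        entry["stages"].append(stage)
        if status >= 500:
            entry["errors"] += 1
        if entry["max"] is None or STAGE_RANK[stage] > STAGE_RANK[entry["max"]]:
            entry["max"] = stage
    return dict(report)


def severity(entry):
    """A lone quote with no server error is most likely a real apostrophe;
    a quote that produced a 5xx is the first step of the probe described."""
    if entry["max"] == "xp_cmdshell":
        return "critical"
    if entry["max"] == "stacked":
        return "high"
    if entry["max"] == "comment" or entry["errors"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    for ip, entry in analyse(SAMPLE_LOG).items():
        print(ip, severity(entry), entry["stages"], "errors:", entry["errors"])
```

The pairing of payload stage with response status is what keeps the rule useful: `o'neill` with a 200 is a name, while a quote followed by a 500 is the "ODBC error" the post relies on. The final stage only works when the application's database login may execute `xp_cmdshell`, which is exactly the permission the post says to check for in the error text, and which a least-privilege application account should not hold.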

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

