Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: SQL

From: "Holmes, Ben" <Ben.Holmes () getronics com>
Date: Tue, 20 Nov 2001 19:55:52 +1100
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm not all that knowledgeable about SQL testing.. I usually get help from
people who know a lot about SQL to help with the actual code syntax, but,
here is a thing about the parsing of unquoted code to an SQL server (and
that is what it sounds like you have).  I am flying on my own here...

You may have a hole there.

Try (as a username): aa'; CREATE USER hack WITH SYSID 0 PASSWORD 'hacked' \*

The "\*" is the "Quote start" character in SQL and will quote the rest of
the command out.

You may have to make the password something like: *\; SET foo TO 'bar

Or something to that effect.

This should pass the command like this to the SQL server:

<stuff the programmer thought would go there> USER to 'aa'; CREATE USER hack
WITH SYSID 0 PASSWORD 'hacked' \*<more stuff that is now commented out>*\;
SET foo TO 'bar'

The extra quote on the end is the one that has caused you grief.

Just a thought.  It certainly warrants trying some SQL commands.

Here are some references to look at:

List of SQL commands:
http://www.postgresql.org/idocs/index.php?sql-commands.html

A quick search brings up a good article about hacking SQL through bad perl
at: http://www.attrition.org/security/advisory/rfp/rfp2k01

You may be able to find even more stuff at "http://www.wiretrip.net/rfp";

- -- Benjamin Holmes
Getronics, Brisbane, Queensland, AUSTRALIA


-----Original Message-----
From: Gary O'leary-Steele [mailto:GaryO () sec-1 com]
Sent: Tuesday, 20 November 2001 2:24 AM
To: PEN-TEST () securityfocus com
Subject: SQL


Hello all,


I am doing a pen test against a IIS 5 web server. The web 
server requires a
user name and password via a logon form. if a single quote 
character is
entered (username)the following error is produced

[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
before the character string '' and password=''.

I remember reading somewhere that this can be used to gain 
further access?
but i cant find the info.

Can any one help?

Thanks in advance.

Gary


--------------------------------------------------------------
--------------
This list is provided by the SecurityFocus Security 
Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security 
vulnerabilities please see:
https://alerts.securityfocus.com/



-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
Comment: Pee Gee Peeeeee!

iQA/AwUBO/oamHLvuelW5gClEQJyfACfaYYUwKXZyBgYToNYJMxmDZIuqZgAoM7G
ReMm/fhHDz1AHrbxpWKu/OB6
=0sjP
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Previous By Date Next
Previous By Thread Next

Current thread: