Penetration Testing mailing list archives

RE: SQL


From: Javier Fernández-Sanguino <jfernandez () germinus com>
Date: Tue, 20 Nov 2001 09:41:39 +0100


You might (90% chance) have a possibility to

a) alter the database
b) execute remote commands in the SQL server

This is a common error (not quoting quotes :); it is due to the SQL
statement being executed on the IIS server (through an ODBC connection)
simply having the information given by the user appended to it.

Thus:

SELECT * from test where value='$user'

if user=' becomes:

SELECT * from test where value='''

which generates your error.

However, you can do the following
if user=test'; select * from test -- becomes:

SELECT * from test where value='test'; select * from test -- '

which is a valid SQL statement (two as a matter of fact) and
if user=test'; exec master..xp_cmdshell 'dir' -- becomes:

SELECT * from test where value='test'; exec master..xp_cmdshell 'dir' --


which will run the 'dir' command in the SQL server (not in the IIS!).
This is fun since, in some cases, the IIS server is in a DMZ and the SQL
server is in the internal LAN or behind another firewall, like this:

Internet ----- Fw -------- Fw --------- Local network
                    |           |
               IIS         SQL server 

or

Internet ----- Fw -------- Local network
                    |                |
               IIS          SQL server 


So you might be one step closer to your target !

Some references (fresh out of Google):
http://www.sqlsecurity.com/faq-inj.asp
http://www.silksoft.co.za/data/sqlinjectionattack.htm

        Regards


        Javier Fernández-Sanguino Peña


Hello all,


I am doing a pen test against an IIS 5 web server. The web server requires a
user name and password via a logon form. If a single quote character is
entered (username), the following error is produced:

[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
before the character string '' and password=''.

I remember reading somewhere that this can be used to gain further access,
but I can't find the info.

Can any one help?

Thanks in advance.

Gary


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

