Penetration Testing mailing list archives

RE: Knowledge shared


From: "Rayburn, Gordon" <grayburn () firstam com>
Date: Mon, 11 Feb 2002 19:18:48 -0800

You're halfway right.  If your procedure's variable is INT type, then you
cannot inject the xp_cmdshell execution.  Char in INT won't work.  Most
people will still use a char type and will still be vulnerable.  Part of
your security comes from good design of the DBs as well; too bad most
developers won't pay attention.

-----Original Message-----
From: Brett Moore [SMTP:brett () softwarecreations co nz]
Sent: Thursday, January 31, 2002 3:44 AM
To:   webappsec () securityfocus com; pen-test () securityfocus com
Subject:      Knowledge shared

Ok so I have some thoughts. No official format.

1) SQL INJECTION

"SQL injection does not work with stored procedures"...Shakes pear 1654

example:

X = WEB VARIABLE = INTEGER

X = 10
EXEC MY_STOREDPROCEDURE X = EXEC MY_STOREDPROCEDURE 10
~
X = 10;EXEC MASTER..XP_CMDSHELL''
EXEC MY_STOREDPROCEDURE X = 10;EXEC MASTER..XP_CMDSHELL''

2) SQL TIP
SET NOEXEC = Compiles each query but does not execute it.

If 007 knows the field names used in a web page creation then 007 can
obtain information from the second query.

3) http://www.microsoft.com/technet/security/bulletin/MS01-060.asp
Of course any tester that obtains SQL injection capabilities on a test site
can abuse this if the test site is not patched.
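Added example, not part of either message in this thread: a small Python model of the web tier from Brett's point 1. The point it makes visible is that when the EXEC statement is built by string concatenation, the payload becomes part of the T-SQL batch text before SQL Server ever compares the value against the procedure's parameter type, so the batch carries a second statement regardless of whether MY_STOREDPROCEDURE takes an INT. The hardened builder validates the value as an integer in the web tier and binds it as a driver parameter (the `?` placeholder is ODBC/pyodbc style). MY_STOREDPROCEDURE, the `@x` parameter name and the sample payload are illustrative, and `split_batch` is a toy splitter, only good enough to count statements.

```python
import re

# Constructed sample inputs (illustrative, not taken from the thread)
BENIGN_VALUE = "10"
PAYLOAD_VALUE = "10;EXEC master..xp_cmdshell 'dir'"


def build_exec_unsafe(web_value):
    """Vulnerable builder: pastes the raw web variable into the batch text.

    The procedure's parameter may well be declared INT, but that check only
    happens once the server parses the batch; by then the injected second
    statement is already in it.
    """
    return "EXEC MY_STOREDPROCEDURE " + web_value


def is_integer_web_value(web_value):
    """True if the web variable is a plain (optionally signed) integer."""
    return re.fullmatch(r"-?\d{1,10}", web_value) is not None


def build_exec_safe(web_value):
    """Hardened builder: validate in the web tier, then bind as a parameter.

    Returns (sql_text, params). The driver sends the value typed, never as
    part of the batch text, so the server sees exactly one statement.
    """
    if not is_integer_web_value(web_value):
        raise ValueError("expected an integer web variable, got %r" % web_value)
    return ("EXEC MY_STOREDPROCEDURE @x = ?", (int(web_value),))


def split_batch(batch):
    """Split a T-SQL batch on ';' outside single-quoted strings.

    Toy splitter: it ignores comments, brackets and doubled quotes, which is
    enough here to show how many statements the server would be handed.
    """
    statements, current, in_string = [], [], False
    for ch in batch:
        if ch == "'":
            in_string = not in_string
        if ch == ";" and not in_string:
            statements.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return statements


if __name__ == "__main__":
    for value in (BENIGN_VALUE, PAYLOAD_VALUE):
        batch = build_exec_unsafe(value)
        print("unsafe batch: %r -> %d statement(s)" % (batch, len(split_batch(batch))))
        try:
            print("safe call:   %r" % (build_exec_safe(value),))
        except ValueError as exc:
            print("safe call:   rejected (%s)" % exc)
```

Run stand-alone it prints the unsafe batch built from each value and how many statements it contains; the benign value yields one statement through both builders, while the payload yields two through the unsafe builder and is rejected outright by the safe one.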



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

