Penetration Testing mailing list archives
RE: Knowledge shared
From: "Rayburn, Gordon" <grayburn () firstam com>
Date: Mon, 11 Feb 2002 19:18:48 -0800
You're halfway right. If your procedure's variable is INT type, then you cannot inject the xp_cmdshell execution. Char in INT won't work. Most people will still use a char type and will still be vulnerable. Part of your security comes from good design of the db's as well; too bad most developers won't pay attention.

-----Original Message-----
From: Brett Moore [SMTP:brett () softwarecreations co nz]
Sent: Thursday, January 31, 2002 3:44 AM
To: webappsec () securityfocus com; pen-test () securityfocus com
Subject: Knowledge shared

Ok so I have some thoughts. No official format.

1) SQL INJECTION
"SQL injection does not work with stored procedures"...Shakespeare 1654

example:
X = WEB VARIABLE = INTEGER
X = 10
EXEC MY_STOREDPROCEDURE X = EXEC MY_STOREDPROCEDURE 10
~
X = 10;EXEC MASTER..XP_CMDSHELL''
EXEC MY_STOREDPROCEDURE X = 10;EXEC MASTER..XP_CMDSHELL''

2) SQL TIP
SET NOEXEC = Compiles each query but does not execute it.
If 007 knows the field names used in a web page creation then 007 can obtain information from the second query.

3) http://www.microsoft.com/technet/security/bulletin/MS01-060.asp
Of course any tester that obtains sql injection capabilities on a test site can abuse this if the test site is not patched.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
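
Where the INT conversion discussed in the reply takes effect, and why a char-type parameter that feeds dynamic SQL stays exposed, shown as an added T-SQL example that is not part of the original thread. It assumes SQL Server 2005 or later (for TRY/CATCH); `DemoItems`, `FindItem_Concat` and `FindItem_Bound` are hypothetical names, and the test value is constructed with a harmless second statement.

```sql
-- Added example. Constructed demo objects; every name except
-- MY_STOREDPROCEDURE is hypothetical.
CREATE TABLE dbo.DemoItems (ItemId INT PRIMARY KEY, Name VARCHAR(50));
INSERT INTO dbo.DemoItems (ItemId, Name) VALUES (10, 'constructed sample row');
GO
-- INT parameter: the argument is converted to INT when it is bound,
-- before any statement in the body runs.
CREATE PROCEDURE dbo.MY_STOREDPROCEDURE @X INT
AS
    SELECT ItemId, Name FROM dbo.DemoItems WHERE ItemId = @X;
GO
-- Weak: character parameter pasted into dynamic SQL. VARCHAR accepts any
-- text, and EXEC() parses that text as part of the batch.
CREATE PROCEDURE dbo.FindItem_Concat @X VARCHAR(200)
AS
    DECLARE @sql NVARCHAR(400);
    SET @sql = N'SELECT ItemId, Name FROM dbo.DemoItems WHERE ItemId = ' + @X;
    EXEC (@sql);
GO
-- Corrected: the same input handed to sp_executesql as a parameter. It is
-- only ever a value in the comparison and is never parsed as SQL.
CREATE PROCEDURE dbo.FindItem_Bound @X VARCHAR(200)
AS
    EXEC sp_executesql
        N'SELECT ItemId, Name FROM dbo.DemoItems WHERE ItemId = @id',
        N'@id VARCHAR(200)',
        @id = @X;
GO
-- Constructed test value: a number followed by a harmless second statement.
DECLARE @web VARCHAR(200);
SET @web = '10; SELECT ''second statement ran'' AS Marker';

BEGIN TRY
    EXEC dbo.MY_STOREDPROCEDURE @X = @web;   -- rejected while binding @X
END TRY
BEGIN CATCH
    SELECT 'INT parameter' AS TestCase, ERROR_MESSAGE() AS Result;
END CATCH;

EXEC dbo.FindItem_Concat @X = @web;          -- two result sets: the row, then Marker

BEGIN TRY
    EXEC dbo.FindItem_Bound @X = @web;       -- conversion error, no Marker result
END TRY
BEGIN CATCH
    SELECT 'sp_executesql' AS TestCase, ERROR_MESSAGE() AS Result;
END CATCH;
```

The INT conversion only protects a call that passes the web variable as a bound parameter, as the `EXEC ... @X = @web` lines do; text concatenated into the batch by the calling page is parsed before any parameter type is consulted.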