Brute forcing a M$ SQL Server password through SQL Injection

[Roman Medina <roman () rs-labs com>]

 Hello,

 I hope somebody can help me :-) Let's suppose the following scenario:
a web app running on IIS. The app is written in ASP and has a
search.asp script, which is not checked/secured against SQL injection.
All data is stored in an updated SQL Server 2000 SP3. The search
script is using a very limited SQL non-priviledged user so although
you can inject SQL sentencies, in practice you can perform write
operations such as insert, update, drop, etc. Indeed, select
permission is only granted in a few tables. Stored procedures seems
also protected (you cannot execute them). You can do "select" on some
system tables, nothing more. The goal is to elevate priviledges.

 How would you achieve this? I'm not a SQL Server expert at all, so
perhaps you have any ideas to share with me. I've thought of
bruteforcing any of the SQL users (like "sa"), but:
- do you think it could be a good idea? Which maximum length of
password would be reasonable or candidate to be broken in such a way?
- is it possible to run a SQL script through vulnerable .asp using SQL
injection, to perform the bruteforce attack? (I think such way is the
only valid one, to get an aceptable cracking speed)
- in that case, could you provide some test code for it?

 Any other ideas are greatly welcome. Thanks in advance.

 Regards,
 --Roman

--
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]


----------------------------------------------------------------------------

Do you know the base address of the Global Offset Table (GOT) on a Solaris 8
box?
CORE IMPACT does.
www.securityfocus.com/core