RE: SQL injection from within a table - is it possible?

["Kelley, Brian" <BKelley () AgFirst com>]

It's possible if they are taking the resultset of a query and then issuing a dynamic SQL query using EXECUTE() or 
sp_executesql. Just querying a resultset, no. SQL Server will just consider all the characters present in the 
(n)char/(n)varchar/(n)text field as just that, one long continuation of characters. 


> -----Original Message-----
> From: Peter Bair [mailto:peterbair100 () hotmail com]
> Sent: Thursday, January 06, 2005 8:00 PM
> To: pen-test () securityfocus com
> Subject: SQL injection from within a table - is it possible?
>
>
>
>
> Is it possible to store an SQL injection string into a MSSQL 
> database table, so when the database performs an action like 
> through a stored proc, the SQL injection attack takes place?
>
>
>
> Not through the normal means of SQL injection via a web base 
> means, but if you have the means of storing the data into the 
> table directly.
>
>
>
> Example:
>
> An application has a users name in a table.  Is it possible 
> to assign the users name as the SQL injection string, something like 
>
>    name from table; exec master.xp_cmdshell "ping me"; --
>
>
>
> so when the database is running a stored procedure with a  
> select clause like
>
>
>
>    select name from table 
>
>
>
> it really is becomes
>
>
>
> select name from table; exec master.xp_cmdshell "ping me" ;-- 
> from table
>
>
>
>
>
> Of course using the SQL query analyzer on the database table, 
> all this works ok.
>
>
>
> But when I insert the SQL injection string into the table, as 
> the name, and then query the table nothing happens.
>
>
>
> Is it possible or have I missed the point here?
>
>
>
> Thanks Peter.