Penetration Testing mailing list archives
RE: SQL injection from within a table - is it possible?
From: "Kelley, Brian" <BKelley () AgFirst com>
Date: Fri, 7 Jan 2005 09:38:11 -0500
It's possible if they are taking the resultset of a query and then issuing a dynamic SQL query using EXECUTE() or sp_executesql. Just querying a resultset, no. SQL Server will just consider all the characters present in the (n)char/(n)varchar/(n)text field as just that, one long continuation of characters.
-----Original Message-----
From: Peter Bair [mailto:peterbair100 () hotmail com]
Sent: Thursday, January 06, 2005 8:00 PM
To: pen-test () securityfocus com
Subject: SQL injection from within a table - is it possible?

Is it possible to store an SQL injection string into a MSSQL database table, so when the database performs an action like through a stored proc, the SQL injection attack takes place? Not through the normal means of SQL injection via a web-based means, but if you have the means of storing the data into the table directly.

Example: An application has a user's name in a table. Is it possible to assign the user's name as the SQL injection string, something like

name from table; exec master.xp_cmdshell "ping me"; --

so when the database is running a stored procedure with a select clause like

select name from table

it really becomes

select name from table; exec master.xp_cmdshell "ping me" ;-- from table

Of course using the SQL query analyzer on the database table, all this works ok. But when I insert the SQL injection string into the table, as the name, and then query the table nothing happens. Is it possible or have I missed the point here?

Thanks
Peter.
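The distinction drawn in the reply above, as an added T-SQL example that is not part of the original thread: a stored value stays inert under a plain SELECT, becomes code when concatenated into EXEC(), and stays data again when bound as an sp_executesql parameter. The table dbo.AppUsers, both procedure names and the stored value are constructed for illustration, and a current SQL Server version is assumed; note that sp_executesql only helps when the value is passed as a parameter, since concatenating it into the statement string behaves like EXEC().

```sql
-- Added example: table, procedure names and the stored value are constructed.
-- GO is the batch separator used by sqlcmd / Management Studio.
CREATE TABLE dbo.AppUsers (id INT PRIMARY KEY, name NVARCHAR(200));
INSERT INTO dbo.AppUsers (id, name) VALUES (1, N'alice');
INSERT INTO dbo.AppUsers (id, name)
VALUES (2, N'x''; SELECT ''stored data ran as SQL'' AS marker; --');
GO

-- 1) Plain query: the stored string comes back as characters, nothing runs.
SELECT name FROM dbo.AppUsers WHERE id = 2;
GO

-- 2) Weak: the stored value is concatenated into a dynamic statement,
--    so its text is parsed as part of the SQL batch.
CREATE PROCEDURE dbo.usp_LookupByStoredName_Weak @id INT
AS
BEGIN
    DECLARE @name NVARCHAR(200), @sql NVARCHAR(MAX);
    SELECT @name = name FROM dbo.AppUsers WHERE id = @id;
    SET @sql = N'SELECT id FROM dbo.AppUsers WHERE name = ''' + @name + N'''';
    EXEC (@sql);
END
GO

-- 3) Corrected: the statement text is fixed and the value is bound as a
--    typed parameter, so it is only ever compared as data.
CREATE PROCEDURE dbo.usp_LookupByStoredName_Safe @id INT
AS
BEGIN
    DECLARE @name NVARCHAR(200);
    SELECT @name = name FROM dbo.AppUsers WHERE id = @id;
    EXEC sp_executesql
        N'SELECT id FROM dbo.AppUsers WHERE name = @n',
        N'@n NVARCHAR(200)',
        @n = @name;
END
GO

EXEC dbo.usp_LookupByStoredName_Weak @id = 2;
EXEC dbo.usp_LookupByStoredName_Safe @id = 2;
GO

-- 4) Review aid (coarse): list modules that contain dynamic SQL so each
--    can be checked by hand for concatenated table data.
SELECT OBJECT_NAME(object_id) AS module_name
FROM sys.sql_modules
WHERE definition LIKE N'%EXEC%(%' OR definition LIKE N'%sp_executesql%';
```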