Penetration Testing mailing list archives
RE: MS SQL, find list of tables
From: "Ofer Maor" <ofer.hacktics () gmail com>
Date: Tue, 27 Sep 2005 18:10:39 +0200
Hi, You are not working against an MS-SQL Server, but rather against an Access MDB file, connected to the Access ODBC driver. The bad news are that with Access, the MSysObjects table has no read permissions by default, so you will not be lucky there.. The good news are, judging from your mail, is that you have detailed error messages in this application. It therefore may be possibile to extract the names of the tables by creating detailed error messages. What I suggest is try to generate all kinds of errors in the system in all kinds of locations. Such errors can include insertion of meta characters other than just quote, such as parenthesis, semicolon, remarks, etc. Also, try playing with keywords such as HAVING and GROUP BY. As far as I recall, MS tends to become descriptive about field names and such when inserting such fields. Also, you can try union select from other tables, or even with no tables (MS is lenient about SQL syntax, and allows performing a query such as SELCT 1,2,3, without a FROM clause). In addition to that, I strongly suggest guessing the table names. In most PT's I did, users table tend to use a variation of one of the following (try singular form, plural, etc).: - Users - Logins - Accounts - IDs Etc.. Also, try following common table naming conventions, such as tblUsers, or tUsers, or tbl_Users, etc. From my experience, if you sufficiently play with standard prefixes/suffixes, and logical names, you've got a very high chance of finding the table name. Sincerely, --- Ofer Maor CTO Hacktics Ltd. Mobile: +972-54-6545406 Office: +972-9-9565840 Fax: +972-9-9500047 Web: www.hacktics.com -----Original Message----- From: Cedric Foll [mailto:cedric.foll () ac-rouen fr] Sent: Monday, September 26, 2005 4:01 PM To: pen-test () securityfocus com Subject: MS SQL, find list of tables Hi, I'm doing a pen test on a IIS/MS SQL box and find a SQL Injection on it which permit to execute some SQL command on it. In fact I have a "select" where I can inject an "UNION something". I'd like to use that in order to get login/passwd in the database. I can do: <somethin.asp?page=contact' UNION SELECT * FROM users WHERE '1'='1> But the table users doesn't exist and I failed to guess an existing table name :(. I've tried: <something.asp?page=contact' UNION SELECT * FROM MSysObjects'> but I get ---- Microsoft OLE DB Provider for ODBC Drivers error '80040e09' [Microsoft][ODBC Microsoft Access Driver] Record(s) cannot be read; no read permission on 'MSysObjects'. ---- Someone has an idea ???? Regards -- Cedric Foll Ingיnieur Sיcuritי & Rיseaux Division Informatique, Rectorat de Rouen "More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk." Bruce Schneier ---------------------------------------------------------------------------- -- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ---------------------------------------------------------------------------- --- ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- MS SQL, find list of tables Cedric Foll (Sep 27)
- Re: MS SQL, find list of tables Cedric Foll (Sep 28)
- RE: MS SQL, find list of tables Ofer Maor (Sep 28)
- Re: MS SQL, find list of tables Jon DeShirley (Sep 28)
- Re: MS SQL, find list of tables Bernhard Mueller (Sep 28)
- <Possible follow-ups>
- RE: MS SQL, find list of tables BHAI JAINUDDINBHAI, TRUNKWALA KUTBUDDIN (TRUNKWALA KUTBUDDIN)** CTR ** (Sep 28)
- RE: MS SQL, find list of tables Velasco Herrero, Jose Antonio (Sep 28)
- RE: MS SQL, find list of tables LAROUCHE Francois (Sep 29)