Penetration Testing mailing list archives
SQL Injection - Strange Result
From: Danux <danuxx () gmail com>
Date: Thu, 18 Oct 2007 23:38:48 +0000
Hi, after your excellent help I am able to bypass single quotes using the SQL Server char(0xXX) function, so you can do something like

select * from table where name = char(N,N,N,N)

which is the same as

select * from table where name = 'NNNN'

but without using single quotes. Then, I was able to run stored procedures using [ and ] instead of single quotes too.

But now I have a problem while making the injection (a PHP / MSSQL 2000 web app), which, by the way, is not being filtered by the PHP app and goes directly to the SQL Server. The problem is that after sending the next test:

http://www.client.com/mod.php?id=1;begin%20declare%20@q%20varchar(8000)select%20@q%20=%200x73656c65637420404076657273696f6e%20exec(@q)%20end;--

or another stored procedure like:

http://www.client.com/mod.php?id=1;exec%20sp_makewebtask%20%5Bc:\inetpub\wwwroot\sssssssss\index_olld.html%5D,%20%5Bselect%20*%20from%20TABLE%5D;--

the application responds with something like:

SQL error: [Microsoft][ODBC SQL Server Driver]Connection is busy with results for another hstmt, SQL state S1000 in SQLExecDirect in c:\Inetpub\wwwroot\sssssssssss

I think it is because of the first query (the one that belongs to the id=1 parameter, even though id=1 results in 0 rows). I have read a lot on SQL injection (Advanced, More, and so on), but all of them always execute a stored procedure after a semicolon and none of them says anything about this error. I thought of putting a delay before my stored procedure, or a command to free the database connection handler. What do you think?

By the way, I am not able to run xp_cmdshell because of the database user permissions. Maybe I could try to elevate privileges, but the error described above always appears.

Thanks in advance.

--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
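Editor's note, added to this archive page and not part of the post or the thread: whatever the ODBC driver does with the stacked statement, the request shape quoted above is fully visible to the web server, so the defender-side lesson is that access logs carry every indicator needed to catch it. The Python below URL-decodes each request target and flags the patterns the post itself exhibits: a statement terminator followed by a T-SQL keyword, a long hex literal fed to exec(), char(N,N,...) string building without quotes, calls to sp_makewebtask or xp_cmdshell, and a trailing `--` comment. The two malicious request targets are the ones quoted in the post; the log format, client IPs, timestamps and status codes are constructed, and the indicator list is an illustrative starting point for a rule, not a complete signature set.

```python
"""Flag access-log requests that carry stacked-query SQL injection indicators.

Added example for the thread above; the two malicious URLs are quoted from the
post, everything else (log lines, IPs, timestamps, rule names) is constructed.
"""
import re
from urllib.parse import urlsplit, unquote_plus

# Request URLs quoted in the post above (client hostname as it appears there).
URL_HEX_EXEC = (
    "http://www.client.com/mod.php?id=1;begin%20declare%20@q%20varchar(8000)"
    "select%20@q%20=%200x73656c65637420404076657273696f6e%20exec(@q)%20end;--"
)
URL_MAKEWEBTASK = (
    r"http://www.client.com/mod.php?id=1;exec%20sp_makewebtask%20%5B"
    r"c:\inetpub\wwwroot\sssssssss\index_olld.html%5D,%20%5Bselect%20*%20from%20TABLE%5D;--"
)

# Indicators evaluated against the decoded query string. Names are our own labels.
INDICATORS = {
    # statement terminator followed by a T-SQL keyword: the "stacked query" shape
    "stacked_statement": re.compile(
        r";\s*(?:exec|declare|begin|select|insert|update|delete|drop|create)\b", re.I),
    # a hex literal long enough to hide a whole statement
    "hex_literal": re.compile(r"\b0x[0-9a-f]{8,}\b", re.I),
    # dynamic SQL execution of a variable or literal
    "dynamic_exec": re.compile(r"\bexec(?:ute)?\s*\(", re.I),
    # char(N,N,...) with two or more codes: string building without quotes
    "char_concat": re.compile(
        r"\bchar\s*\(\s*(?:0x[0-9a-f]+|\d+)(?:\s*,\s*(?:0x[0-9a-f]+|\d+))+\s*\)", re.I),
    # system or extended procedures that write files or run commands
    "dangerous_proc": re.compile(
        r"\b(?:sp_makewebtask|xp_cmdshell|sp_oacreate|xp_regwrite)\b", re.I),
    # T-SQL line comment that discards the remainder of the original query
    "trailing_comment": re.compile(r"--\s*$"),
}

# Combined-format access log line: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_query(url):
    """Return the query string of a URL (absolute or path-only), percent-decoded twice.

    Decoding twice means a payload that was percent-encoded twice is still seen in clear.
    """
    query = urlsplit(url).query
    return unquote_plus(unquote_plus(query))


def scan_url(url):
    """Return the sorted indicator names that match the decoded query string of url."""
    decoded = decode_query(url)
    return sorted(name for name, pattern in INDICATORS.items() if pattern.search(decoded))


def scan_log(lines):
    """Return (client_ip, request_target, hits) for every log line with at least one hit.

    Lines that do not parse as combined-format entries are skipped.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = scan_url(m["target"])
        if hits:
            findings.append((m["ip"], m["target"], hits))
    return findings


def _target(url):
    """Path plus query of url, as it would appear in the request line of a log entry."""
    parts = urlsplit(url)
    return f"{parts.path}?{parts.query}"


# Constructed sample log: two normal requests and the two requests quoted in the post.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Oct/2007:23:30:01 +0000] "GET /mod.php?id=1 HTTP/1.1" 200 4821',
    f'203.0.113.7 - - [18/Oct/2007:23:31:12 +0000] "GET {_target(URL_HEX_EXEC)} HTTP/1.1" 500 312',
    f'203.0.113.7 - - [18/Oct/2007:23:33:45 +0000] "GET {_target(URL_MAKEWEBTASK)} HTTP/1.1" 500 312',
    '198.51.100.20 - - [18/Oct/2007:23:35:09 +0000] "GET /search.php?q=how+to+select+a+printer HTTP/1.1" 200 1190',
]

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {', '.join(hits)}\n    {target}")
```

Note that the benign search request containing the word "select" is not flagged: the rules key on structure (a `;` before a keyword, `exec(`, a long hex literal) rather than on isolated keywords, which keeps the false-positive rate tolerable on real traffic. The server-side fix for the application described in the post is parameterized queries, which is independent of anything the log scanner reports.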
Current thread:
- SQL Injection - Strange Result Danux (Oct 19)