WebApp Sec mailing list archives
RE: Blind SQL Injection / Stored procedures
From: "Andres Molinetti" <andymolinetti () hotmail com>
Date: Wed, 16 Nov 2005 14:00:48 +0000
I'm not sure what you mean by base..syscolumns as far as I am concerned it shouldn't work unless your database is called "base", is that so?
Sorry for that not making it clear. I have discovered that there were multiple databases in the server so I tried to enumerate the tables and columns in those too. It should say 'Database..syscolums'.
But in any cases, your assumption might be right about the fact that the web site discusses with the SQL server with stored proc. Usually what I do to see if it's the case is to try to insert a union select 1-- and look at the reaction. Normally if it's a stored proc, it will not like it. But again it's hard to explain it directly here, one must look at it and test it by himself.So the first step to see if it's a question of rights is to look at the current user with "user". If you get back dbo, it means you have something wrong with your SQL statement.
I am sure that the username is not DBO. It is a non privileged use named "webapp".
> Then my problem is how can I use an stored procedure to get some data? I > think I am able to run, but how can I do to get its results?Now to answer your question about how to display results from a stored proc, the solution will depend if you can get information back or not. Considering you called your title "Blind SQL injection / Stored procedures" I would guess that you used that technique to succeed to get the data. If so, well I suppose you can still use my technique but it's going to be a long and tedious work.So here is how I do it.Normally every user has the rights on Pubs and Northwind database if they are still on the server that is (almost 100% of the times). So you can create a table there, then insert the results of the stored proc you want to use in this table and go read them either blindly or from the output on the web page.Here is an example:TRUNCATE table pubs.dbo.tmp; INSERT INTO pubs.dbo.tmp (res) EXEC MyDB..TheStoredProcTmp: being my created table MyDB: being the database I want to use the stored procs TheStoredProc: being the stored proc I want to execute (res): is a field that is nvarchar(4000) containing my result I truncate the table to remove previous data firstOf course, you will need to create fields in the tmp table depending of the number of your stored proc's outputs you have. As I said, it's tedious but I think it's the only way to display results from a stored proc. You can most definitely not use a union with one, I've searched and searched... (Please tell me if I'm wrong I'd love to know...)
I don't really understand the "res" field you mention. As I understand I will only need to create the table with the fields the proc is outputting... hope you can explain this a bit more...
François Larouche ______________________________________________________________________________________________________________________________This email, the information contained within and any files transmitted with it (herein after referred as "the message") are confidential. It is intended solely for the addressees and access to this message by any other person is not permitted. If you are not the named addressee, please send it back immediately to the sender and delete it. Unauthorized disclosure, publication, use, dissemination, forwarding, printing or copying of this message, either in whole or in part, is strictlyprohibited.Emails are susceptible to alteration and their integrity cannot be guaranteed. Our company shall not be liable for thismessage if modified or falsified.
_________________________________________________________________Acepta el reto MSN Premium: Protección para tus hijos en internet. Descárgalo y pruébalo 2 meses gratis. http://join.msn.com?XAPID=1697&DI=1055&HL=Footer_mailsenviados_proteccioninfantil
Current thread:
- Blind SQL Injection / Stored procedures Andres Molinetti (Nov 15)
- Re: Blind SQL Injection / Stored procedures Adam Tuliper (Nov 15)
- Re: Blind SQL Injection / Stored procedures Laramies (Nov 16)
- RE: Blind SQL Injection / Stored procedures Victor Chapela (Nov 18)
- <Possible follow-ups>
- RE: Blind SQL Injection / Stored procedures LAROUCHE Francois (Nov 16)
- RE: Blind SQL Injection / Stored procedures Andres Molinetti (Nov 16)
- RE: Blind SQL Injection / Stored procedures LAROUCHE Francois (Nov 17)
- Re: Blind SQL Injection / Stored procedures Phillip Powell (Nov 17)
- RE: Blind SQL Injection / Stored procedures Evans, Arian (Nov 17)
- Re: [WEB SECURITY] RE: Blind SQL Injection / Stored procedures Frederic Charpentier (Nov 17)
- RE: Blind SQL Injection / Stored procedures LAROUCHE Francois (Nov 18)
- Re: Blind SQL Injection / Stored procedures ascii (Nov 18)