WebApp Sec mailing list archives
RE: Blind SQL Injection / Stored procedures
From: "Victor Chapela" <victor () sm4rt com>
Date: Fri, 18 Nov 2005 00:22:41 -0600
You may want to try with: exec master.dbo.sp_executesql N'...your query...' This is in itself a stored procedure... But it allows you to run a query within. This should work with sp3 unless you don't have enough privileges to access master's stored procedures. Good luck, Victor
-----Original Message----- From: Andres Molinetti [mailto:andymolinetti () hotmail com] Sent: November 15, 2005 12:41 PM To: pen-test () securityfocus com Cc: websecurity () webappsec org; webappsec () securityfocus com Subject: Blind SQL Injection / Stored procedures Hi List, I am currently testing a clients Web Site. I have found that it is vulnerable to Blind SQL Injection, so I have been able to enumerate tables, columns, etc. It interact with an SQL Server 2000 SP3. The problem is that, despite I was able to enumerate tables and columns (through base..syscolumns) I am not able to access any data of those tables. I think this can be happening because the priviledges are assigned to stored procedures, and not directly to users, which is a good practice. Then my problem is how can I use an stored procedure to get some data? I think I am able to run, but how can I do to get its results? I know that there is an xp_makewebtask which lets me write sql queries to a file, but as the sql server resides in a different machine that the web server, I cannot get those files. Thanks in advance, Andy _________________________________________________________________ Dale rienda suelta a tu tiempo libre. Encuentra mil ideas para exprimir tu ocio con MSN Entretenimiento. http://www.sm4rt.com/links
Current thread:
- Blind SQL Injection / Stored procedures Andres Molinetti (Nov 15)
- Re: Blind SQL Injection / Stored procedures Adam Tuliper (Nov 15)
- Re: Blind SQL Injection / Stored procedures Laramies (Nov 16)
- RE: Blind SQL Injection / Stored procedures Victor Chapela (Nov 18)
- <Possible follow-ups>
- RE: Blind SQL Injection / Stored procedures LAROUCHE Francois (Nov 16)
- RE: Blind SQL Injection / Stored procedures Andres Molinetti (Nov 16)
- RE: Blind SQL Injection / Stored procedures LAROUCHE Francois (Nov 17)
- Re: Blind SQL Injection / Stored procedures Phillip Powell (Nov 17)
- RE: Blind SQL Injection / Stored procedures Evans, Arian (Nov 17)
- Re: [WEB SECURITY] RE: Blind SQL Injection / Stored procedures Frederic Charpentier (Nov 17)
- RE: Blind SQL Injection / Stored procedures LAROUCHE Francois (Nov 18)
- Re: Blind SQL Injection / Stored procedures ascii (Nov 18)