Penetration Testing mailing list archives
Re: [PEN-TEST] sql injection with stored procedures
From: Ted Behling <TBehling () MONARCHIS NET>
Date: Thu, 15 Mar 2001 15:30:26 -0500
Try grabbing the global.asa file, with something like:

    http://servername.com/global.asa+.htr

Lots of poorly-secured WinNT boxes still haven't applied this patch. You'll have to View Source in your browser to look at the file. If this succeeds, you'll probably have the username/password for the ODBC DSN used to hit the SQL Server.

Given that, just make a new DSN on your own computer to access their Web server's SQL Server using TCP/IP.

If the service isn't running on the same box, use nmap to scan the Web server's neighbors for machines that have a SQL Server running on port 1433, with something like:

    nmap -sT -p 1433 1.2.3.0/24

where 1.2.3 are the first three bytes of the IP address.

At 12:13 PM 3/15/01 -0300, Cristiano Lincoln Mattos wrote:
I'm working on a pen-test for a client -- basically, I'm in a situation where his web app (ASP+SQLServer) does not validate the form inputs, making SQL injection possible. What's making this trickier is that the form inputs are parameters to stored procedures that the app uses... and the SELECT calls are inside those procedures. So, I can inject statements into the stored proc call, but not into the select calls inside it, as using 's and the like is not "carried" in to the procedure. An example:
------------------------------------------------
Ted Behling, E-Commerce Consultant
Monarch Information Systems, Inc.
"Because Every Business Should Be An E-Business"
43 Folly Field Road, Unit 4
Hilton Head Island, SC 29928-5434
Toll-free Phone & Fax: 1-800-842-7894
Local or Outside the USA: 1-843-842-7894
mailto:tbehling () monarchis net
http://www.monarchis.net
------------------------------------------------
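
Added example (not part of the original message or of the thread): a defender-side check for the request pattern mentioned above, scanning a W3C extended format web server log for URI stems that end in "+.htr" and grouping them by client address. The sample log lines, the addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-03-15 20:30:26 192.0.2.10 GET /default.asp 200
2001-03-15 20:31:02 192.0.2.77 GET /global.asa+.htr 200
2001-03-15 20:31:09 192.0.2.77 GET /admin/login.asp%2B.htr 200
2001-03-15 20:31:15 192.0.2.77 GET /Global.ASA+.HTR 404
2001-03-15 20:32:40 192.0.2.10 GET /scripts/sample.htr 200
"""

# A stem ending in "+.htr" after percent-decoding; plain .htr pages do not match.
PROBE = re.compile(r"\+\.htr$", re.IGNORECASE)


def find_htr_probes(log_text):
    """Return {client_ip: [(decoded_stem, status), ...]} for '+.htr' requests."""
    fields = []
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order is declared per log file, so read it from the header.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # unquote (not unquote_plus) keeps a literal '+' and decodes %2B.
        stem = unquote(row.get("cs-uri-stem", ""))
        if PROBE.search(stem):
            hits[row.get("c-ip", "?")].append((stem, row.get("sc-status", "")))
    return dict(hits)


def answered_ok(hits):
    """Stems that got a 200, i.e. where file contents may have been returned."""
    return sorted(s for reqs in hits.values() for s, status in reqs if status == "200")


if __name__ == "__main__":
    found = find_htr_probes(SAMPLE_LOG)
    for ip, reqs in found.items():
        print(ip, reqs)
    print("review and rotate credentials exposed in:", answered_ok(found))
```

Any file listed by answered_ok that holds a DSN username or password should be treated as disclosed, and the credential changed once the server is patched.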