Penetration Testing mailing list archives

Re: SQL Injection - retrieving all rows


From: "Kirk Schafer" <jogglie () excite com>
Date: Wed, 20 Mar 2002 16:44:23 -0500 (EST)


Mel -

I was going to post code, but I figure I don't really know what you're doing so I'll just be helpful enough to tell you 
to figure it out. Besides, I don't know what you're using.

Since I haven't seen any other posts, I'm going to speak from what I have access to - MS SQL Server. This isn't the 
only way, but I guarantee it works. Injection: Declare some variables, set a seed (recnum?) variable, then loop until 
the seed comes up NULL (or some other stop). Inside the loop, select the next seed value, and also the 
username/password pairs. Append them to a declared variable with embedded characters (such as tabs). Pay attention to 
max string lengths - you may have to make several queries to get all the way through. At the very end, select the 
"concatenation variable" as your one select line and you have everything you need in one concatenated/delimited string. 
Parse this in your output routine, and you're done.

Of course, since you're injecting fairly complicated script, and you may truncate your injection, why not just keep all 
of your variables outside, where you have more control, and seed a single ASP injection from there (select top 1 * ... 
where name/recnum > injectvalue)...then update your seed and have another go? I know this is exactly what you said 
you'd rather avoid doing, but neither approach (being essentially identical) should take more than 30 minutes, given an 
angelic setup. The best thing is, it's reusable if you write it right. I don't know how you feel about this, because 
I'm not exactly a pen-tester, but I sure know how to get into things, and sure don't think this should present you too 
much of a challenge. Since your problem might be related to CR/LF's in the output, scripting it is probably 
faster-to-market than poking around for that magic bullet. Unless, of course, someone has one sitting around somewhere.

Cheers,
Kirk

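Both approaches Kirk describes leave a recognisable trace in the web server log: either a single parameter carrying a T-SQL batch (DECLARE / SET / WHILE / SELECT @var), or one client repeatedly requesting the same page with a "column > N" seed that climbs by one each time. The detection below is an added example from the defender's side, not code from the thread; the log format, path and parameter names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines: "client method path?query" (hypothetical app, not from the thread).
SAMPLE_LOG = """\
10.0.0.5 GET /user.asp?id=7
10.0.0.9 GET /user.asp?id=1;DECLARE+@s+varchar(8000);SET+@s='';WHILE+1=1+SELECT+@s=@s%2Bname+FROM+users--
10.0.0.7 GET /user.asp?id=0+or+recnum>1
10.0.0.7 GET /user.asp?id=0+or+recnum>2
10.0.0.7 GET /user.asp?id=0+or+recnum>3
10.0.0.7 GET /user.asp?id=0+or+recnum>4
10.0.0.5 GET /user.asp?id=8
"""

# T-SQL batch-scripting tokens that never belong in one parameter of a single-row lookup.
BATCH_TOKENS = re.compile(r"\b(declare|while|set\s+@|select\s+@)\b", re.IGNORECASE)
# A trailing "column > N" comparison, the seed used to walk a table one row per request.
SEED_COMPARE = re.compile(r">\s*(\d+)\b")

def parse_line(line):
    client, _method, target = line.split()
    path, _, query = target.partition("?")
    return client, path, unquote_plus(query)          # decode +/%XX before matching

def is_tsql_batch(query, min_hits=2):
    """True when the decoded query carries several batch-scripting tokens at once."""
    return len(BATCH_TOKENS.findall(query)) >= min_hits

def find_enumeration(lines, min_run=3):
    """Flag a client whose '> N' seed strictly increases across min_run+ requests to one path."""
    seeds = defaultdict(list)                          # (client, path) -> seed values in order
    for line in lines:
        client, path, query = parse_line(line)
        m = SEED_COMPARE.search(query)
        if m:
            seeds[(client, path)].append(int(m.group(1)))
    return [(client, path, s[0], s[-1]) for (client, path), s in seeds.items()
            if len(s) >= min_run and all(b > a for a, b in zip(s, s[1:]))]

def analyze(log_text):
    lines = [l for l in log_text.splitlines() if l.strip()]
    alerts = []
    for line in lines:
        client, path, query = parse_line(line)
        if is_tsql_batch(query):
            alerts.append(("tsql-batch", client, path))
    for client, path, first, last in find_enumeration(lines):
        alerts.append(("row-enumeration", client, path, first, last))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The batch check fires on a single request; the enumeration check only fires on a run of requests from one client, so a genuine user paging through results with a large step would not match it.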

---- Original Message ----
From:           mel
Date:           Wed 3/20/02 13:52
To:             pen-test () securityfocus com
Subject:        SQL Injection - retrieving all rows

Hi,

I've been able to enumerate over 50 plus tables in a recent pen-test,
now comes the hard part - I want to dump data from the most important
table that contains user names and passwords. However, the ASP app
that I exploit only returns one row at a time. Is there any way to
overcome this?

I've been looking for apps that return multiple rows (such as search, etc.)
but to no avail. I've tried dumping ASP code using BULK INSERT, but
the command is only available for the system account. Creating a stored
procedure does not seem to work as well :(

Now, I'm thinking of writing a script that dumps the data one at a time,
but I would like the advice from fellow pen-testers first.

Cheers,

--mel

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
