Penetration Testing mailing list archives

SQL injection from within a table - is it possible?

From: Peter Bair <peterbair100 () hotmail com>
Date: 7 Jan 2005 00:59:44 -0000



Is it possible to store an SQL injection string into a MSSQL database table, so when the database performs an action 
like through a stored proc, the SQL injection attack takes place?

Not through the normal means of SQL injection via a web base means, but if you have the means of storing the data into 
the table directly.

Example:
An application has a users name in a table.  Is it possible to assign the users name as the SQL injection string, 
something like 
   name from table; exec master.xp_cmdshell "ping me"; --

so when the database is running a stored procedure with a  select clause like

   select name from table 

it really is becomes

select name from table; exec master.xp_cmdshell "ping me" ;-- from table


Of course using the SQL query analyzer on the database table, all this works ok.

But when I insert the SQL injection string into the table, as the name, and then query the table nothing happens.

Is it possible or have I missed the point here?

Thanks Peter.

Current thread:

SQL injection from within a table - is it possible? Peter Bair (Jan 06)
- RE: SQL injection from within a table - is it possible? Eyal Udassin (Jan 07)
- Re: SQL injection from within a table - is it possible? Kevin Conaway (Jan 07)
- SQL Injection with DB2 and ASP Frederic Charpentier (Jan 07)
- <Possible follow-ups>
- RE: SQL injection from within a table - is it possible? Kelley, Brian (Jan 07)
- RE: SQL injection from within a table - is it possible? Burnett, Robert (Jan 07)
- RE: SQL injection from within a table - is it possible? Scovetta, Michael V (Jan 07)
- RE: SQL injection from within a table - is it possible? Ofer Shezaf (Jan 07)