Penetration Testing mailing list archives

RE: SQL injection from within a table - is it possible?


From: "Eyal Udassin" <eyal () swiftcoders com>
Date: Fri, 7 Jan 2005 14:03:58 +0200

Hello Peter,

From what I understood from your post, you would like to execute your code
each time a SELECT is performed on a specific table.
This cannot be achieved in the manner you described; allow me to offer a
more straightforward approach.

Use the web page vulnerable to SQL injection to add a trigger containing
your code (e.g. ping your host) which will be triggered upon
select/update/insert on any table you wish.
You should probably visit MSDN for the exact trigger syntax.

Good luck,

Eyal Udassin - Swift Coders
POB 1596 Ramat Hasharon, 47114
972+547-684989
eyal () swiftcoders com

-----Original Message-----
From: Peter Bair [mailto:peterbair100 () hotmail com] 
Sent: Friday, January 07, 2005 3:00 AM
To: pen-test () securityfocus com
Subject: SQL injection from within a table - is it possible?




Is it possible to store an SQL injection string into a MSSQL database table,
so when the database performs an action like through a stored proc, the SQL
injection attack takes place?

Not through the normal means of SQL injection via web-based means, but if
you have the means of storing the data into the table directly.

Example:
An application has a user's name in a table.  Is it possible to assign the
user's name as the SQL injection string, something like 
   name from table; exec master.xp_cmdshell "ping me"; --

so when the database is running a stored procedure with a select clause
like

   select name from table 

it really becomes

select name from table; exec master.xp_cmdshell "ping me" ;-- from table


Of course using the SQL query analyzer on the database table, all this works
ok.

But when I insert the SQL injection string into the table, as the name, and
then query the table nothing happens.

Is it possible or have I missed the point here?

Thanks Peter.
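
An added illustration, not part of either message above: it shows why selecting a stored string does nothing by itself, and the one situation in which stored data does get interpreted as SQL, namely when later code concatenates it into a new statement. It uses Python's sqlite3 rather than MSSQL so it runs offline; the table names, function names and sample value are constructed for the example.

```python
import sqlite3

# Constructed sample value: a "name" that happens to contain SQL syntax.
STORED_NAME = "bob' OR '1'='1"

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT);
    """)
    # Bound parameters: the value is stored verbatim as data.
    db.execute("INSERT INTO users (name) VALUES (?)", (STORED_NAME,))
    db.executemany(
        "INSERT INTO orders (owner, item) VALUES (?, ?)",
        [("alice", "laptop"), ("carol", "phone"), (STORED_NAME, "pen")],
    )
    return db

def _name_for(db, user_id):
    row = db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0]

def plain_select(db):
    # The case from the question: reading the column only returns text.
    return [r[0] for r in db.execute("SELECT name FROM users")]

def orders_concatenated(db, user_id):
    # Vulnerable pattern: the stored value is pasted into a new SQL string,
    # so its quote characters change the WHERE clause.
    sql = "SELECT item FROM orders WHERE owner = '" + _name_for(db, user_id) + "'"
    return sorted(r[0] for r in db.execute(sql))

def orders_parameterized(db, user_id):
    # Hardened pattern: the stored value is bound, so it stays a literal.
    sql = "SELECT item FROM orders WHERE owner = ?"
    return sorted(r[0] for r in db.execute(sql, (_name_for(db, user_id),)))

if __name__ == "__main__":
    db = build_db()
    print("plain select   :", plain_select(db))
    print("concatenated   :", orders_concatenated(db, 1))
    print("parameterized  :", orders_parameterized(db, 1))
```

When reviewing stored procedures for this, the places to check are those that build a statement string from column values and then execute it; binding the value as a parameter removes the problem.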


