Blind SQL Injection Techniques

[One2 () onetwo com]

Hi All,

I am testing a client at the moment who has a Blind SQL Injection vulnerability and am running out of techniques, so 
need some tips.

I injected the following string to validate that the system has an MSSQL server at the back-end.

 or 1=1;select * from sysobjects;--

This returned a valid page.

Also injected the following and got a valid page, but again no data since it is completely blind.

 or 1=1;select @@version;--

Replacing sysobjects, in the first example, with an invalid table returns a custom error page that doesn't disclose 
anything.

It seems that when injecting any invalid sql statement I get the same custom error page coming back that doesn't reveal 
any information.

My next step was to determine whether the DB was running as system. I tried using the following command;

 or 1=1;if (select user) = 'sa' waitfor delay '0:0:5';--

... but got the error page, indicating that it didn't work - especially since it didn't take 5 seconds. I then tried 
simplifying it to just;

 waitfor delay '0:0:5';--

... but again, the error page, indicating this command was not working. I thought it was the quotes but the following 
were successful;

 or 1=1;select * from 'sysobjects';--
 or 1=1;select * from "sysobjects";--

I then tried the following to see if I could actually run system commands;

 or 1=1;exec master..xp_cmdshell dir;--

... but this got the error page again indicating unsuccessful.

Any suggestions on gaining further information or access on this system would be appreciated.

Thanks,
One2


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------