Penetration Testing mailing list archives
Blind SQL Injection Techniques
From: One2 () onetwo com
Date: 13 Dec 2006 07:41:30 -0000
Hi All, I am testing a client at the moment who has a Blind SQL Injection vulnerability and am running out of techniques, so need some tips. I injected the following string to validate that the system has an MSSQL server at the back-end. or 1=1;select * from sysobjects;-- This returned a valid page. Also injected the following and got a valid page, but again no data since it is completely blind. or 1=1;select @@version;-- Replacing sysobjects, in the first example, with an invalid table returns a custom error page that doesn't disclose anything. It seems that when injecting any invalid sql statement I get the same custom error page coming back that doesn't reveal any information. My next step was to determine whether the DB was running as system. I tried using the following command; or 1=1;if (select user) = 'sa' waitfor delay '0:0:5';-- ... but got the error page, indicating that it didn't work - especially since it didn't take 5 seconds. I then tried simplifying it to just; waitfor delay '0:0:5';-- ... but again, the error page, indicating this command was not working. I thought it was the quotes but the following were successful; or 1=1;select * from 'sysobjects';-- or 1=1;select * from "sysobjects";-- I then tried the following to see if I could actually run system commands; or 1=1;exec master..xp_cmdshell dir;-- ... but this got the error page again indicating unsuccessful. Any suggestions on gaining further information or access on this system would be appreciated. Thanks, One2 ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- Blind SQL Injection Techniques One2 (Dec 13)
- Re: Blind SQL Injection Techniques Leonardo Rodrigues (Dec 16)
- RE: Blind SQL Injection Techniques Paul Melson (Dec 16)
- RE: Blind SQL Injection Techniques Gurpreet Singh (Dec 16)
- Re: Blind SQL Injection Techniques Rick Zhong (Dec 19)
- <Possible follow-ups>
- Re: Blind SQL Injection Techniques Paulo Ribeiro (Dec 16)