Penetration Testing mailing list archives
Re: Blind SQL Injection Techniques
From: Paulo Ribeiro <lopolo_fr () yahoo fr>
Date: Wed, 13 Dec 2006 23:02:51 +0000 (GMT)
Hello,

Usually, when it's a blind SQL injection, as described, no information can easily be retrieved, if at all. A few days ago, I had the same problem, so I used the sp_rename stored procedure to rename random table names (dictionary names like user, content, product, etc.) ... and it worked for a few. When it worked, the website generated a lot of errors since part of the content was broken. By using the same sp, I could rename the table back to its original name. What I got from it were a few table names, some FS paths...

Paul

----- Original Message ----
From: "One2 () onetwo com" <One2 () onetwo com>
To: pen-test () securityfocus com
Sent: Wednesday, December 13, 2006 8:41:30 AM
Subject: Blind SQL Injection Techniques

Hi All,

I am testing a client at the moment who has a Blind SQL Injection vulnerability and am running out of techniques, so need some tips.

I injected the following string to validate that the system has an MSSQL server at the back-end.

    or 1=1;select * from sysobjects;--

This returned a valid page. Also injected the following and got a valid page, but again no data since it is completely blind.

    or 1=1;select @@version;--

Replacing sysobjects, in the first example, with an invalid table returns a custom error page that doesn't disclose anything. It seems that when injecting any invalid SQL statement I get the same custom error page coming back that doesn't reveal any information.

My next step was to determine whether the DB was running as system. I tried using the following command:

    or 1=1;if (select user) = 'sa' waitfor delay '0:0:5';--

... but got the error page, indicating that it didn't work - especially since it didn't take 5 seconds. I then tried simplifying it to just:

    waitfor delay '0:0:5';--

... but again, the error page, indicating this command was not working.
I thought it was the quotes but the following were successful:

    or 1=1;select * from 'sysobjects';--
    or 1=1;select * from "sysobjects";--

I then tried the following to see if I could actually run system commands:

    or 1=1;exec master..xp_cmdshell dir;--

... but this got the error page again indicating unsuccessful.

Any suggestions on gaining further information or access on this system would be appreciated.

Thanks,
One2

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
Current thread:
- Blind SQL Injection Techniques One2 (Dec 13)
- Re: Blind SQL Injection Techniques Leonardo Rodrigues (Dec 16)
- RE: Blind SQL Injection Techniques Paul Melson (Dec 16)
- RE: Blind SQL Injection Techniques Gurpreet Singh (Dec 16)
- Re: Blind SQL Injection Techniques Rick Zhong (Dec 19)
- <Possible follow-ups>
- Re: Blind SQL Injection Techniques Paulo Ribeiro (Dec 16)