Penetration Testing mailing list archives

Re: Blind SQL Injection Techniques

From: Paulo Ribeiro <lopolo_fr () yahoo fr>
Date: Wed, 13 Dec 2006 23:02:51 +0000 (GMT)

Hello,
 
Usually, when it's a blind SQL injection, as described, no information can easily be retrieved, if at all.
A few days ago, I had the same problem, so I used the sp_rename stored procedure to rename random table names 
(dictionnary names like user, content, produt, etc...) ... and it worked for a few...
When it worked, the website  generated a lot of errors since part of the content was broken.  
By using the same sp, I could rename the table back to its original name.
 
What I got from it where a few table names, some FS paths... 
Paul



----- Original Message ---- 
From: "One2 () onetwo com" <One2 () onetwo com> 
To: pen-test () securityfocus com 
Sent: Wednesday, December 13, 2006 8:41:30 AM 
Subject: Blind SQL Injection Techniques 


Hi All, 

I am testing a client at the moment who has a Blind SQL Injection vulnerability and am running out of techniques, so 
need some tips. 

I injected the following string to validate that the system has an MSSQL server at the back-end. 

or 1=1;select * from sysobjects;-- 

This returned a valid page. 

Also injected the following and got a valid page, but again no data since it is completely blind. 

or 1=1;select @@version;-- 

Replacing sysobjects, in the first example, with an invalid table returns a custom error page that doesn't disclose 
anything. 

It seems that when injecting any invalid sql statement I get the same custom error page coming back that doesn't reveal 
any information. 

My next step was to determine whether the DB was running as system. I tried using the following command; 

or 1=1;if (select user) = 'sa' waitfor delay '0:0:5';-- 

... but got the error page, indicating that it didn't work - especially since it didn't take 5 seconds. I then tried 
simplifying it to just; 

waitfor delay '0:0:5';-- 

... but again, the error page, indicating this command was not working. I thought it was the quotes but the following 
were successful; 

or 1=1;select * from 'sysobjects';-- 
or 1=1;select * from "sysobjects";-- 

I then tried the following to see if I could actually run system commands; 

or 1=1;exec master..xp_cmdshell dir;-- 

... but this got the error page again indicating unsuccessful. 

Any suggestions on gaining further information or access on this system would be appreciated. 

Thanks, 
One2 


------------------------------------------------------------------------ 
This List Sponsored by: Cenzic 

Need to secure your web apps? 
Cenzic Hailstorm finds vulnerabilities fast. 
Click the link to buy it, try it or download Hailstorm for FREE. 
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW 
------------------------------------------------------------------------


 
____________________________________________________________________________________
Do you Yahoo!?
Everyone is raving about the all-new Yahoo! Mail beta.
http://new.mail.yahoo.com

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

Current thread:

Blind SQL Injection Techniques One2 (Dec 13)
- Re: Blind SQL Injection Techniques Leonardo Rodrigues (Dec 16)
- RE: Blind SQL Injection Techniques Paul Melson (Dec 16)
- RE: Blind SQL Injection Techniques Gurpreet Singh (Dec 16)
- Re: Blind SQL Injection Techniques Rick Zhong (Dec 19)
- <Possible follow-ups>
- Re: Blind SQL Injection Techniques Paulo Ribeiro (Dec 16)