Penetration Testing mailing list archives
Re: SQL Injection- Bypassing magic_quotes
From: Danux <danuxx () gmail com>
Date: Wed, 10 Oct 2007 20:00:21 -0500
Good, Leo, but sadly I have already taken those steps. The backend is a SQL Server 2005, so xp_cmdshell and others are disabled. I only want to print a confidential table in order to show that it's important to fix it.

I think the MSSQL connection handler is executed by the first mod.php query, so when trying to execute the second one it says the handler is already used, so... I need a way to execute a second query through the first one, with union or something like that, or, as Geoff said, a way to stop executing the first query (mod.php) so that the connection handler is not used and can execute the second one of mine (SQL injection).

What do you think?

On 10/10/07, Walsh, Leo <Leo_Walsh () jeffersonwells com> wrote:
I would try a couple of things, if you haven't already.

1) If you aren't actually interested in the results that are obtained from the query performed by mod.php then skip it. Your 1=1 selection criteria might be eating up too much time. From the looks of your query string it seems that you can bypass whatever filtering they are doing without using 1=1.

2) Try selecting something much smaller than the entire messages table. This is a table that might be quite large. Try selecting a single row or message where date > somedate (which you may have to convert to a binary value, by the way). If you know another table name then try that.

3) Try using a SQL Injection tool to gain sa access. Depending on the purpose of your investigation, gaining sa should be enough to demonstrate a severe vulnerability that should be mitigated immediately.

-Leo Walsh, GSNA
Jefferson Wells International
816-627-4222 (office)
913-484-8051 (cell)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Danux
Sent: Tuesday, October 09, 2007 7:25 PM
To: pen-test () securityfocus com
Subject: Re: SQL Injection- Bypassing magic_quotes

Hi, well, after taking some examples from you (thanks in advance), I am able to bypass single quotes, so I can inject something simple as:

http://www.site.com/mod.php?id=1%27%20or%201=1--

But now, when trying to print a full table with the following injection:

http://www.site.com/mod.php?id=1%27%20or%201=1--;select%20*%20from%20messages;--

there is a Warning saying that the Connection is busy:

Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC SQL Server Driver]Connection is busy with results for another hstmt, SQL state S1000 in SQLExecDirect in .........mod.php

So, I think I need a way to execute the second query (mine) before the one that mod.php executes by itself (mod.php?id=1).

What do you think?
------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
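The remediation this thread is really about, as an added example that is not code from the thread or from the application under test: a hardened version of the id lookup a page like mod.php performs over PHP's ODBC extension. The messages table with id, subject and body columns, the messages_db DSN and the app_reader login are assumptions. Note that magic_quotes_gpc, named in the subject line, only backslash-escapes quotes (which SQL Server does not treat as an escape) and was removed in PHP 5.4; typed input validation plus parameterized queries is the control that actually holds.

```php
<?php
// Added example, not code from the thread: a hardened id lookup for a page
// like mod.php. Table/column names, the DSN and the login are assumptions.
declare(strict_types=1);

function fetch_message($conn, string $rawId): ?array
{
    // Enforce the parameter's type up front: a message id is a positive
    // integer, so quotes, comment markers or a second statement are rejected
    // before any SQL exists. This does not depend on magic_quotes_gpc, whose
    // backslash escaping means nothing to SQL Server anyway.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $rawId)) {
        return null;
    }
    $id = (int) $rawId;

    // Keep the SQL text constant and bind the value as a parameter; the ODBC
    // driver transmits it separately, so it is never parsed as SQL.
    $stmt = odbc_prepare($conn, 'SELECT id, subject, body FROM messages WHERE id = ?');
    if ($stmt === false || !odbc_execute($stmt, [$id])) {
        error_log('message lookup failed: ' . odbc_errormsg($conn));
        return null;
    }
    $row = odbc_fetch_array($stmt);

    // Release the result set. An unreleased statement is what leaves the
    // connection "busy with results for another hstmt", as quoted in the
    // thread; fixing that is housekeeping, not a security control.
    odbc_free_result($stmt);
    return $row === false ? null : $row;
}

// Least-privilege login: read-only on the tables this page needs.
$conn = odbc_connect('DSN=messages_db', 'app_reader', getenv('DB_PASSWORD') ?: '');
if ($conn === false) {
    http_response_code(500);
    exit('database unavailable');
}

$row = fetch_message($conn, $_GET['id'] ?? '');
if ($row === null) {
    http_response_code(404);
    exit('not found');
}
header('Content-Type: text/plain; charset=utf-8');
echo $row['subject'], "\n", $row['body'], "\n";
odbc_close($conn);
```

Because the statement text never changes, an id value such as the ones quoted in the thread fails the integer check and, even if it reached the driver, would be bound as data rather than appended to the SQL.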
Current thread:
- SQL Injection- Bypassing magic_quotes Danux (Oct 03)
- Re: SQL Injection- Bypassing magic_quotes Danux (Oct 09)
- <Possible follow-ups>
- RE: SQL Injection- Bypassing magic_quotes Andrew Court (Oct 04)
- Re: SQL Injection- Bypassing magic_quotes Jorge Hoya (Oct 05)
- Re: SQL Injection- Bypassing magic_quotes Danux (Oct 09)
- Re: SQL Injection- Bypassing magic_quotes Jorge Hoya (Oct 05)
- Re: SQL Injection- Bypassing magic_quotes Danux (Oct 10)
- RE: SQL Injection- Bypassing magic_quotes Walsh, Leo (Oct 11)
- Re: SQL Injection- Bypassing magic_quotes Danux (Oct 11)
- RE: SQL Injection- Bypassing magic_quotes Gary Oleary-Steele (Oct 12)