Re: SQL Injection- Bypassing magic_quotes

[Danux <danuxx () gmail com>]

Good Leo, but sadly i have already taken those steps, the backend is a
SQL Server 2005 so xp_cmdshell and others are disabled.  I only want
to print a confidential table in order to show up that its important
to fix it.

I think, the MSSQL connection handler is executed by the first mod.php
query so when trying to execute the second one it says the handlers is
already used, so ... i need a way to execute a second query through
the first one... with union or something like that or as Geoff said, a
way to stop executing the first query(mod.php) so that the connection
handler is not used and can execute the second one of mine (sql
injection).

What you think?

On 10/10/07, Walsh, Leo <Leo_Walsh () jeffersonwells com> wrote:
> I would try a couple of things, if you haven't already.
>
> 1) If you aren't actually interested in the results that are obtained
> from the query performed by mod.php then skip it. Your 1=1 selection
> criteria might be eating up too much time. From the looks of your query
> string it seems that can you bypass whatever filtering they are doing
> without using 1=1.
>
> 2) Try selecting something much smaller than the entire messages table.
> This is a table that might be quite large. Try selecting a single row or
> message where date > somedate (which you may have to convert to a binary
> value, by the way. If you know another table name then try that.
>
> 3) Try using a SQL Injection tool to gain sa access. Depending on the
> purpose of your investigation gaining sa should be enough to demonstrate
> a severe vulnerability that should be mitigated immediately.
>
>
> -Leo Walsh, GSNA
> Jefferson Wells International
> 816-627-4222 (office)
> 913-484-8051 (cell)
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Danux
> Sent: Tuesday, October 09, 2007 7:25 PM
> To: pen-test () securityfocus com
> Subject: Re: SQL Injection- Bypassing magic_quotes
>
> Hi, well, after taking some examples from you (thanks in advance), i am
> able to bypass single quotes son i can inject something simple as:
>
> http://www.site.com/mod.php?id=1%27%20or%201=1--
>
> But now, when trying to print a full table.... with the following
> injection...:
>
>
> http://www.site.com/mod.php?id=1%27%20or%201=1--;select%20*%20from%20mes
> sages;--
>
> there is a Warning saying that the Connecction is busy:
>
>
> Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC
> SQL Server Driver]Connection is busy with results for another hstmt, SQL
> state S1000 in SQLExecDirect in .........mod.php
>
> So, i think i need a way to execute the second query (mine) before the
> one that mod.php executes by itself (mod.php?id=1)
>
> What you think?
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>
>
> ******* Internet Email Confidentiality ******* The information
> contained in this message may be privileged and confidential and
> protected from disclosure. If the reader of this message is not the
> intended recipient, or an employee or agent responsible for
> delivering this message to the intended recipient, you are hereby
> notified that it is strictly prohibited (a) to disseminate,
> distribute or copy this communication or any of the information
> contained in it, or (b) to take any action based on the information
> in it. If you have received this communication in error, please
> notify us immediately by replying to the message and deleting it
> from your computer.


-- 
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------