RE: SQL Injection- Bypassing magic_quotes

["Walsh, Leo" <Leo_Walsh () jeffersonwells com>]

I think UNION requires columns of the same type. Do you have that type
of information? Do you happen to know (or can guess) what query is being
executed by mod.php? If you could share the query string you are using
to bypass magic_quotes and the results you get I might have some more
concrete ideas.

In raw SQL you can add a query at the WHERE level but it may be useless
to you. A very simple example that probably won't return the results you
want but you may catch my drift:

Select * from app_users
Where user id = 1 OR message in (select * from messages)

-Leo Walsh, GSNA
Jefferson Wells International
816-627-4222 (office)
913-484-8051 (cell)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Danux
Sent: Wednesday, October 10, 2007 8:00 PM
To: pen-test () securityfocus com
Subject: Re: SQL Injection- Bypassing magic_quotes

Good Leo, but sadly i have already taken those steps, the backend is a
SQL Server 2005 so xp_cmdshell and others are disabled.  I only want to
print a confidential table in order to show up that its important to fix
it.

I think, the MSSQL connection handler is executed by the first mod.php
query so when trying to execute the second one it says the handlers is
already used, so ... i need a way to execute a second query through the
first one... with union or something like that or as Geoff said, a way
to stop executing the first query(mod.php) so that the connection
handler is not used and can execute the second one of mine (sql
injection).

What you think?

On 10/10/07, Walsh, Leo <Leo_Walsh () jeffersonwells com> wrote:
> I would try a couple of things, if you haven't already.
>
> 1) If you aren't actually interested in the results that are obtained 
> from the query performed by mod.php then skip it. Your 1=1 selection 
> criteria might be eating up too much time. From the looks of your 
> query string it seems that can you bypass whatever filtering they are 
> doing without using 1=1.
>
> 2) Try selecting something much smaller than the entire messages
table.
> This is a table that might be quite large. Try selecting a single row 
> or message where date > somedate (which you may have to convert to a 
> binary value, by the way. If you know another table name then try
that.
> 3) Try using a SQL Injection tool to gain sa access. Depending on the 
> purpose of your investigation gaining sa should be enough to 
> demonstrate a severe vulnerability that should be mitigated
immediately.
> -Leo Walsh, GSNA
> Jefferson Wells International
> 816-627-4222 (office)
> 913-484-8051 (cell)
>
> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com]
> On Behalf Of Danux
> Sent: Tuesday, October 09, 2007 7:25 PM
> To: pen-test () securityfocus com
> Subject: Re: SQL Injection- Bypassing magic_quotes
>
> Hi, well, after taking some examples from you (thanks in advance), i 
> am able to bypass single quotes son i can inject something simple as:
>
> http://www.site.com/mod.php?id=1%27%20or%201=1--
>
> But now, when trying to print a full table.... with the following
> injection...:
>
>
> http://www.site.com/mod.php?id=1%27%20or%201=1--;select%20*%20from%20m
> es
> sages;--
>
> there is a Warning saying that the Connecction is busy:
>
>
> Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC

> SQL Server Driver]Connection is busy with results for another hstmt, 
> SQL state S1000 in SQLExecDirect in .........mod.php
>
> So, i think i need a way to execute the second query (mine) before the

> one that mod.php executes by itself (mod.php?id=1)
>
> What you think?
>
> ----------------------------------------------------------------------
> --
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ----------------------------------------------------------------------
> --
>
>
>
> ******* Internet Email Confidentiality ******* The information 
> contained in this message may be privileged and confidential and 
> protected from disclosure. If the reader of this message is not the 
> intended recipient, or an employee or agent responsible for delivering

> this message to the intended recipient, you are hereby notified that 
> it is strictly prohibited (a) to disseminate, distribute or copy this 
> communication or any of the information contained in it, or (b) to 
> take any action based on the information in it. If you have received 
> this communication in error, please notify us immediately by replying 
> to the message and deleting it from your computer.


--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------