Penetration Testing mailing list archives
Re: SQL Injection- Bypassing magic_quotes
From: Danux <danuxx () gmail com>
Date: Thu, 11 Oct 2007 12:32:29 -0500
Excellent Gary, the SQL Version was printed, Because i was trying to execute: ' union select @@version,1,1,1-- (url encoded obviously). But without success..!! Well, let me check your excellent tool and thanks for that, but i think the problem and issue of the thread is about single quotes so, if i try to use the WHERE CLAUSE it will be filtered by the PHP app. On 10/11/07, Gary Oleary-Steele <garyo () sec-1 com> wrote:
Sorry, I haven't read the thread. However If you want to extract data from a table I use the following syntax. %27or%201%20in%20(SQL HERE)-- Note: I actually use more complex syntax to get round some data type issues. Don't terminate the query (i.e. don't use semi colons) and you most probably wont be able to select more than one result at a time. You could try my script to do it for you; Http://www.sec-1labs.co.uk/tools/sasi.zip Or try something like bobcat or one of the other SQL injection tools out there. To see if its going to work, try this http://www.site.com/mod.php?id=1%27%20or%201%20in%20(@@Version)-- If that displays the SQL server version within the error then you should be away. But your going to need to select each row and column at a time. For example if you were going for a table called users and that table had a username and password column. You could do; http://www.site.com/mod.php?id=1%27%20or%201%20in%20(select%20top%201%20 username%2b%27%20%27%2bpassword%20from%20users)-- Then you would need to use are where clause to move down the table. Sorry if I've missed something, I haven't read the thread (in a rush) Thanks Gary -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Danux Sent: 11 October 2007 02:00 To: pen-test () securityfocus com Subject: Re: SQL Injection- Bypassing magic_quotes Good Leo, but sadly i have already taken those steps, the backend is a SQL Server 2005 so xp_cmdshell and others are disabled. I only want to print a confidential table in order to show up that its important to fix it. I think, the MSSQL connection handler is executed by the first mod.php query so when trying to execute the second one it says the handlers is already used, so ... i need a way to execute a second query through the first one... with union or something like that or as Geoff said, a way to stop executing the first query(mod.php) so that the connection handler is not used and can execute the second one of mine (sql injection). What you think? On 10/10/07, Walsh, Leo <Leo_Walsh () jeffersonwells com> wrote:I would try a couple of things, if you haven't already. 1) If you aren't actually interested in the results that are obtained from the query performed by mod.php then skip it. Your 1=1 selection criteria might be eating up too much time. From the looks of yourquerystring it seems that can you bypass whatever filtering they are doing without using 1=1. 2) Try selecting something much smaller than the entire messagestable.This is a table that might be quite large. Try selecting a single rowormessage where date > somedate (which you may have to convert to abinaryvalue, by the way. If you know another table name then try that. 3) Try using a SQL Injection tool to gain sa access. Depending on the purpose of your investigation gaining sa should be enough todemonstratea severe vulnerability that should be mitigated immediately. -Leo Walsh, GSNA Jefferson Wells International 816-627-4222 (office) 913-484-8051 (cell) -----Original Message----- From: listbounce () securityfocus com[mailto:listbounce () securityfocus com]On Behalf Of Danux Sent: Tuesday, October 09, 2007 7:25 PM To: pen-test () securityfocus com Subject: Re: SQL Injection- Bypassing magic_quotes Hi, well, after taking some examples from you (thanks in advance), iamable to bypass single quotes son i can inject something simple as: http://www.site.com/mod.php?id=1%27%20or%201=1-- But now, when trying to print a full table.... with the following injection...:http://www.site.com/mod.php?id=1%27%20or%201=1--;select%20*%20from%20messages;-- there is a Warning saying that the Connecction is busy: Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC SQL Server Driver]Connection is busy with results for another hstmt,SQLstate S1000 in SQLExecDirect in .........mod.php So, i think i need a way to execute the second query (mine) before the one that mod.php executes by itself (mod.php?id=1) What you think?------------------------------------------------------------------------This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads------------------------------------------------------------------------******* Internet Email Confidentiality ******* The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that it is strictly prohibited (a) to disseminate, distribute or copy this communication or any of the information contained in it, or (b) to take any action based on the information in it. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.-- Danux, CISSP Chief Information Security Officer Macula Security Consulting Group www.macula-group.com ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------ Sec-1 specialises in the provision of network security solutions. For more information on products and services we offer visit www.sec-1.com or call 0113 257 8955.
-- Danux, CISSP Chief Information Security Officer Macula Security Consulting Group www.macula-group.com ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- SQL Injection- Bypassing magic_quotes Danux (Oct 03)
- Message not available
- Re: SQL Injection- Bypassing magic_quotes Danux (Oct 09)
- Message not available
- <Possible follow-ups>
- RE: SQL Injection- Bypassing magic_quotes Andrew Court (Oct 04)
- Re: SQL Injection- Bypassing magic_quotes Jorge Hoya (Oct 05)
- Re: SQL Injection- Bypassing magic_quotes Danux (Oct 09)
- Re: SQL Injection- Bypassing magic_quotes Jorge Hoya (Oct 05)
- Re: SQL Injection- Bypassing magic_quotes Danux (Oct 10)
- RE: SQL Injection- Bypassing magic_quotes Walsh, Leo (Oct 11)
- Re: SQL Injection- Bypassing magic_quotes Danux (Oct 11)
- RE: SQL Injection- Bypassing magic_quotes Gary Oleary-Steele (Oct 12)