Re: SQL Injection- Bypassing magic_quotes

[Danux <danuxx () gmail com>]

Excellent Gary, the SQL Version was printed,

Because i was trying to execute:
' union select @@version,1,1,1-- (url encoded obviously).

But without success..!!

Well, let me check your excellent tool and thanks for that, but i
think the problem and issue of the thread is about single quotes so,
if i try to use the WHERE CLAUSE it will be filtered by the PHP app.

On 10/11/07, Gary Oleary-Steele <garyo () sec-1 com> wrote:
> Sorry, I haven't read the thread. However If you want to extract data
> from a table I use the following syntax.
>
> %27or%201%20in%20(SQL HERE)--
>
> Note: I actually use more complex syntax to get round some data type
> issues.
>
> Don't terminate the query (i.e. don't use semi colons) and you most
> probably wont be able to select more than one result at a time. You
> could try my script to do it for you;
>
> Http://www.sec-1labs.co.uk/tools/sasi.zip
>
> Or try something like bobcat or one of the other SQL injection tools out
> there.
>
> To see if its going to work, try this
>
> http://www.site.com/mod.php?id=1%27%20or%201%20in%20(@@Version)--
>
> If that displays the SQL server version within the error then you should
> be away.
>
> But your going to need to select each row and column at a time. For
> example if you were going for a table called users and that table had a
> username and password column. You could do;
>
> http://www.site.com/mod.php?id=1%27%20or%201%20in%20(select%20top%201%20
> username%2b%27%20%27%2bpassword%20from%20users)--
>
> Then you would need to use are where clause to move down the table.
>
> Sorry if I've missed something, I haven't read the thread (in a rush)
>
> Thanks
> Gary
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Danux
> Sent: 11 October 2007 02:00
> To: pen-test () securityfocus com
> Subject: Re: SQL Injection- Bypassing magic_quotes
>
> Good Leo, but sadly i have already taken those steps, the backend is a
> SQL Server 2005 so xp_cmdshell and others are disabled.  I only want
> to print a confidential table in order to show up that its important
> to fix it.
>
> I think, the MSSQL connection handler is executed by the first mod.php
> query so when trying to execute the second one it says the handlers is
> already used, so ... i need a way to execute a second query through
> the first one... with union or something like that or as Geoff said, a
> way to stop executing the first query(mod.php) so that the connection
> handler is not used and can execute the second one of mine (sql
> injection).
>
> What you think?
>
> On 10/10/07, Walsh, Leo <Leo_Walsh () jeffersonwells com> wrote:
> > I would try a couple of things, if you haven't already.
> >
> > 1) If you aren't actually interested in the results that are obtained
> > from the query performed by mod.php then skip it. Your 1=1 selection
> > criteria might be eating up too much time. From the looks of your
> query
> > string it seems that can you bypass whatever filtering they are doing
> > without using 1=1.
> >
> > 2) Try selecting something much smaller than the entire messages
> table.
> > This is a table that might be quite large. Try selecting a single row
> or
> > message where date > somedate (which you may have to convert to a
> binary
> > value, by the way. If you know another table name then try that.
> >
> > 3) Try using a SQL Injection tool to gain sa access. Depending on the
> > purpose of your investigation gaining sa should be enough to
> demonstrate
> > a severe vulnerability that should be mitigated immediately.
> >
> >
> > -Leo Walsh, GSNA
> > Jefferson Wells International
> > 816-627-4222 (office)
> > 913-484-8051 (cell)
> >
> > -----Original Message-----
> > From: listbounce () securityfocus com
> [mailto:listbounce () securityfocus com]
> > On Behalf Of Danux
> > Sent: Tuesday, October 09, 2007 7:25 PM
> > To: pen-test () securityfocus com
> > Subject: Re: SQL Injection- Bypassing magic_quotes
> >
> > Hi, well, after taking some examples from you (thanks in advance), i
> am
> > able to bypass single quotes son i can inject something simple as:
> >
> > http://www.site.com/mod.php?id=1%27%20or%201=1--
> >
> > But now, when trying to print a full table.... with the following
> > injection...:
> http://www.site.com/mod.php?id=1%27%20or%201=1--;select%20*%20from%20mes
> > sages;--
> >
> > there is a Warning saying that the Connecction is busy:
> >
> >
> > Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC
> > SQL Server Driver]Connection is busy with results for another hstmt,
> SQL
> > state S1000 in SQLExecDirect in .........mod.php
> >
> > So, i think i need a way to execute the second query (mine) before the
> > one that mod.php executes by itself (mod.php?id=1)
> >
> > What you think?
> ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> >
> > http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
> > ******* Internet Email Confidentiality ******* The information
> > contained in this message may be privileged and confidential and
> > protected from disclosure. If the reader of this message is not the
> > intended recipient, or an employee or agent responsible for
> > delivering this message to the intended recipient, you are hereby
> > notified that it is strictly prohibited (a) to disseminate,
> > distribute or copy this communication or any of the information
> > contained in it, or (b) to take any action based on the information
> > in it. If you have received this communication in error, please
> > notify us immediately by replying to the message and deleting it
> > from your computer.
>
>
> --
> Danux, CISSP
> Chief Information Security Officer
> Macula Security Consulting Group
> www.macula-group.com
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>
>
> Sec-1 specialises in the provision of network security solutions.
> For more information on products and services we offer visit
> www.sec-1.com
> or call
> 0113 257 8955.


-- 
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------