RE: Blind SQL Injection / Stored procedures

["LAROUCHE Francois" <Francois.Larouche () accorservices com>]

Hola Andres,

> The problem is that, despite I was able to enumerate tables and columns
> (through base..syscolumns) I am not able to access any data of those
> tables.

I'm not sure what you mean by base..syscolumns as far as I am concerned it shouldn't work unless your database is 
called "base", is that so?

But in any cases, your assumption might be right about the fact that the web site discusses with the SQL server with 
stored proc. Usually what I do to see if it's the case is to try to insert a union select 1-- and look at the reaction. 
Normally if it's a stored proc, it will not like it. But again it's hard to explain it directly here, one must look at 
it and test it by himself.

So the first step to see if it's a question of rights is to look at the current user with "user". If you get back dbo, 
it means you have something wrong with your SQL statement.

> Then my problem is how can I use an stored procedure to get some data? I
> think I am able to run, but how can I do to get its results?

Now to answer your question about how to display results from a stored proc, the solution will depend if you can get 
information back or not. Considering you called your title "Blind SQL injection / Stored procedures" I would guess that 
you used that technique to succeed to get the data. If so, well I suppose you can still use my technique but it's going 
to be a long and tedious work.

So here is how I do it.

Normally every user has the rights on Pubs and Northwind database if they are still on the server that is (almost 100% 
of the times). So you can create a table there, then insert the results of the stored proc you want to use in this 
table and go read them either blindly or from the output on the web page.

Here is an example:

TRUNCATE table pubs.dbo.tmp; INSERT INTO pubs.dbo.tmp (res) EXEC MyDB..TheStoredProc

Tmp: being my created table
MyDB: being the database I want to use the stored procs
TheStoredProc: being the stored proc I want to execute
(res): is a field that is nvarchar(4000) containing my result

I truncate the table to remove previous data first

Of course, you will need to create fields in the tmp table depending of the number of your stored proc's outputs you 
have. As I said, it's tedious but I think it's the only way to display results from a stored proc. You can most 
definitely not use a union with one, I've searched and searched... (Please tell me if I'm wrong I'd love to know...)

François Larouche

______________________________________________________________________________________________________________________________
This email, the information contained within and any files transmitted with it (herein after referred as "the message")
are confidential. It is intended solely for the addressees and access to this message by any other person is not 
permitted.
If you are not the named addressee, please send it back immediately to the sender and delete it. Unauthorized 
disclosure,
publication, use, dissemination, forwarding, printing or copying of this message, either in whole or in part, is 
strictly
prohibited.
Emails are susceptible to alteration and their integrity cannot be guaranteed. Our company shall not be liable for this
message if modified or falsified.