RE: SQL

From: Javier Fernández-Sanguino (jfernandez@germinus.com)
Date: 11/23/01


Message-ID: <D862800CA540B6488E6D55B3677A0E8E1B632B@mailserver>
To: "Andy Miller" <Andy.Miller@insight.co.uk>, <garyo@sec-1.com>, <PEN-TEST@securityfocus.com>


> Don't you need the returned recordset to be written to the html stream in
> order to see anything useful? For instance if you are just looking at a
> login page you may not get any joy with appending extra SELECTs? We have
> just been playing with exactly this!

        Not really, it depends on the system configuration. If you can
(and you quite probably can) run 'exec master.xp_cmdshell' you can have
the queries directed to files in the Web server (if you know its
location) and retrieve them from there. You can even (check the stored
procedures for SQL Server) send you mails with the results of the
queries or with execution results! (I did this once and it was kind of fun)

        So, even if not shown inline that does not mean you cannot
retrieve any information, but you have to use alternative ways which
will work (or not) depending on the system's configuration and the
access to the perimeter.

        One easy way to determine if you are effectively executing code
is doing incremental tests:

1.- test with '
        ODBC error
2.- test with '--
        error? (depends on query)
3.- test with ',...fillin data.. ) --
        error?
(keep going until you get no errors, this, of course, is easier if you
know the code beforehand, there are many ISS vulns which will get you to
it...)
4.- test with ', ...data... ; select * from asdfadfas --
        Probable error since the table 'asdfadfas' does not exist
5.- test with ', ...data... ; select * from AVALIDSQLTABLE --
        No error since that table (take a look at default tables for SQL
server) does exist.
6.- test with ', .... data... ; exec master..xp_cmdshell 'dir',no_output --
        No error? Then you are executing code. Check the error (if there
is one) since it might say that the user running the query cannot
execute stored procedures...

Do you get the idea?

Javi
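The incremental tests above work because the application splices the request parameter straight into the SQL text, so the database's error (or lack of one) becomes an oracle. The following example is added here and is not code from the list post or from any product it mentions: it puts a concatenated login lookup beside a parameterized one and runs the post's own probe inputs through both, then scans a few constructed web-server log lines for the shapes those probes leave behind. SQLite stands in for SQL Server (so error texts differ from the ODBC messages in the post); the users table, the account 'alice' and the log lines are constructed for the demo, and `executescript` is used on the vulnerable path only because, like a SQL Server batch, it accepts several ';'-separated statements.

```python
"""Concatenated vs. parameterized SQL, plus a probe-pattern log scanner.
Added example; not part of the original list post."""
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    """Constructed in-memory database with a single user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, user TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'secret')")
    conn.commit()
    return conn


def login_concat(conn, user, password):
    """VULNERABLE: input becomes SQL text. Returns 'ok' when the database
    accepted the batch, or 'error: ...' with the database's message. This
    ok/error difference is exactly the oracle the post's steps 1-6 rely on.
    executescript (assumption: stand-in for a SQL Server batch) runs every
    ';'-separated statement, so a stacked SELECT is executed too."""
    sql = "SELECT id FROM users WHERE user = '%s' AND pass = '%s'" % (user, password)
    try:
        conn.executescript(sql)
        return "ok"
    except sqlite3.Error as exc:
        return "error: %s" % exc


def login_param(conn, user, password):
    """HARDENED: placeholders send the input as data, never as SQL text.
    A quote, a comment marker or a ';' in the input is just characters that
    must match a stored user name. Returns the user id or None."""
    row = conn.execute(
        "SELECT id FROM users WHERE user = ? AND pass = ?", (user, password)
    ).fetchone()
    return row[0] if row else None


# Shapes of the probe inputs from the post, most specific first so that
# "'dir'--" inside an xp_cmdshell call is reported as xp_cmdshell, not as a
# bare quote-and-comment probe.
PROBE_PATTERNS = [
    (re.compile(r"xp_cmdshell", re.I), "xp_cmdshell call"),
    (re.compile(r";\s*select\b", re.I), "stacked SELECT"),
    (re.compile(r"'--"), "quote-then-comment probe"),
]

# Constructed access-log lines (Apache common format, URL-encoded query).
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Nov/2001:10:15:17 +0100] "GET /login.asp?user=alice&pass=secret HTTP/1.0" 200 512',
    '10.0.0.9 - - [23/Nov/2001:10:16:02 +0100] "GET /login.asp?user=%27-- HTTP/1.0" 500 210',
    '10.0.0.9 - - [23/Nov/2001:10:16:40 +0100] "GET /login.asp?user=%27%3B+select+*+from+asdfadfas+-- HTTP/1.0" 500 233',
    '10.0.0.9 - - [23/Nov/2001:10:17:05 +0100] "GET /login.asp?user=%27%3B+exec+master..xp_cmdshell+%27dir%27-- HTTP/1.0" 200 180',
]


def flag_requests(log_lines):
    """Return (line_number, label) for each log line whose URL-decoded text
    carries one of the probe shapes. Decoding first matters: the raw log
    shows %27 rather than a quote."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        decoded = unquote_plus(line)
        for pattern, label in PROBE_PATTERNS:
            if pattern.search(decoded):
                hits.append((number, label))
                break
    return hits


if __name__ == "__main__":
    conn = make_db()
    for probe in ["'", "'--", "'; select * from asdfadfas --",
                  "'; select * from sqlite_master --"]:
        print("concat  %-40r -> %s" % (probe, login_concat(conn, probe, "")))
        print("param   %-40r -> %r" % (probe, login_param(conn, probe, "")))
    for number, label in flag_requests(SAMPLE_LOG):
        print("log line %d: %s" % (number, label))
```

Run stand-alone, the concatenated path reports an error for the lone quote and for the nonexistent table but "ok" for the comment and for the valid table, reproducing the error/no-error ladder from the post, while the parameterized path returns None for every probe and never executes the appended statement. The scanner flags lines 2, 3 and 4 of the constructed log; in practice the 500 status beside a flagged request is the second signal worth alerting on, since it is the application leaking the database error that makes the incremental method work.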

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/


