RE: SQL Injection - retrieving all rows

From: Athanasios Vamvakas (zakmosm@hotmail.com)
Date: 03/21/02

Previous message: Kirk Schafer: "Re: SQL Injection - retrieving all rows"
Maybe in reply to: mel: "SQL Injection - retrieving all rows"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Athanasios Vamvakas" <zakmosm@hotmail.com>
To: pen-test@securityfocus.com
Date: Thu, 21 Mar 2002 21:00:06 +0200

Hello friends,

If you can GET responses from a SQL database just invoke the ASP page many
times and record the data.
This will work as long as they don't keep connection information e.g. in
their Global.asa file.
If this happens you must be careful to release connections so you don't
overcome their conn limit.
I guess it is a trade-off but you can prove the point to them. Even if you
can get hold of one Uname-Pass that will scare their pants off.

Good Luck.

P.S. It is always nice to see RHBNC graduates Zacharia.

T.V.

>From: "Zacharias Pigadas" <zpig@space.gr>
>To: "mel" <meling@scan-associates.net>
>CC: <pen-test@securityfocus.com>
>Subject: RE: SQL Injection - retrieving all rows
>Date: Thu, 21 Mar 2002 09:04:18 +0200
>
>Hello,
>
>I will have to disappoint you but in that case you have to run multiple
>queries as follows:
>
>Suppose this is your SQL injection string:
>SELECT field1, field2 FROM table where 1=1 : This will return you the first
>row in the table say value1, value2
>
>Second query will be something like that:
>
>SELECT field1, field2 FROM table where 1=1 AND (((field1 NOT IN (value1))
>AND (field2 NOT IN (value2))): This will return you the second row in the
>table say value21, value22
>
>third query:
>SELECT field1, field2 FROM table where 1=1 AND (((field1 NOT IN
>(value1,value21)) AND (field2 NOT IN (value2,value22))): This will return
>you the second row in the table say value31, value32
>
>Well you get the idea....
>
>This can be scripted...
>
>
>Zach
>
>
>
>
>
> > -----Original Message-----
> > From: mel [mailto:meling@scan-associates.net]
> > Sent: Wednesday, March 20, 2002 1:25 PM
> > To: pen-test@securityfocus.com
> > Subject: SQL Injection - retrieving all rows
> >
> >
> > Hi,
> >
> > I've been able to enumerate over 50 plus tables in a recent pen-test,
> > now come the hard part - I want to dump data from the most important
> > table that contains user names and passwords. However, the ASP app
> > that I exploit only returns one row at a time. Is there anyway to
> > overcome this?
> >
> > I've been looking for apps that return multiple rows (such as
>search,etc)
> > but to know avail. I've tried dumping asp codes using BULK INSERT, but
> > the command is only available for system account. Creating an stored
> > procedure does not seem to work as well :(
> >
> > Now, I'm thinking of writing a script that dump the data one at a time,
> > but I would like the advice from fellow pen-testers first.
> >
> > Cheers,
> >
> > --mel
> >
> > ------------------------------------------------------------------
> > ----------
> > This list is provided by the SecurityFocus Security Intelligence
> > Alert (SIA)
> > Service. For more information on SecurityFocus' SIA service which
> > automatically alerts you to the latest security vulnerabilities
> > please see:
> > https://alerts.securityfocus.com/
> >
> >
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus Security Intelligence Alert
>(SIA)
>Service. For more information on SecurityFocus' SIA service which
>automatically alerts you to the latest security vulnerabilities please see:
>https://alerts.securityfocus.com/
>

_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail.
http://www.hotmail.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Previous message: Kirk Schafer: "Re: SQL Injection - retrieving all rows"
Maybe in reply to: mel: "SQL Injection - retrieving all rows"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: Password HTML form bruteforce
... print Positive Authentication with Login: ACCOUNT, ... >> This list is provided by the SecurityFocus Security Intelligence ... For more information on SecurityFocus' SIA service which ... automatically alerts you to the latest security vulnerabilities please see: ...
(Pen-Test)
Re: Problems on the DOS-Prompt
... >Is there a list of all availible commands that can be used on nt and 2k ... >>> This list is provided by the SecurityFocus Security Intelligence ... For more information on SecurityFocus' SIA service which ... >>> automatically alerts you to the latest security vulnerabilities ...
(Pen-Test)
RE: How to aggregate output of NMAP
... > This list is provided by the SecurityFocus Security Intelligence ... For more information on SecurityFocus' SIA service which ... automatically alerts you to the latest security vulnerabilities please see: ...
(Pen-Test)
RE: SQL Injection - retrieving all rows
... Suppose this is your SQL injection string: ... > This list is provided by the SecurityFocus Security Intelligence ... For more information on SecurityFocus' SIA service which ... automatically alerts you to the latest security vulnerabilities please see: ...
(Pen-Test)
Re: Training Lab Question
... User Mode Linux might be a good alternative to VMWare, ... >> This list is provided by the SecurityFocus Security Intelligence ... For more information on SecurityFocus' SIA service which ... > automatically alerts you to the latest security vulnerabilities please see: ...
(Pen-Test)