SQL injection from within a table - is it possible?

From: Peter Bair (peterbair100_at_hotmail.com)
Date: 01/07/05

    Date: 7 Jan 2005 00:59:44 -0000
    To: pen-test@securityfocus.com
    
    

    Is it possible to store an SQL injection string into an MSSQL database table, so when the database performs an action like through a stored proc, the SQL injection attack takes place?

    Not through the normal means of SQL injection via web-based means, but if you have the means of storing the data into the table directly.

    Example:
    An application has a user's name in a table. Is it possible to assign the user's name as the SQL injection string, something like
       name from table; exec master.xp_cmdshell "ping me"; --

    so when the database is running a stored procedure with a select clause like

       select name from table

    it really becomes

    select name from table; exec master.xp_cmdshell "ping me" ;-- from table

    Of course using the SQL query analyzer on the database table, all this works ok.

    But when I insert the SQL injection string into the table, as the name, and then query the table nothing happens.

    Is it possible or have I missed the point here?

    Thanks Peter.
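
The behaviour described in the post can be reproduced safely in a test database. The following is an added example, not part of the original message: it uses Python's sqlite3 module as a stand-in for MSSQL, and the table names, functions and stored value are constructed for illustration. It shows that a static SELECT returns the stored string as data, and that the string only runs as SQL when a routine concatenates it into new SQL text (the analogue of EXEC(@sql) inside a stored procedure), which a parameterized statement prevents.

```python
import sqlite3

# Constructed sample value: a "name" that carries a second, harmless statement.
STORED_NAME = "bob'); INSERT INTO audit(note) VALUES ('injected'); --"


def make_db():
    """Create an in-memory database holding the crafted name (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);"
        "CREATE TABLE audit(note TEXT);"
        "CREATE TABLE report(name TEXT);"
    )
    # Parameterized insert: the string is stored verbatim as data.
    db.execute("INSERT INTO users(name) VALUES (?)", (STORED_NAME,))
    return db


def plain_select(db):
    # Static query text: the column value comes back as a result row and is
    # never handed to the SQL parser, so nothing in it executes.
    return db.execute("SELECT name FROM users").fetchall()


def copy_dynamic(db):
    # Vulnerable pattern: the stored value is concatenated into new SQL text,
    # so the quote in the data ends the literal and the rest runs as SQL.
    for (name,) in db.execute("SELECT name FROM users").fetchall():
        db.executescript("INSERT INTO report(name) VALUES ('" + name + "');")


def copy_parameterized(db):
    # Hardened pattern: the value is bound as a parameter and stays data.
    for (name,) in db.execute("SELECT name FROM users").fetchall():
        db.execute("INSERT INTO report(name) VALUES (?)", (name,))


def audit_rows(db):
    # Number of rows written by the embedded statement, if it ever ran.
    return db.execute("SELECT COUNT(*) FROM audit").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("static select:", plain_select(db), "audit rows:", audit_rows(db))
    copy_parameterized(db)
    print("after parameterized copy, audit rows:", audit_rows(db))
    copy_dynamic(db)
    print("after dynamic copy, audit rows:", audit_rows(db))
```

When reviewing stored procedures, the places to audit are those that build a statement string from column values and pass it to a dynamic execution call; values read back from a table need the same parameter binding as values arriving from a web form.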

