MS SQL, find list of tables
From: Cedric Foll (cedric.foll_at_ac-rouen.fr)
Date: 09/26/05
- Previous message: Miguel Dilaj: "Password "security" - was"Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords""
- Next in thread: Cedric Foll: "Re: MS SQL, find list of tables"
- Reply: Cedric Foll: "Re: MS SQL, find list of tables"
- Reply: Ofer Maor: "RE: MS SQL, find list of tables"
- Maybe reply: BHAI JAINUDDINBHAI, TRUNKWALA KUTBUDDIN (TRUNKWALA KUTBUDDIN)** CTR **: "RE: MS SQL, find list of tables"
- Reply: Jon DeShirley: "Re: MS SQL, find list of tables"
- Reply: Bernhard Mueller: "Re: MS SQL, find list of tables"
- Maybe reply: Velasco Herrero, Jose Antonio: "RE: MS SQL, find list of tables"
- Maybe reply: LAROUCHE Francois: "RE: MS SQL, find list of tables"
Date: Mon, 26 Sep 2005 16:00:48 +0200
To: pen-test@securityfocus.com

Hi,
I'm doing a pen test on an IIS/MS SQL box and found a SQL injection on it
which permits executing some SQL commands on it.
In fact I have a "select" where I can inject an "UNION something".
I'd like to use that in order to get login/passwd in the database.
I can do:
<something.asp?page=contact' UNION SELECT * FROM users WHERE '1'='1>
But the table users doesn't exist and I failed to guess an existing
table name :(.
I've tried:
<something.asp?page=contact' UNION SELECT * FROM MSysObjects'>
but I get
----
Microsoft OLE DB Provider for ODBC Drivers error '80040e09'
[Microsoft][ODBC Microsoft Access Driver] Record(s) cannot be read; no read permission on 'MSysObjects'.
----

Does someone have an idea?

Regards

--
Cedric Foll
Security & Network Engineer
IT Division, Rectorat de Rouen

"More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk."
Bruce Schneier