Re: MS SQL, find list of tables

From: Jon DeShirley (intrinsic_at_gmail.com)
Date: 09/28/05

  • Next message: Josh Perrymon: "RE: oracle VA/PT" 
    Date: Tue, 27 Sep 2005 20:25:52 -0700
To: Cedric Foll <cedric.foll@ac-rouen.fr>

    On 9/26/05, Cedric Foll <cedric.foll@ac-rouen.fr> wrote:

    > In fact I have a "select" where I can inject an "UNION something".
    > I'd like to use that in order to get login/passwd in the database.
    >
    > I can do:
    > <somethin.asp?page=contact' UNION SELECT * FROM users WHERE '1'='1>
    > But the table users doesn't exist and I failed to guess an existing
    > table name :(.

    You can try 'UNION ALL SELECT * FROM master.dbo.sysusers', which
    should probably work. Crack the password hashes offline with the
    tools available online (check NGSS). I assume you've already checked
    if sa has a blank password.

    If you want to dig deeper into the database, you can try scraping
    master.dbo.syscomments' text column for passwords or more dbo objects.
    If they're using stored procedures for anything, which I doubt, that
    might net you a password in the clear or another injection vector .
    For the column names and other system tables, refer to this page:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_sys-u_76ur.asp

    ------------------------------------------------------------------------------
    Audit your website security with Acunetix Web Vulnerability Scanner:

    Hackers are concentrating their efforts on attacking applications on your
    website. Up to 75% of cyber attacks are launched on shopping carts, forms,
    login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
    futile against web application hacking. Check your website for vulnerabilities
    to SQL injection, Cross site scripting and other web attacks before hackers do!
    Download Trial at:

    http://www.securityfocus.com/sponsor/pen-test_050831
    -------------------------------------------------------------------------------

  • Next message: Josh Perrymon: "RE: oracle VA/PT"

    Relevant Pages

    • RE: 3rd party vuln assesment firms
      ... > "We use the same tools hackers bring to bear against your systems. ... >> I'm looking for a firm to conduct annual 3rd party vulnerability ... Up to 75% of cyber attacks are launched on shopping ... >> your website for vulnerabilities to SQL injection, ...
      (Pen-Test)
    • RE: 3rd party vuln assesment firms
      ... > "We use the same tools hackers bring to bear against your systems. ... >> I'm looking for a firm to conduct annual 3rd party vulnerability ... Up to 75% of cyber attacks are launched on shopping ... >> your website for vulnerabilities to SQL injection, ...
      (Pen-Test)
    • RE: Penetration test of 1 IP address
      ... Before I do anything very intrusive I personally go to the website ... Also remember once you have found a vulnerability, ... Hackers are concentrating their efforts on attacking applications on ... Up to 75% of cyber attacks are launched on shopping ...
      (Pen-Test)
    • Re: Whitespace in passwords
      ... input password is alphanumeric + special characters -- chances are strong ... >> Hackers are concentrating their efforts on attacking applications on ... Up to 75% of cyber attacks are launched on shopping ... >> your website for vulnerabilities to SQL injection, ...
      (Pen-Test)
    • Re: Qualys
      ... Audit your website security with Acunetix Web Vulnerability Scanner: ... Hackers are concentrating their efforts on attacking applications on ... Up to 75% of cyber attacks are launched on shopping carts, ...
      (Pen-Test)