Re: SQL Injection- Bypassing magic_quotes
- From: Danux <danuxx@xxxxxxxxx>
- Date: Thu, 11 Oct 2007 12:32:29 -0500
Excellent Gary, the SQL version was printed,
because I was trying to execute:
' union select @@version,1,1,1-- (url encoded obviously).
But without success..!!
Well, let me check your excellent tool and thanks for that, but I
think the problem and issue of the thread is about single quotes so,
if I try to use the WHERE clause it will be filtered by the PHP app.
On 10/11/07, Gary Oleary-Steele <garyo@xxxxxxxxx> wrote:
Sorry, I haven't read the thread. However, if you want to extract data
from a table I use the following syntax.
%27or%201%20in%20(SQL HERE)--
Note: I actually use more complex syntax to get round some data type
issues.
Don't terminate the query (i.e. don't use semicolons) and you most
probably won't be able to select more than one result at a time. You
could try my script to do it for you:
Http://www.sec-1labs.co.uk/tools/sasi.zip
Or try something like bobcat or one of the other SQL injection tools out
there.
To see if it's going to work, try this:
http://www.site.com/mod.php?id=1%27%20or%201%20in%20(@@Version)--
If that displays the SQL server version within the error then you should
be away.
But you're going to need to select each row and column at a time. For
example, if you were going for a table called users and that table had a
username and password column, you could do:
http://www.site.com/mod.php?id=1%27%20or%201%20in%20(select%20top%201%20username%2b%27%20%27%2bpassword%20from%20users)--
Then you would need to use a where clause to move down the table.
Sorry if I've missed something, I haven't read the thread (in a rush).
Thanks
Gary
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Danux
Sent: 11 October 2007 02:00
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: SQL Injection- Bypassing magic_quotes
Good Leo, but sadly I have already taken those steps, the backend is a
SQL Server 2005 so xp_cmdshell and others are disabled. I only want
to print a confidential table in order to show up that it's important
to fix it.
I think the MSSQL connection handler is executed by the first mod.php
query so when trying to execute the second one it says the handler is
already used, so ... I need a way to execute a second query through
the first one... with union or something like that or, as Geoff said, a
way to stop executing the first query (mod.php) so that the connection
handler is not used and can execute the second one of mine (sql
injection).
What do you think?
On 10/10/07, Walsh, Leo <Leo_Walsh@xxxxxxxxxxxxxxxxxx> wrote:
I would try a couple of things, if you haven't already.
1) If you aren't actually interested in the results that are obtained
from the query performed by mod.php then skip it. Your 1=1 selection
criteria might be eating up too much time. From the looks of your
string it seems that you can bypass whatever filtering they are doing
without using 1=1.
2) Try selecting something much smaller than the entire messages table.
This is a table that might be quite large. Try selecting a single row or
message where date > somedate (which you may have to convert to a binary
value, by the way). If you know another table name then try that.
3) Try using a SQL Injection tool to gain sa access. Depending on the
purpose of your investigation gaining sa should be enough to demonstrate
a severe vulnerability that should be mitigated immediately.
-Leo Walsh, GSNA
Jefferson Wells International
816-627-4222 (office)
913-484-8051 (cell)
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Danuxam
Sent: Tuesday, October 09, 2007 7:25 PM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: SQL Injection- Bypassing magic_quotes
Hi, well, after taking some examples from you (thanks in advance), I was
able to bypass single quotes so I can inject something simple as:
http://www.site.com/mod.php?id=1%27%20or%201=1--
But now, when trying to print a full table.... with the following SQL
injection...:
http://www.site.com/mod.php?id=1%27%20or%201=1--;select%20*%20from%20messages;--
there is a Warning saying that the Connection is busy:
Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC
SQL Server Driver]Connection is busy with results for another hstmt,
state S1000 in SQLExecDirect in .........mod.php
So, I think I need a way to execute the second query (mine) before the
one that mod.php executes by itself (mod.php?id=1)
What do you think?
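As an added example (not code from the thread or from any of its participants), a small Python scanner that URL-decodes request lines from a constructed access log and flags the payload shapes discussed above: the `' or 1 in (...)` error-based probe, `@@version`, stacked `;select` queries and trailing `--` terminators. The log lines, rule names and regexes are assumptions for illustration; a real deployment would tune them against the application's own traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original thread); the
# request targets mirror the payload shapes quoted in the discussion.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Oct/2007:12:32:29 -0500] "GET /mod.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [11/Oct/2007:12:32:41 -0500] "GET /mod.php?id=1%27%20or%201%20in%20(@@Version)-- HTTP/1.1" 500 1024
10.0.0.5 - - [11/Oct/2007:12:33:02 -0500] "GET /mod.php?id=1%27%20or%201%20in%20(select%20top%201%20username%2b%27%20%27%2bpassword%20from%20users)-- HTTP/1.1" 500 1100
10.0.0.9 - - [11/Oct/2007:12:35:10 -0500] "GET /mod.php?id=1%27%20or%201=1--;select%20*%20from%20messages;-- HTTP/1.1" 200 2048
10.0.0.7 - - [11/Oct/2007:12:36:00 -0500] "GET /search.php?q=o%27reilly HTTP/1.1" 200 300
"""

# Common-log-format request line: client ip, timestamp, request target, status.
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})'
)

# Hypothetical rule set, applied to the URL-decoded, lower-cased query string.
RULES = [
    ("error_based_in_clause", re.compile(r"'\s*or\s+1\s+in\s*\(")),
    ("version_probe", re.compile(r"@@version")),
    ("union_select", re.compile(r"union\s+select")),
    ("stacked_query", re.compile(r";\s*(select|insert|update|delete|exec)\b")),
    ("comment_terminator", re.compile(r"--\s*$")),
]


def decode_query(target: str) -> str:
    """Return the URL-decoded query string of a request target, lower-cased.

    Decoding first matters: %27 hides the quote and %2b hides the + that
    builds the username+' '+password concatenation from the thread.
    """
    _, _, query = target.partition("?")
    return unquote_plus(query).lower()


def scan_log(text: str) -> list:
    """Return (client_ip, status, [rule names]) for every line tripping a rule."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed request records
        ip, _ts, target, status = m.groups()
        matched = [name for name, rx in RULES if rx.search(decode_query(target))]
        if matched:
            hits.append((ip, int(status), matched))
    return hits
```

A 500 status on a flagged request is a useful corroborating signal here, since the error-based technique relies on the database error being rendered back to the client.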
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com