SQL Injection - Strange Result



Hi, after your excellent help I am able to bypass single quotes using
char(0xXX) SQL Server functions, so you can do something like select *
from table where name = char(N,N,N,N), which is the same as select *
from table where name = 'NNNN' but without using single quotes.

Then, I was able to run stored procedures using [ and ] instead of
single quotes too.

But now, I have a problem while making the injection (a PHP
-MSSQL-2000 web app), which by the way is not being filtered by the
PHP app, and goes directly to the SQL Server.
The problem is after sending the next test:

http://www.client.com/mod.php?id=1;begin%20declare%20@q%20varchar(8000)select%20@q%20=%200x73656c65637420404076657273696f6e%20exec(@q)%20end;--

or another stored procedure like:

http://www.client.com/mod.php?id=1;exec%20sp_makewebtask%20%5Bc:\inetpub\wwwroot\sssssssss\index_olld.html%5D,%20%5Bselect%20*%20from%20TABLE%5D;--

the application responds with something like:
SQL error: [Microsoft][ODBC SQL Server Driver]Connection is busy with
results for another hstmt, SQL state S1000 in SQLExecDirect in
c:\Inetpub\wwwroot\sssssssssss

I think it's because of the first query (the one that belongs to the id=1
parameter, even though 1 results in 0 rows).
I have read a lot about SQL injection (Advanced, More, and so on), but
all of them always execute a stored procedure after a semicolon and no
one says anything about this error.

I thought of putting a delay before my stored procedure or a command to
free the database connection handler.

What do you think???

By the way, I am not able to run xp_cmdshell because of the database
user permissions; maybe I could try to elevate privileges, but the error
described above always appears.

Thanks in Advance.


--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
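From the defender's side, the two request URLs quoted in the post are exactly what a web-server log would show, and they can be triaged mechanically. The following Python is an added example, not code from the post or from the application it describes: it URL-decodes each query parameter, checks that `id` is an integer as the application expects, flags the quote-less patterns the post mentions (a second statement after `;`, a `0x` hex string literal, `char(`, `[ ]` used as string delimiters, a trailing `--`, and the named procedures), and decodes any hex literal so the analyst can read the statement it hides. The sample requests are constructed from the two URLs in the post plus one benign request; the parameter name and the indicator list are assumptions for this example.

```python
"""Triage logged request URLs for the quote-less SQL injection patterns
discussed in the post (constructed example, not the application's code)."""
import re
from urllib.parse import urlsplit, unquote

# Constructed sample log entries: the two URLs quoted in the post plus a benign one.
SAMPLE_REQUESTS = [
    "http://www.client.com/mod.php?id=1",
    "http://www.client.com/mod.php?id=1;begin%20declare%20@q%20varchar(8000)"
    "select%20@q%20=%200x73656c65637420404076657273696f6e%20exec(@q)%20end;--",
    "http://www.client.com/mod.php?id=1;exec%20sp_makewebtask%20"
    "%5Bc:\\inetpub\\wwwroot\\sssssssss\\index_olld.html%5D,%20%5Bselect%20*%20from%20TABLE%5D;--",
]

# A 0x... literal of at least four bytes; SQL Server treats it as a binary/string constant.
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2}){4,})\b", re.I)

# Indicator name -> pattern, applied to the decoded parameter value.
# Assumed list for this example; extend it to match the application's own SQL dialect.
INDICATORS = (
    ("stacked_statement",
     re.compile(r";\s*(?:begin|declare|exec(?:ute)?|select|insert|update|delete|drop|alter|create)\b", re.I)),
    ("hex_string_literal", HEX_LITERAL),
    ("char_builder", re.compile(r"\bchar\s*\(", re.I)),       # char(N,N,N) string construction
    ("bracket_string", re.compile(r"\[[^\]]+\]")),             # [ ... ] used instead of quotes
    ("comment_terminator", re.compile(r"--\s*$")),             # rest of the original query commented out
    ("known_procedure", re.compile(r"\b(?:sp_makewebtask|xp_cmdshell)\b", re.I)),
)


def decode_query(url: str) -> dict:
    """Return the query string as {name: percent-decoded value}.

    Splits on '&' only, so a ';' inside a value stays part of that value
    (older parse_qsl versions would silently split on it)."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def decode_hex_literals(text: str) -> list:
    """Decode every 0x literal to text so the hidden statement is readable."""
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(text)]


def assess(url: str, integer_params=("id",)) -> dict:
    """Return {param: {value, indicators, decoded_hex}} for every suspicious parameter.

    An empty dict means nothing in the request matched."""
    findings = {}
    for name, value in decode_query(url).items():
        hits = [label for label, pattern in INDICATORS if pattern.search(value)]
        # Type check first: the application only ever expects an integer here.
        if name in integer_params and not re.fullmatch(r"\s*-?\d+\s*", value):
            hits.insert(0, "non_integer_value")
        if hits:
            findings[name] = {
                "value": value,
                "indicators": hits,
                "decoded_hex": decode_hex_literals(value),
            }
    return findings


def scan(requests) -> list:
    """Assess a batch of logged URLs; returns (url, findings) pairs that matched."""
    return [(url, assess(url)) for url in requests if assess(url)]


if __name__ == "__main__":
    for url, findings in scan(SAMPLE_REQUESTS):
        print(url)
        for name, detail in findings.items():
            print(f"  {name}: {', '.join(detail['indicators'])}")
            for decoded in detail["decoded_hex"]:
                print(f"    hex literal decodes to: {decoded!r}")
```

The type check alone catches both requests, which is the real lesson: the PHP page should cast `id` to an integer or bind it as a parameter before building the query, and the log check above is for finding requests that reached a page which does not. Decoding the hex literal matters for the analyst because the `0x...` form carries the whole statement without a single quote, so a filter that only looks for `'` never sees it.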

