RE: SQL

From: Javier Fernández-Sanguino (jfernandezat_private)
Date: Tue Nov 20 2001 - 00:41:39 PST


    You might (90% chance) have a possibility to
    
    a) alter the database
    b) execute remote commands in the SQL server
    
    This is a common error (not quoting quotes :). It is due to the SQL
    statement being executed in the IIS server (through an ODBC connection)
    simply having the information given by the user appended to it.
    
    Thus:
    
    SELECT * from test where value='$user'
    
    if user=' becomes:
    
    SELECT * from test where value='''
    
    which generates your error.
    
    However, you can do the following
    if user=test'; select * from test -- becomes:
    
    SELECT * from test where value='test'; select * from test -- '
    
    which is a valid SQL statement (two as a matter of fact) and
    if user=test'; exec master..xp_cmdshell 'dir' -- becomes:
    
    SELECT * from test where value='test'; exec master..xp_cmdshell 'dir' --
    
    
    which will run the 'dir' command in the SQL server (not in the IIS!).
    This is fun since, in some cases, the IIS server is in a DMZ and the
    SQL server is in the internal LAN or behind another firewall, like this:
    
    Internet ----- Fw -------- Fw --------- Local network
                   |           |
                  IIS      SQL server
    
    or
    
    Internet ----- Fw -------- Local network
                   |                 |
                  IIS           SQL server
    
    
    So you might be one step closer to your target!
    
    Some references (fresh from Google):
    http://www.sqlsecurity.com/faq-inj.asp
    http://www.silksoft.co.za/data/sqlinjectionattack.htm
    
    	Regards
    
    
    	Javier Fernández-Sanguino Peña
    
    > 
    > Hello all,
    > 
    > 
    > I am doing a pen test against an IIS 5 web server. The web server requires
    > a user name and password via a logon form. If a single quote character is
    > entered (username) the following error is produced:
    > 
    > [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
    > before the character string '' and password=''.
    > 
    > I remember reading somewhere that this can be used to gain further
    > access, but I can't find the info.
    > 
    > Can any one help?
    > 
    > Thanks in advance.
    > 
    > Gary
    > 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
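The two behaviours the reply contrasts, as an added example that is not part of the original message: the same inputs quoted above are fed through string concatenation (which yields exactly the SQL text shown in the reply and fails on the lone quote) and through a parameterized query, where the driver hands the input to the database as a value. SQLite is used here as a stand-in for the ODBC/SQL Server path; the table `test` and column `value` follow the reply.

```python
import sqlite3


def build_query_unsafe(user: str) -> str:
    """The pattern the reply describes: the user-supplied value is pasted
    straight into the SQL text, quotes and all."""
    return f"SELECT * from test where value='{user}'"


def lookup_unsafe(conn: sqlite3.Connection, user: str) -> list:
    """Run the concatenated text. A lone quote leaves the string literal
    unclosed, which is the 'Unclosed quotation mark' error in the question.
    (SQL Server over ODBC would also run stacked statements such as the
    '; exec ...' case; sqlite3.execute refuses more than one statement, so
    that part is not reproduced here.)"""
    return conn.execute(build_query_unsafe(user)).fetchall()


def lookup_safe(conn: sqlite3.Connection, user: str) -> list:
    """Parameterized form: the SQL text is fixed, the value travels
    separately, so "test'; select * from test -- " is compared as a string
    and never parsed as SQL."""
    return conn.execute("SELECT * FROM test WHERE value = ?", (user,)).fetchall()


def demo() -> dict:
    # Constructed in-memory table standing in for the ODBC-connected server.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (value TEXT)")
    conn.executemany("INSERT INTO test VALUES (?)", [("alice",), ("test",)])

    results = {}
    # Exactly the statement the reply shows for user=test'; select * from test --
    results["built"] = build_query_unsafe("test'; select * from test -- ")
    try:
        lookup_unsafe(conn, "'")  # user=' -> value='''  -> syntax error
        results["quote_error"] = None
    except sqlite3.OperationalError as exc:
        results["quote_error"] = str(exc)
    results["safe_quote"] = lookup_safe(conn, "'")
    results["safe_stacked"] = lookup_safe(conn, "test'; select * from test -- ")
    results["safe_plain"] = lookup_safe(conn, "test")
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```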
    



    This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 09:13:19 PST