Don't you need the returned recordset to be written to the html stream in order to see anything useful? For instance if you are just looking at a login page you may not get any joy with appending extra SELECTs? We have just been playing with exactly this! Andrew Miller Technical Research Consultant Insight Consulting Limited Tel. (44) 01932 241000 Fax. (44) 01932 236854 Andy.millerat_private www.insight.co.uk -----Original Message----- From: Javier Fernández-Sanguino [mailto:jfernandezat_private] Sent: 20 November 2001 08:42 To: garyo@sec-1.com; PEN-TESTat_private Subject: RE: SQL You migh (90% chance) have a possibility to a) alter the database b) execute remote commands in the SQL server This is a common error (not quoting quotes :), this is due to the SQL statement being executed in the ISS server (through an ODBC connection) is just added the information given by the user. Thus: SELECT * from test where value='$user' if user=' becomes: SELECT * from test where value=''' which generates your error. However, you can do the following if user=test'; select * from test -- becomes: SELECT * from test where value='test'; select * from test -- ' which is a valid SQL statement (two as a matter of fact) and if user=test'; exec master..xp_cmdshell 'dir' -- becomes: SELECT * from test where value='test'; exec master..xp_cmdshell 'dir' -- which will run the 'dir' command in the SQL server (not in the IIS!) This is fun since, in some cases, the ISS server is in a DMZ and the SQL server is in the internal lan or through another firewall like this: Internet ----- Fw -------- Fw --------- Local network | | IIS SQL server or Internet ----- Fw -------- Local network | | IIS SQL server So you might be one step closer to your target ! Some references (fresh out from google): http://www.sqlsecurity.com/faq-inj.asp http://www.silksoft.co.za/data/sqlinjectionattack.htm Regards Javier Fernández-Sanguino Peña > > Hello all, > > > I am doing a pen test against a IIS 5 web server. The web > server requires a > user name and password via a logon form. if a single quote > character is > entered (username)the following error is produced > > [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark > before the character string '' and password=''. > > I remember reading somewhere that this can be used to gain > further access? > but i cant find the info. > > Can any one help? > > Thanks in advance. > > Gary > > > -------------------------------------------------------------- > -------------- > This list is provided by the SecurityFocus Security > Intelligence Alert (SIA) > Service. For more information on SecurityFocus' SIA service which > automatically alerts you to the latest security > vulnerabilities please see: > https://alerts.securityfocus.com/ > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ _____________________________________________________________________ This message has been checked for all known viruses by bluesource. For further information visit www.blue-source.com powered by Messagelabs ------------Insight Consulting Limited-------------------------------- Insight Consulting Limited is a leading specialist provider of independent services in all aspects of information and communications security, business continuity and risk management from consultancy, implementation, testing and training to recruitment, research and outsourcing. ---------------------Disclaimer---------------------------------------- Internet communications are not secure and therefore Insight Consulting Limited does not accept legal responsibility for the contents of this message. Any views or opinions presented are solely those of the author and do not necessarily represent those of Insight Consulting Limited unless otherwise specifically stated. If this message is received by anyone other than the addressee, please notify the sender and then delete the message and any attachments from your computer. ----------------------------------------------------------------------- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Wed Nov 21 2001 - 09:41:51 PST