Re: SQL Injection - retrieving all rows

From: Kirk Schafer (jogglieat_private)
Date: Wed Mar 20 2002 - 13:44:23 PST

    Mel -
    
    I was going to post code, but I figure I don't really know what you're doing so I'll just be helpful enough to tell you to figure it out. Besides, I don't know what you're using.
    
    Since I haven't seen any other posts, I'm going to speak from what I have access to - MS SQL Server. This isn't the only way, but I guarantee it works. Injection: Declare some variables, set a seed (recnum?) variable, then loop until the seed comes up NULL (or some other stop). Inside the loop, select the next seed value, and also the username/password pairs. Append them to a declared variable with embedded characters (such as tabs). Pay attention to max string lengths - you may have to make several queries to get all the way through. At the very end, select the "concatenation variable" as your one select line and you have everything you need in one concatenated/delimited string. Parse this in your output routine, and you're done.
    
    Of course, since you're injecting fairly complicated script, and you may truncate your injection, why not just keep all of your variables outside, where you have more control, and seed a single ASP injection from there (select top 1 * ... where name/recnum > injectvalue)...then update your seed and have another go? I know this is exactly what you said you'd rather avoid doing, but neither approach (being essentially identical) should take more than 30 minutes, given an angelic setup. The best thing is, it's reusable if you write it right. I don't know how you feel about this, because I'm not exactly a pen-tester, but I sure know how to get into things, and sure don't think this should present you too much of a challenge. Since your problem might be related to CR/LF's in the output, scripting it is probably faster-to-market than poking around for that magic bullet. Unless, of course, someone has one sitting around somewhere.
    
    Cheers,
    Kirk
    
    
    ---- Original Message ----
    From:		mel
    Date:		Wed 3/20/02 13:52
    To:		pen-testat_private
    Subject:	SQL Injection - retrieving all rows
    
    Hi,
    
    I've been able to enumerate over 50 plus tables in a recent pen-test,
    now comes the hard part - I want to dump data from the most important
    table that contains user names and passwords. However, the ASP app
    that I exploit only returns one row at a time. Is there any way to
    overcome this?
    
    I've been looking for apps that return multiple rows (such as search, etc.)
    but to no avail. I've tried dumping ASP code using BULK INSERT, but
    the command is only available for the system account. Creating a stored
    procedure does not seem to work as well :(
    
    Now, I'm thinking of writing a script that dumps the data one at a time,
    but I would like advice from fellow pen-testers first.
    
    Cheers,
    
    --mel
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Thu Mar 21 2002 - 08:45:21 PST