Hello, I hope somebody can help me :-) Let's suppose the following scenario: a web app running on IIS. The app is written in ASP and has a search.asp script, which is not checked/secured against SQL injection. All data is stored in an updated SQL Server 2000 SP3. The search script is using a very limited SQL non-priviledged user so although you can inject SQL sentencies, in practice you can perform write operations such as insert, update, drop, etc. Indeed, select permission is only granted in a few tables. Stored procedures seems also protected (you cannot execute them). You can do "select" on some system tables, nothing more. The goal is to elevate priviledges. How would you achieve this? I'm not a SQL Server expert at all, so perhaps you have any ideas to share with me. I've thought of bruteforcing any of the SQL users (like "sa"), but: - do you think it could be a good idea? Which maximum length of password would be reasonable or candidate to be broken in such a way? - is it possible to run a SQL script through vulnerable .asp using SQL injection, to perform the bruteforce attack? (I think such way is the only valid one, to get an aceptable cracking speed) - in that case, could you provide some test code for it? Any other ideas are greatly welcome. Thanks in advance. Regards, --Roman -- PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742 [Key ID: 0xEAD56742. Available at KeyServ] ---------------------------------------------------------------------------- Do you know the base address of the Global Offset Table (GOT) on a Solaris 8 box? CORE IMPACT does. www.securityfocus.com/core
This archive was generated by hypermail 2b30 : Wed Feb 19 2003 - 13:38:30 PST