From: One2@onetwo.com
Date: Wed Dec 13 2006 - 02:41:30 EST
I am testing a client at the moment who has a Blind SQL Injection vulnerability and am running out of techniques, so need some tips.
I injected the following string to validate that the system has an MSSQL server at the back-end.
or 1=1;select * from sysobjects;--
This returned a valid page.
Also injected the following and got a valid page, but again no data since it is completely blind.
or 1=1;select @@version;--
Replacing sysobjects, in the first example, with an invalid table returns a custom error page that doesn't disclose anything.
It seems that when injecting any invalid sql statement I get the same custom error page coming back that doesn't reveal any information.
My next step was to determine whether the DB was running as system. I tried using the following command;
or 1=1;if (select user) = 'sa' waitfor delay '0:0:5';--
... but got the error page, indicating that it didn't work - especially since it didn't take 5 seconds. I then tried simplifying it to just;
waitfor delay '0:0:5';--
... but again, the error page, indicating this command was not working. I thought it was the quotes but the following were successful;
or 1=1;select * from 'sysobjects';--
or 1=1;select * from "sysobjects";--
I then tried the following to see if I could actually run system commands;
or 1=1;exec master..xp_cmdshell dir;--
... but this got the error page again indicating unsuccessful.
Any suggestions on gaining further information or access on this system would be appreciated.
Thanks,
One2
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:27 EDT