From: Paulo Ribeiro (lopolo_fr@yahoo.fr)
Date: Wed Dec 13 2006 - 18:02:51 EST
Hello,
Usually, when it's a blind SQL injection, as described, no information can easily be retrieved, if at all.
A few days ago, I had the same problem, so I used the sp_rename stored procedure to rename random table names (dictionary names like user, content, product, etc.) ... and it worked for a few...
When it worked, the website generated a lot of errors since part of the content was broken.
By using the same sp, I could rename the table back to its original name.
What I got from it were a few table names, some FS paths...
Paul
----- Original Message ----
From: "One2@onetwo.com" <One2@onetwo.com>
To: pen-test@securityfocus.com
Sent: Wednesday, December 13, 2006 8:41:30 AM
Subject: Blind SQL Injection Techniques
Hi All,
I am testing a client at the moment who has a Blind SQL Injection vulnerability and am running out of techniques, so need some tips.
I injected the following string to validate that the system has an MSSQL server at the back-end.
or 1=1;select * from sysobjects;--
This returned a valid page.
Also injected the following and got a valid page, but again no data since it is completely blind.
or 1=1;select @@version;--
Replacing sysobjects, in the first example, with an invalid table returns a custom error page that doesn't disclose anything.
It seems that when injecting any invalid sql statement I get the same custom error page coming back that doesn't reveal any information.
My next step was to determine whether the DB was running as system. I tried using the following command;
or 1=1;if (select user) = 'sa' waitfor delay '0:0:5';--
... but got the error page, indicating that it didn't work - especially since it didn't take 5 seconds. I then tried simplifying it to just;
waitfor delay '0:0:5';--
... but again, the error page, indicating this command was not working. I thought it was the quotes but the following were successful;
or 1=1;select * from 'sysobjects';--
or 1=1;select * from "sysobjects";--
I then tried the following to see if I could actually run system commands;
or 1=1;exec master..xp_cmdshell dir;--
... but this got the error page again indicating unsuccessful.
Any suggestions on gaining further information or access on this system would be appreciated.
Thanks,
One2
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
____________________________________________________________________________________
Do you Yahoo!?
Everyone is raving about the all-new Yahoo! Mail beta.
http://new.mail.yahoo.com
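Added here as a defensive illustration, not part of the original thread: a small Python scan over constructed access-log lines that flags the MSSQL constructs the thread walks through (stacked queries against sysobjects, @@version, waitfor delay, sp_rename, xp_cmdshell) and, for waitfor delay, cross-checks the request latency so a probe that actually slept stands out. The log format (method, path, status, latency in ms) and the 3-second threshold are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the thread): method, path, status, latency in ms.
SAMPLE_LOG = """\
GET /product.asp?id=12 200 38
GET /product.asp?id=12'%20or%201%3D1%3Bselect%20*%20from%20sysobjects%3B-- 200 41
GET /product.asp?id=12'%3Bwaitfor%20delay%20'0:0:5'%3B-- 500 5012
GET /product.asp?id=12'%3Bexec%20master..xp_cmdshell%20dir%3B-- 500 44
GET /product.asp?id=12'%3Bexec%20sp_rename%20'users','users_x'%3B-- 500 40
GET /search.asp?q=waiting%20for%20delayed%20delivery 200 35
"""

# Patterns for the MSSQL constructs discussed in the thread. Word boundaries keep
# ordinary prose such as "waiting for delayed" from matching.
PATTERNS = {
    "stacked_catalog_query": re.compile(r";\s*select\b.*\bfrom\s+['\"]?sysobjects\b", re.I),
    "time_delay": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "sp_rename": re.compile(r"\bsp_rename\b", re.I),
    "version_probe": re.compile(r"@@version\b", re.I),
}

def classify_request(path: str, latency_ms: int, delay_threshold_ms: int = 3000) -> list[str]:
    """Return the indicator names that fire for one URL-decoded request path."""
    decoded = unquote_plus(path)
    hits = [name for name, rx in PATTERNS.items() if rx.search(decoded)]
    # A WAITFOR payload whose request also took seconds means the time-based
    # blind probe from the thread actually executed; flag that separately.
    if "time_delay" in hits and latency_ms >= delay_threshold_ms:
        hits.append("delay_confirmed")
    return hits

def scan_log(text: str) -> dict[int, list[str]]:
    """Map 1-based line number -> indicators for every log line that matches something."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _method, path, _status, latency = parts
        hits = classify_request(path, int(latency))
        if hits:
            findings[lineno] = hits
    return findings

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(hits)}")
```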
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:27 EDT