Re: Executing PHP Code from MSSQL table

From: Robin Wood (dninja@gmail.com)
Date: Thu Oct 18 2007 - 07:37:03 EDT

• Next message: jfvanmeter@comcast.net: "RE: Directory Transversal"
• Previous message: Brett Cunningham: "Re: Thanks Alex and Jond -- metasploit and proxyport"
• In reply to: Danux: "Executing PHP Code from MSSQL table"
• Next in thread: Danux: "Re: Executing PHP Code from MSSQL table"
• Reply: Danux: "Re: Executing PHP Code from MSSQL table"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Getting away from code execution but have you tried directory
traversal with this attack. If the image filename comes out of the db
and you can control that db table then you could try putting php
script names in instead. From that you could get some of the site
source and then look for a way to execute your code.

Robin

On 16/10/2007, Danux <danuxx@gmail.com> wrote:
> Hi, after testing a PHP-MSSQL app, i am able to insert and update
> tables but i can't execute store_procedures, so, i was wondering if
> its possible to update a table putting something like: "phpinfo()" or
> (passthru("ipconfig")) in order to execute while loading the page?
>
> I mean:
>
> inside the html page the images are taken from database so... in a
> black box perspective a think is something like: <img src=$img> and i
> know where is the table which reads this image name, then i can update
> the table and instead of read something like $img = picture.gif, reads
> some thing like "phpinfo();". but as you know this is only a string,
> even though if i update the table with: eval("phpinfo();") its also a
> string .... so it dont get executed!!
>
> So, i would like you help me, what can i do if i am able to insert,
> create and update tables but unable to run store procedures, or bulk
> or bcp!!!!!
>
> Thanks!!!
>
> --
> Danux, CISSP
> Chief Information Security Officer
> Macula Security Consulting Group
> www.macula-group.com
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: jfvanmeter@comcast.net: "RE: Directory Transversal"
• Previous message: Brett Cunningham: "Re: Thanks Alex and Jond -- metasploit and proxyport"
• In reply to: Danux: "Executing PHP Code from MSSQL table"
• Next in thread: Danux: "Re: Executing PHP Code from MSSQL table"
• Reply: Danux: "Re: Executing PHP Code from MSSQL table"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:10 EDT