SQL Injection - Strange Result

From: Danux (danuxx@gmail.com)
Date: Thu Oct 18 2007 - 19:38:48 EDT


Hi, after your excellent help I am able to bypass single quotes using the
char(0xXX) SQL Server function, so you can do something like select *
from table where name = char(N,N,N,N), which is the same as select *
from table where name = 'NNNN' but without using single quotes.

Then, I was able to run stored procedures using [ and ] instead of
single quotes too.

But now I have a problem while making the injection (a PHP /
MSSQL 2000 web app), which, by the way, is not being filtered by the
PHP app and goes directly to the SQL Server.
The problem is that after sending the following test:

http://www.client.com/mod.php?id=1;begin%20declare%20@q%20varchar(8000)select%20@q%20=%200x73656c65637420404076657273696f6e%20exec(@q)%20end;--

or another stored procedure like:

http://www.client.com/mod.php?id=1;exec%20sp_makewebtask%20%5Bc:\inetpub\wwwroot\sssssssss\index_olld.html%5D,%20%5Bselect%20*%20from%20TABLE%5D;--

the application responds with something like:
SQL error: [Microsoft][ODBC SQL Server Driver]Connection is busy with
results for another hstmt, SQL state S1000 in SQLExecDirect in
c:\Inetpub\wwwroot\sssssssssss

I think it's because of the first query (the one that belongs to the id=1
parameter, even though 1 results in 0 rows).
I have read a lot about SQL injection (Advanced, More, and so on), but
all of them always execute a stored procedure after a semicolon and no
one says anything about this error.

I thought of putting a delay before my stored procedure, or a command to
free the database connection handler.

What do you think???

By the way, I am not able to run xp_cmdshell because of the database
user permissions; maybe I could try to elevate privileges, but the error
described above always appears.

Thanks in Advance.

-- 
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
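Added defensive example, not part of Danux's post or of any project: a small Python triage script that decodes the request shapes quoted above (statements stacked after ';', dynamic SQL hidden in 0x hex literals, strings built with char(), the stored procedures named in the post) from web-server log lines, so a defender can see what such a request would actually run. The log lines are constructed; the URLs are the ones quoted in the post with the directory name shortened.

```python
# Defensive triage for the MSSQL injection request shapes quoted in the post: stacked
# statements after ';', dynamic SQL in 0x... hex literals, char()-built strings, named procs.
import re
from urllib.parse import urlsplit, unquote_plus
STACKED_STMT = re.compile(r";\s*(?:begin|declare|exec|execute|select)\b", re.I)
HEX_LITERAL = re.compile(r"\b0x([0-9a-f]{4,})\b", re.I)
CHAR_STRING = re.compile(r"\bchar\s*\(\s*\d+(?:\s*,\s*\d+)*\s*\)", re.I)
PROC_CALL = re.compile(r"\b(sp_makewebtask|xp_cmdshell)\b", re.I)  # procedures named in the post

def decode_hex_literals(sql):
    """ASCII text hidden inside 0x... literals, e.g. the value assigned to @q."""
    out = []
    for m in HEX_LITERAL.finditer(sql):
        try:
            out.append(bytes.fromhex(m.group(1)).decode("ascii"))
        except ValueError:  # odd length or non-ASCII bytes: leave for manual review
            pass
    return out

def decode_char_strings(sql):
    """Rebuild strings written as char(N,N,...) to avoid single quotes."""
    return ["".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0))) for m in CHAR_STRING.finditer(sql)]

def triage_request(url):
    """Findings for one request URL; an empty list means nothing matched."""
    query = unquote_plus(urlsplit(url).query)  # undo %20, %5B, ... before matching
    findings = []
    if STACKED_STMT.search(query):
        findings.append("stacked statement after ';'")
    findings += [f"hex-encoded sql: {s!r}" for s in decode_hex_literals(query)]
    findings += [f"char()-built string: {s!r}" for s in decode_char_strings(query)]
    findings += [f"stored procedure: {m.group(1).lower()}" for m in PROC_CALL.finditer(query)]
    return findings

def scan_log(lines):
    """Map each flagged request path to its findings ('METHOD PATH ...' lines)."""
    report = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and (found := triage_request(parts[1])):
            report[parts[1]] = found
    return report

SAMPLE_LOG = [  # constructed: one benign request, then the two requests quoted in the post
    "GET /mod.php?id=1 HTTP/1.1",
    "GET /mod.php?id=1;begin%20declare%20@q%20varchar(8000)select%20@q%20=%20"
    "0x73656c65637420404076657273696f6e%20exec(@q)%20end;-- HTTP/1.1",
    "GET /mod.php?id=1;exec%20sp_makewebtask%20%5Bc:\\inetpub\\wwwroot\\x\\i.html%5D,"
    "%20%5Bselect%20*%20from%20T%5D;-- HTTP/1.1",
]
```

Running `scan_log(SAMPLE_LOG)` flags only the two injected requests and shows that the hex literal in the first one decodes to `select @@version`.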


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:10 EDT