RE: SQL injection from within a table - is it possible?

From: Kelley, Brian (BKelley@AgFirst.com)
Date: Fri Jan 07 2005 - 09:38:11 EST


It's possible if they are taking the result set of a query and then issuing a dynamic SQL query using EXECUTE() or sp_executesql. Just querying a result set, no. SQL Server will just consider all the characters present in the (n)char/(n)varchar/(n)text field as just that, one long continuation of characters.

> -----Original Message-----
> From: Peter Bair [mailto:peterbair100@hotmail.com]
> Sent: Thursday, January 06, 2005 8:00 PM
> To: pen-test@securityfocus.com
> Subject: SQL injection from within a table - is it possible?
>
> Is it possible to store an SQL injection string into an MSSQL
> database table, so that when the database performs an action, like
> through a stored proc, the SQL injection attack takes place?
>
> Not through the normal means of SQL injection via a web-based
> means, but if you have the means of storing the data into the
> table directly.
>
> Example:
>
> An application has a user's name in a table. Is it possible
> to assign the user's name as the SQL injection string, something like
>
> name from table; exec master.xp_cmdshell "ping me"; --
>
> so when the database is running a stored procedure with a
> select clause like
>
> select name from table
>
> it really becomes
>
> select name from table; exec master.xp_cmdshell "ping me" ;--
> from table
>
> Of course using the SQL query analyzer on the database table,
> all this works ok.
>
> But when I insert the SQL injection string into the table, as
> the name, and then query the table, nothing happens.
>
> Is it possible or have I missed the point here?
>
> Thanks, Peter.
>

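To illustrate the point made in the reply above, here is an added T-SQL example that is not part of the original thread. It uses hypothetical temp tables (#users, #audit, #marker) and an INSERT into #marker as a harmless stand-in for xp_cmdshell, so "the injected statement ran" shows up as a row instead of a shell command. The same stored value is read three ways: by a plain SELECT (inert), by a stored-procedure-style EXEC() of concatenated SQL (fires, the second-order case), and by sp_executesql with a real parameter (inert again, which is the fix).

```sql
-- Added example, not from the original posts. Table and column names are assumed.
SET NOCOUNT ON;

CREATE TABLE #users  (id INT IDENTITY(1,1) PRIMARY KEY, name NVARCHAR(200) NOT NULL);
CREATE TABLE #audit  (who NVARCHAR(200));   -- what the "stored proc" legitimately writes
CREATE TABLE #marker (hit NVARCHAR(50));     -- a row here means the injected statement executed

-- 1. The attacker writes the payload straight into the table (no web tier involved).
--    Stored value: alice'); INSERT INTO #marker VALUES ('second-order'); --
INSERT INTO #users (name)
VALUES (N'alice''); INSERT INTO #marker VALUES (''second-order''); --');

-- 2. Plain SELECT: the payload comes back as one long string of characters.
SELECT name FROM #users;                              -- returns the payload as data
SELECT COUNT(*) AS marker_rows_after_select FROM #marker;   -- 0, nothing executed

-- 3. Vulnerable pattern: the stored proc reads the value and concatenates it
--    into a dynamic statement. The stored quote closes the literal, the
--    attacker's statement runs, and the trailing -- swallows the original tail.
DECLARE @name NVARCHAR(200), @sql NVARCHAR(MAX);
SELECT @name = name FROM #users WHERE id = 1;

SET @sql = N'INSERT INTO #audit (who) VALUES (''' + @name + N''')';
-- @sql is now:
-- INSERT INTO #audit (who) VALUES ('alice'); INSERT INTO #marker VALUES ('second-order'); --')
EXEC (@sql);

SELECT COUNT(*) AS marker_rows_after_exec FROM #marker;     -- 1, second-order injection fired

-- 4. Hardened pattern: keep the statement text fixed and pass the value as a
--    parameter. sp_executesql binds @who as data, so the quotes and the
--    semicolon never become syntax. (sp_executesql is only safe when used
--    this way; concatenating @name into @sql first is as bad as EXEC().)
SET @sql = N'INSERT INTO #audit (who) VALUES (@who)';
EXEC sp_executesql @sql, N'@who NVARCHAR(200)', @who = @name;

SELECT COUNT(*) AS marker_rows_after_param FROM #marker;    -- still 1, no new execution
SELECT who FROM #audit;   -- 'alice' from step 3, then the full untouched payload from step 4

-- If a value truly must be spliced into the text (e.g. an identifier), escape it:
--   SET @sql = N'INSERT INTO #audit (who) VALUES (' + QUOTENAME(@name, '''') + N')';

DROP TABLE #marker;
DROP TABLE #audit;
DROP TABLE #users;
```

Run it in SQL Server Management Studio or sqlcmd against any scratch database. The thing to take away is that the table never "executes" anything: the three reads differ only in whether the application re-parses the stored bytes as SQL. Code review for this class of bug therefore means grepping stored procedures for EXEC(, EXECUTE( and sp_executesql whose first argument is built with +, regardless of where the concatenated values came from.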


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:12 EDT