From: Ofer Maor (ofer.hacktics@gmail.com)
Date: Tue Sep 27 2005 - 12:10:39 EDT
Hi,
You are not working against an MS-SQL Server, but rather against an Access
MDB file, connected to the Access ODBC driver.
The bad news are that with Access, the MSysObjects table has no read
permissions by default, so you will not be lucky there..
The good news are, judging from your mail, is that you have detailed error
messages in this application. It therefore may be possibile to extract the
names of the tables by creating detailed error messages.
What I suggest is try to generate all kinds of errors in the system in all
kinds of locations. Such errors can include insertion of meta characters
other than just quote, such as parenthesis, semicolon, remarks, etc. Also,
try playing with keywords such as HAVING and GROUP BY. As far as I recall,
MS tends to become descriptive about field names and such when inserting
such fields. Also, you can try union select from other tables, or even with
no tables (MS is lenient about SQL syntax, and allows performing a query
such as SELCT 1,2,3, without a FROM clause).
In addition to that, I strongly suggest guessing the table names. In most
PT's I did, users table tend to use a variation of one of the following (try
singular form, plural, etc).:
- Users
- Logins
- Accounts
- IDs
Etc..
Also, try following common table naming conventions, such as tblUsers, or
tUsers, or tbl_Users, etc. From my experience, if you sufficiently play with
standard prefixes/suffixes, and logical names, you've got a very high chance
of finding the table name.
Sincerely,
--- Ofer Maor CTO Hacktics Ltd. Mobile: +972-54-6545406 Office: +972-9-9565840 Fax: +972-9-9500047 Web: www.hacktics.com -----Original Message----- From: Cedric Foll [mailto:cedric.foll@ac-rouen.fr] Sent: Monday, September 26, 2005 4:01 PM To: pen-test@securityfocus.com Subject: MS SQL, find list of tables Hi, I'm doing a pen test on a IIS/MS SQL box and find a SQL Injection on it which permit to execute some SQL command on it. In fact I have a "select" where I can inject an "UNION something". I'd like to use that in order to get login/passwd in the database. I can do: <somethin.asp?page=contact' UNION SELECT * FROM users WHERE '1'='1> But the table users doesn't exist and I failed to guess an existing table name :(. I've tried: <something.asp?page=contact' UNION SELECT * FROM MSysObjects'> but I get ---- Microsoft OLE DB Provider for ODBC Drivers error '80040e09' [Microsoft][ODBC Microsoft Access Driver] Record(s) cannot be read; no read permission on 'MSysObjects'. ---- Someone has an idea ???? Regards -- Cedric Foll Ingénieur Sécurité & Réseaux Division Informatique, Rectorat de Rouen "More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk." Bruce Schneier ---------------------------------------------------------------------------- -- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ---------------------------------------------------------------------------- --- ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:00 EDT