Re: SQL Injection and text fields

From: Ben Timby (asp@webexc.com)
Date: Fri Aug 20 2004 - 15:35:00 EDT


I don't know if this will help you, but what I have done in the past is
this.

Make your query a subquery of the developer's query. The input you would
provide is something like:

"' or 1 = (select cast(name as int) as hehehe from sysobjects where type
= 'U' and name > '.' order by name asc)--"

SQL Server will barf and tell you that it cannot convert value
"tblCustomers" to an int. You can then insert that name into the where
"name > '.'" clause above to get the next table name.

You can use this same method to enum the columns in every table.

I wrote a script to automate this procedure, you had to provide it the
template for your query, but it would grab the result, and repeat the
query after inserting the table/column name.

You can use a similar technique to get data from the tables:

"' or 1 = (select cast(ccnum + '*' + CustName + '*' + Expiry as int) as
hahaha from tblCustomers where CustName > '.' order by CustName asc)--"

Trim the *'s, extract the CustName from the resulting error text, insert
this into the "CustName > '.'", rinse and repeat.

I have stolen entire tables and databases using this technique. It works
in many situations; your dependency on the target vulnerable site is
very low.

Hope that helps.

Mariano Nuñez Di Croce wrote:

> Ben Timby wrote:
>
>> What do you want to find out? can you post your full input to the field?
>>
>> I am having trouble understanding what you are doing and trying to
>> accomplish.
>>
>> Mariano Nuñez Di Croce wrote:
>>
>>> I'm currently pen-testing a web application based on ASP and SQL Server.
>>>
>>> I have already figured out the table and field name by the use of the
>>> "having 1=1--" and appending "group by table.name" clauses.
>>>
>>> The problem is that I have text fields and those can't be used in the
>>> GROUP BY clause, so I get an error and cannot continue with the
>>> Injection.
>>>
>>> Any ideas?
>>>
>>
>>
> I 'm testing a page similar to this one:
>
> www.url.com/page.asp?id=2%20group%20by%20table1.fecha,table1.row_id,table1.nombre_fisico,table1.titular,table1.autor,table1.fuente,table1.seccion,table1.ciudad,table1.texto%20having%201=1--
>
>
> When I send this url without "table1.texto", I get an error saying that
> table1.texto must be appended to the group by clause... (just like the
> same procedure to discover the previous fieldnames).
>
> But this time, when I add this field to the GROUP BY clause it says that
> ntext, text and image fields cannot be appended to this type of clause.
>
> So...how can I walk through this to keep discovering the remaining fields??
> I've heard something about the CONVERT function but not sure how to
> implement it..
>
> Thanks in advance,
>
>
> But when
>
>
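The thread above shows two things a defender should take from it: the probes have a recognisable shape in the web server log ("group by table.col ... having 1=1--", "cast(... as int)", sysobjects), and the whole enumeration only works because the page splices untrusted text into the statement and echoes the raw database error back to the browser. The following is an added example written for this archive page; it is not Ben Timby's script and not code from the application under discussion. It assumes a hypothetical page.asp-style handler whose "id" parameter is an integer, uses sqlite3 in place of SQL Server, and works on constructed request paths and table rows, all labelled as such in the code.

```python
import logging
import re
import sqlite3
from urllib.parse import unquote_plus

# --- 1. Detection: flag request paths carrying the probe shapes quoted in the thread ---
# "having 1=1--" / "group by table.col" is the field-enumeration probe; "cast(... as int)"
# and sysobjects belong to the error-based enumeration. Names are my own labels.
PROBE_PATTERNS = {
    "having_1_eq_1": re.compile(r"having\s+1\s*=\s*1", re.I),
    "group_by_column": re.compile(r"group\s+by\s+\w+\.\w+", re.I),
    "cast_as_int": re.compile(r"cast\s*\(.+?\s+as\s+int\s*\)", re.I | re.S),
    "sysobjects": re.compile(r"\bsysobjects\b", re.I),
    "comment_terminator": re.compile(r"--\s*$"),
}

def flag_request(path):
    """Return the names of the probe patterns found in a URL-decoded request path."""
    decoded = unquote_plus(path)
    return [name for name, pat in PROBE_PATTERNS.items() if pat.search(decoded)]

# Constructed sample request paths (not real traffic), modelled on the URL shape in the thread.
SAMPLE_PATHS = [
    "/page.asp?id=2",
    "/page.asp?id=2%20group%20by%20table1.fecha,table1.row_id%20having%201=1--",
    "/page.asp?id=2'%20or%201%20=%20(select%20cast(name%20as%20int)%20from%20sysobjects)--",
    "/search.asp?q=having%20a%20good%20day",
]

def scan_paths(paths):
    """Map each suspicious path to the pattern names it triggered; clean paths are omitted."""
    return {p: flag_request(p) for p in paths if flag_request(p)}

# --- 2. Root cause and fix: string-built SQL with echoed errors vs. validated, bound input ---
def make_db():
    """Constructed stand-in for the application's database (sqlite3 instead of SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table table1 (id integer primary key, titular text, texto text)")
    conn.executemany("insert into table1 values (?, ?, ?)",
                     [(1, "first", "body 1"), (2, "second", "body 2"), (3, "third", "body 3")])
    return conn

def handle_request_vulnerable(conn, raw_id):
    """Mirrors the construction the thread exploits: untrusted text spliced into the
    statement, and the raw database error returned to the client."""
    sql = "select titular from table1 where id = " + raw_id
    try:
        return {"status": 200, "body": [r[0] for r in conn.execute(sql)]}
    except sqlite3.Error as exc:
        # Echoing the error text is what turns the database into an oracle.
        return {"status": 500, "body": str(exc)}

def handle_request_hardened(conn, raw_id):
    """Validate the type, bind the value as a parameter, keep error detail server-side."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return {"status": 400, "body": "invalid id"}
    try:
        rows = conn.execute("select titular from table1 where id = ?", (id_value,)).fetchall()
    except sqlite3.Error:
        logging.exception("query failed for id=%r", id_value)  # full detail stays in the log
        return {"status": 500, "body": "request failed"}
    return {"status": 200, "body": [r[0] for r in rows]}

if __name__ == "__main__":
    db = make_db()
    for path, hits in scan_paths(SAMPLE_PATHS).items():
        print(f"ALERT {path} -> {hits}")
    print(handle_request_vulnerable(db, "2 or 1=1--"))  # the spliced text changes the query
    print(handle_request_vulnerable(db, "2 foo"))       # raw parser error reaches the client
    print(handle_request_hardened(db, "2 or 1=1--"))    # rejected before any SQL is built
```

The hardened handler closes both halves of the technique: binding the value means no input can reach the parser as SQL, and the generic error body removes the channel the thread uses to read table and column names out of conversion errors. The log patterns are deliberately narrow; in practice you would pair them with a rate check per source, since the procedure described above is iterative and produces a long run of near-identical requests.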




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:59 EDT