Re: SQL injection from within a table - is it possible?

From: Kevin Conaway (kevin.conaway@gmail.com)
Date: Fri Jan 07 2005 - 09:27:01 EST


Peter,

When you select a value out of a database, it won't rewrite the query
with the contents of the value you are selecting.

Kevin

On 7 Jan 2005 00:59:44 -0000, Peter Bair <peterbair100@hotmail.com> wrote:
>
>
> Is it possible to store an SQL injection string into a MSSQL database table, so when the database performs an action like through a stored proc, the SQL injection attack takes place?
>
> Not through the normal means of SQL injection via a web-based means, but if you have the means of storing the data into the table directly.
>
> Example:
>
> An application has a user's name in a table. Is it possible to assign the user's name as the SQL injection string, something like
>
> name from table; exec master.xp_cmdshell "ping me"; --
>
> so when the database is running a stored procedure with a select clause like
>
> select name from table
>
> it really becomes
>
> select name from table; exec master.xp_cmdshell "ping me" ;-- from table
>
> Of course using the SQL query analyzer on the database table, all this works ok.
>
> But when I insert the SQL injection string into the table, as the name, and then query the table nothing happens.
>
> Is it possible or have I missed the point here?
>
> Thanks Peter.
>
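
Added example, not part of the original messages: a Python `sqlite3` sketch showing that a plain SELECT hands the stored string back as data, and, going one step beyond the case in the thread, that a stored value only changes a statement when code pastes it into new SQL text, which bind parameters prevent. SQLite stands in for MSSQL here, and the table names, rows and stored value are constructed for the example.

```python
import sqlite3

# Constructed sample value stored as a user's name (assumption for this example).
STORED_NAME = "nobody' OR '1'='1"

def make_db():
    # In-memory database with hypothetical tables: users(id, name), notes(owner, body).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    db.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                   [(1, "alice"), (2, STORED_NAME)])
    db.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)",
                   [("alice", "alice private note"), ("bob", "bob private note")])
    return db

def plain_select(db):
    # Case from the thread: the statement text is fixed before any row is read,
    # so the stored string is returned as a value and never parsed as SQL.
    return [row[0] for row in db.execute("SELECT name FROM users ORDER BY id")]

def stored_name(db, user_id):
    row = db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0]

def notes_concatenated(db, user_id):
    # Unsafe pattern: the value read from the table is concatenated into a new
    # statement, so the parser treats its quote and OR clause as SQL syntax.
    sql = "SELECT body FROM notes WHERE owner = '" + stored_name(db, user_id) + "'"
    return sorted(row[0] for row in db.execute(sql))

def notes_parameterized(db, user_id):
    # Safe pattern: the same stored value is bound as a parameter and is only
    # ever compared as a string.
    sql = "SELECT body FROM notes WHERE owner = ?"
    return sorted(row[0] for row in db.execute(sql, (stored_name(db, user_id),)))

if __name__ == "__main__":
    db = make_db()
    print("plain select:  ", plain_select(db))
    print("concatenated:  ", notes_concatenated(db, 2))
    print("parameterized: ", notes_parameterized(db, 2))
```

When reviewing stored procedures, the equivalent thing to look for is a value read from a table being concatenated into a string that is then executed as dynamic SQL.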


