[Dailydave] SQL Injection - Strange Result
J.M. Seitz
lists at bughunter.ca
Thu Oct 18 17:28:27 EDT 2007
I am more familiar with MySQL, but could there be a case that the
database/application is locking the table during the first stored procedure
run? If it doesn't properly unlock the table after it's finished (assuming
your injection would have to make sure that happens), then it can essentially
block the server from allowing access to that table again.
I would check the source to see what they are doing for locking. I might
totally be out to lunch, but I have seen lots of PHP apps improperly lock
and unlock, causing all sorts of bizarre problems.
JS
_____
From: dailydave-bounces at lists.immunitysec.com
[mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of H. Daniel
Regalado Arias
Sent: Thursday, October 18, 2007 1:00 PM
To: Dave Aitel; dailydave
Subject: [Dailydave] SQL Injection - Strange Result
Hi Dave and Friends, I have a problem while making a PHP/MSSQL 2000 Web App
Assessment. After many days, and due to the lack of experience, I am able to
bypass single quotes using char() or "[]" when trying to execute a stored
procedure, so, by now, I am able to inject code directly into the database
without being filtered, but after sending the next test:
http://www.client.com/mod.php?id=1;begin%20declare%20@q%20varchar(8000)select%20@q%20=%200x73656c65637420404076657273696f6e%20exec(@q)%20end;--
or another stored procedure like:
http://www.client.com/mod.php?id=1;exec%20sp_makewebtask%20%5Bc:\inetpub\wwwroot\sssssssss\index_olld.html%5D,%20%5Bselect%20*%20from%20TABLE%5D;--
the application responds with something like:
SQL error: [Microsoft][ODBC SQL Server Driver]Connection is busy with
results for another hstmt, SQL state S1000 in SQLExecDirect in
C:\D\Inetpub\wwwroot\sssssssssss
I think it's because of the first query (the one that belongs to the id=1
parameter, even though 1 results in 0 rows).
I have read a lot about SQL injection .. Advanced, More, and so on, but all
of them always execute a stored procedure after a semicolon, and none of them
says anything about this error.
I thought of putting a delay before my stored procedure, or a command to free
the database connection handler.
What do you think???
By the way, I am not able to run xp_cmdshell because of the database user
permissions; maybe I could try to elevate privileges, but the error described
above always appears.
Thanks in Advance.
H. Daniel Regalado Arias, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
----- Original Message ----
From: Dave Aitel <dave at immunityinc.com>
To: dailydave <dailydave at lists.immunitysec.com>
Sent: Thursday, 18 October 2007 12:40:06
Subject: [Dailydave] SQL Hooker Release
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://forum.immunityinc.com/index.php?topic=92.0
JMS and I decided to put our code where our mouth was.
It looks a lot like this:
PyCommands $ python sql_listener.py 80812.4
Set up XMLRPC Socket on 0.0.0.0 port 8081
select count(*) from users where userName='cow' and userPass='boy'
10.10.10.243 - - [18/Oct/2007 13:03:17] "POST / HTTP/1.0" 200 -
Next up - file operation hooking perhaps? :>
- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHF5p0B8JNm+PA+iURAtFlAKDhW3CVqVd6S621t4kdsQ1Y0sb2cgCg7JY5
QaZkG+j3E5b6NO0SJrR3yM8=
=bvnS
-----END PGP SIGNATURE-----
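The requests quoted in the thread above are the classic stacked-query shape: an `id` parameter that should be a single integer instead carries `;` followed by a second T-SQL statement, a hex-encoded varchar literal, and a `--` terminator. The following is an added example, not code from the thread or from any of its participants: a small log scanner that URL-decodes request parameters (repeatedly, so double-encoded payloads are unwrapped too, which goes beyond the single-encoded URLs in the thread), decodes `0x..` literals back to readable text for the analyst, and flags any `id` value that is not a plain integer. The access-log lines are constructed for the example and only mirror the two payload shapes quoted in the message; the integer check in `is_valid_id` is also the mitigation, since a parameter validated that strictly (or bound as a typed parameter) never reaches the driver as part of a statement string.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (not from the thread); the request targets mirror
# the two payload shapes quoted in the message above.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Oct/2007:13:01:02 -0400] "GET /mod.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [18/Oct/2007:13:01:05 -0400] "GET /mod.php?id=1;begin%20declare%20@q%20varchar(8000)select%20@q%20=%200x73656c65637420404076657273696f6e%20exec(@q)%20end;-- HTTP/1.1" 500 0
10.0.0.9 - - [18/Oct/2007:13:01:09 -0400] "GET /mod.php?id=1;exec%20sp_makewebtask%20%5Bc:%5Cinetpub%5Cwwwroot%5Cx%5Cindex.html%5D,%20%5Bselect%20*%20from%20TABLE%5D;-- HTTP/1.1" 500 0
10.0.0.7 - - [18/Oct/2007:13:02:00 -0400] "GET /mod.php?id=42 HTTP/1.1" 200 498
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A second T-SQL statement after ';' inside a value that should be one integer.
STACKED_RE = re.compile(
    r';\s*(?:begin|declare|exec(?:ute)?|select|insert|update|delete|drop|waitfor|shutdown)\b',
    re.I)
HEX_LITERAL_RE = re.compile(r'0x((?:[0-9a-f]{2})+)', re.I)
COMMENT_RE = re.compile(r'--|/\*')


def decode_value(raw, rounds=3):
    """URL-decode until stable so double-encoded payloads (%2520) are unwrapped too."""
    value = raw
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_valid_id(value):
    """The only acceptable shape for an 'id' parameter: a short unsigned integer."""
    return re.fullmatch(r'[0-9]{1,10}', value) is not None


def decode_hex_literals(text):
    """Turn 0x.. varchar literals back into text so an analyst can read them."""
    decoded = []
    for m in HEX_LITERAL_RE.finditer(text):
        try:
            decoded.append(bytes.fromhex(m.group(1)).decode('ascii'))
        except (ValueError, UnicodeDecodeError):
            decoded.append('<non-ascii literal>')
    return decoded


def parse_query(target):
    """Split the query string on '&' only; a ';' inside a value is data, not a separator."""
    params = {}
    for pair in urlsplit(target).query.split('&'):
        if not pair:
            continue
        key, _, val = pair.partition('=')
        params[decode_value(key)] = decode_value(val)
    return params


def analyze_params(params):
    """Return findings per parameter; an empty dict means nothing suspicious."""
    findings = {}
    for key, value in params.items():
        hits = []
        if key == 'id' and not is_valid_id(value):
            hits.append('non-integer id')
        if STACKED_RE.search(value):
            hits.append('stacked statement')
        for literal in decode_hex_literals(value):
            hits.append('hex literal decodes to: ' + literal)
        if COMMENT_RE.search(value):
            hits.append('SQL comment terminator')
        if hits:
            findings[key] = hits
    return findings


def scan_log(log_text):
    """Return (ip, status, findings) for every request whose parameters look injected."""
    alerts = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        findings = analyze_params(parse_query(m.group('target')))
        if findings:
            alerts.append((m.group('ip'), int(m.group('status')), findings))
    return alerts


if __name__ == '__main__':
    for ip, status, findings in scan_log(SAMPLE_LOG):
        print(ip, status, findings)
```

Run against the constructed log, the two `id=1;...` requests are reported from 10.0.0.9 with status 500, the first one with its hex literal decoded to `select @@version`; the plain `id=1` and `id=42` requests produce no findings. Pairing the flagged request with the application's own 500 response (the ODBC error in the thread is exactly such a server-side failure) is a cheap correlation for an alert rule.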