[Dailydave] SQL Injection - Strange Result
Adriel Desautels
adriel at netragard.com
Thu Oct 18 17:58:39 EDT 2007
Daniel,
Google is a good friend.
Discussion:
This problem occurs when working with the same MS SQL Server connection
as source and target of a module. This error appears in the Exceptions
tab of the Execution Viewer. The complete error message is:
S1000 [Microsoft][ODBC SQL Server Driver]Connection is busy with results
for another hstmt
This error is returned by the ODBC driver and not by SQL Server itself,
so @DbError = 0.
Resolution:
This is due to the behaviour of the MS SQL Server connection. When a
transaction is opened and a table is currently being read in single
mode, no other task can be performed within this transaction.
To fix this, in the module change the select mode of the table (or the
dataset) to Packet(x).
Another way to avoid this error is to duplicate the connection and link
the source table (or the tables of the dataset) to that new connection.
This way, two different transactions are opened: one for reading, and
one for writing. If you want to read the same table you write, you have
to use the first solution.
Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45
---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security
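The failure Daniel describes, and the two resolutions in the pasted text, reproduced in PHP as an added example; this is not code from the thread, from Netragard, or from the target application. It assumes a mod.php built on PHP's odbc extension (the error text names the ODBC driver and SQLExecDirect, which is what odbc_exec() calls) that issues a second query on the same connection after the one carrying id; the DSN, credentials, the "modules" table and both queries are made up for the reproduction.

```php
<?php
// Added example (not code from the thread): reproduces the S1000
// "Connection is busy with results for another hstmt" error with PHP's
// odbc extension against SQL Server 2000, then shows the fixes.
// DSN, credentials, the "modules" table and mod.php's queries are assumed;
// the thread does not show the target's code.

const DSN  = 'Driver={SQL Server};Server=sqlhost;Database=webapp';  // assumed
const USER = 'webuser';                                              // assumed
const PASS = 'secret';                                               // assumed

// The thread's first payload, URL-decoded. The hex literal is "select @@version",
// so the stacked batch returns a second result set the page never reads.
const PAYLOAD = "1;begin declare @q varchar(8000) select @q = "
              . "0x73656c65637420404076657273696f6e exec(@q) end;--";

function connect() {
    $conn = odbc_connect(DSN, USER, PASS);
    if ($conn === false) {
        throw new RuntimeException('connect: ' . odbc_errormsg());
    }
    return $conn;
}

function db_error($conn): array {
    return ['error' => odbc_error($conn) . ' ' . odbc_errormsg($conn)];
}

// --- mod.php as assumed: id is concatenated into the SQL text --------------
function vulnerable_page(string $raw_id): array {
    $conn = connect();

    // Query 1, the injection point. With PAYLOAD the batch sent is
    //   SELECT title FROM modules WHERE id=1;begin ... exec(@q) end;--
    // odbc_exec() (SQLExecDirect) succeeds: the whole batch runs on the server.
    $res = odbc_exec($conn, "SELECT title FROM modules WHERE id=$raw_id");
    if ($res === false) {
        return db_error($conn);
    }
    $row = odbc_fetch_array($res);   // reads at most one row of result set 1
    // No odbc_next_result()/odbc_free_result(): the "select @@version" result
    // set is still pending on this hstmt. Without MARS (SQL Server 2000) the
    // driver will not start another statement on the connection until it is
    // consumed or the statement is closed.

    // Query 2: this SQLExecDirect is where S1000 "Connection is busy with
    // results for another hstmt" is raised, after the injected batch already ran.
    $cnt = odbc_exec($conn, 'SELECT COUNT(*) AS n FROM modules');
    if ($cnt === false) {
        return db_error($conn);
    }
    $c = odbc_fetch_array($cnt);
    return ['title' => $row ? $row['title'] : null, 'n' => $c ? (int) $c['n'] : 0];
}

// --- Hardened mod.php ---------------------------------------------------------
function hardened_page(string $raw_id): array {
    if (!ctype_digit($raw_id)) {     // id is numeric; "1;..." is rejected outright
        return ['error' => 'invalid id'];
    }
    $conn = connect();

    // Fix for the injection: bind id as a parameter so it travels as data and
    // can never extend the batch. (odbc_execute() treats a string parameter
    // wrapped in single quotes as a file name to read, so cast or validate first.)
    $stmt = odbc_prepare($conn, 'SELECT title FROM modules WHERE id = ?');
    if ($stmt === false || !odbc_execute($stmt, [(int) $raw_id])) {
        return db_error($conn);
    }
    $row = odbc_fetch_array($stmt);

    // Fix for S1000 (Adriel's first resolution in ODBC terms): finish reading
    // every result set (SQLMoreResults until SQL_NO_DATA) and release the
    // statement (SQLFreeStmt) before issuing the next one on this connection.
    while (odbc_next_result($stmt)) {
        // discard any further result sets
    }
    odbc_free_result($stmt);

    // Adriel's second resolution would be to run this on a separate
    // odbc_connect() handle: pending results on one connection do not block another.
    $cnt = odbc_exec($conn, 'SELECT COUNT(*) AS n FROM modules');
    if ($cnt === false) {
        return db_error($conn);
    }
    $c = odbc_fetch_array($cnt);
    return ['title' => $row ? $row['title'] : null, 'n' => $c ? (int) $c['n'] : 0];
}

print_r(vulnerable_page(PAYLOAD));
print_r(hardened_page(PAYLOAD));
print_r(hardened_page('1'));
```

In this reproduction the S1000 comes from the second odbc_exec(), not from the one that carries the injection, so the stacked batch (sp_makewebtask included) has already executed on the server by the time the page prints the error; the error only hides the batch's output. That cuts both ways: a developer who merely adds odbc_free_result() before the next query stops the page from erroring but leaves the injection in place and now silent, so the parameter binding (or the ctype_digit check) is the actual fix. Daniel's target may be structured differently; if the busy hstmt belongs to an earlier query, it is the injected SQLExecDirect that the driver rejects, and the batch is never sent.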
H. Daniel Regalado Arias wrote:
> Hi Dave and Friends, I have a problem while making a PHP - MSSQL 2000 Web
> App Assessment. After many days, and due to the lack of experience, I am
> able to bypass single quotes using char() or "[]" when trying to execute
> a stored procedure, so, by now, I am able to inject code directly into the
> database without being filtered, but after sending the next test:
>
> http://www.client.com/mod.php?id=1;begin%20declare%20@q%20varchar(8000)select%20@q%20=%200x73656c65637420404076657273696f6e%20exec(@q)%20end;--
>
> or another stored procedure like:
>
> http://www.client.com/mod.php?id=1;exec%20sp_makewebtask%20%5Bc:\inetpub\wwwroot\sssssssss\index_olld.html%5D,%20%5Bselect%20*%20from%20TABLE%5D;--
>
> the application responds with something like:
> SQL error: [Microsoft][ODBC SQL Server Driver]Connection is busy with
> results for another hstmt, SQL state S1000 in SQLExecDirect in
> C:\D\Inetpub\wwwroot\sssssssssss
>
> I think it's because of the first query (the one that belongs to the id=1
> parameter, even though 1 results in 0 rows).
> I have read a lot about SQL injection (Advanced, More, and so on), but
> all of them always execute a stored procedure after a semicolon, and none
> of them says anything about this error.
>
> I thought of putting a delay before my stored procedure, or a command to
> free the database connection handle.
>
> What do you think?
>
> By the way, I am not able to run xp_cmdshell because of the database
> user's permissions. Maybe I could try to elevate privileges, but the
> error described above always appears.
>
> Thanks in Advance.
>
> H. Daniel Regalado Arias, CISSP
> Chief Information Security Officer
> Macula Security Consulting Group
> www.macula-group.com
>
>
> ----- Original message ----
> From: Dave Aitel <dave at immunityinc.com>
> To: dailydave <dailydave at lists.immunitysec.com>
> Sent: Thursday, 18 October 2007 12:40:06
> Subject: [Dailydave] SQL Hooker Release
>
> http://forum.immunityinc.com/index.php?topic=92.0
>
> JMS and I decided to put our code where our mouth was.
>
> It looks a lot like this:
> PyCommands $ python sql_listener.py 80812.4
> Set up XMLRPC Socket on 0.0.0.0 port 8081
> select count(*) from users where userName='cow' and userPass='boy'
> 10.10.10.243 - - [18/Oct/2007 13:03:17] "POST / HTTP/1.0" 200 -
>
> Next up - file operation hooking perhaps? :>
>
> -dave
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave