<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt">Hi Dave and Friends, i have a problem while making a PHP -MSQQL-2000 Web App Assessment, after many days and due to the lack of experience i am able to bypass single quotes using char() or "[]" when trying to execute a store procedure, so, by now, i am able to inject code directly to the DataBase without being filtered but after sending the next test: <br><br><span><a target="_blank" href="http://www.client.com/mod.php?id=1;begin%20declare%20@q%20varchar%288000%29select%20@q%20=%200x73656c65637420404076657273696f6e%20exec%28@q%29%20end">http://www.client.com/mod.php?id=1;begin%20declare%20@q%20varchar(8000)select%20@q%20=%200x73656c65637420404076657273696f6e%20exec(@q)%20end</a>;--</span><br><br>or another store procedure like:<br><br><span><a target="_blank"
href="http://www.client.com/mod.php?id=1;exec%20sp_makewebtask%20%5Bc:%5Cinetpub%5Cwwwroot%5Csssssssss%5Cindex_olld.html%5D,%20%5Bselect%20*%20from%20TABLE%5D">http://www.client.com/mod.php?id=1;exec%20sp_makewebtask%20%5Bc:\inetpub\wwwroot\sssssssss\index_olld.html%5D,%20%5Bselect%20*%20from%20TABLE%5D</a>;--</span><br><br>the application responses with something like:<br>SQL error: [Microsoft][ODBC SQL Server Driver]Connection is busy with results
for another hstmt, SQL state S1000 in SQLExecDirect in <b>C:\D\Inetpub\wwwroot\sssssssssss</b><br><div><br>I think its because of the first query (the one belongs to id=1 parameter, even though 1 results to 0 rows).<br>I have ridden a lot of sql injection .. Advanced, More, and so on, but all of them always execute a store procedure after a semicolon but no one says something about this error.<br><br>I thought to put a delay before my store procedure or a command to free the data base connection handler.<br><br>What you think???<br><br>By the way, i am not able to run xp_cmdshell because of the database user permissions, may be i could try to elevate privileges but always appears the error describe above.<br><br>Thanks in Advance.<br> </div>H. Daniel Regalado Arias, CISSP<br>Chief Information Security Officer<br>Macula Security Consulting Group<br>www.macula-group.com<div style="font-family: times new roman,new york,times,serif; font-size:
12pt;"><br><br><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;">----- Mensaje original ----<br>De: Dave Aitel <dave@immunityinc.com><br>Para: dailydave <dailydave@lists.immunitysec.com><br>Enviado: jueves, 18 de octubre, 2007 12:40:06<br>Asunto: [Dailydave] SQL Hooker Release<br><br>-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA1<br><br><a href="http://forum.immunityinc.com/index.php?topic=92.0" target="_blank">http://forum.immunityinc.com/index.php?topic=92.0</a><br><br>JMS and I decided to put our code where our mouth was.<br><br>It looks a lot like this:<br>PyCommands $ python sql_listener.py 80812.4<br>Set up XMLRPC Socket on 0.0.0.0 port 8081<br>select count(*) from users where userName='cow' and userPass='boy'<br>10.10.10.243 - - [18/Oct/2007 13:03:17] "POST / HTTP/1.0" 200 -<br><br>Next up - file operation hooking perhaps? :><br><br>- -dave<br>-----BEGIN PGP SIGNATURE-----<br>Version: GnuPG v1.4.6
(GNU/Linux)<br><br>iD8DBQFHF5p0B8JNm+PA+iURAtFlAKDhW3CVqVd6S621t4kdsQ1Y0sb2cgCg7JY5<br>QaZkG+j3E5b6NO0SJrR3yM8=<br>=bvnS<br>-----END PGP SIGNATURE-----<br><br>_______________________________________________<br>Dailydave mailing list<br><a ymailto="mailto:Dailydave@lists.immunitysec.com" href="mailto:Dailydave@lists.immunitysec.com">Dailydave@lists.immunitysec.com</a><br><a href="http://lists.immunitysec.com/mailman/listinfo/dailydave" target="_blank">http://lists.immunitysec.com/mailman/listinfo/dailydave</a><br></div><br></div></div><br>
<hr size=1><br><font face="Verdana" size="-2">¡Sé un mejor ambientalista!<br>Encuentra consejos para cuidar el lugar donde vivimos en:<br>
http://telemundo.yahoo.com/promos/mejorambientalista.html</font></body></html>