Re: SQL Injection- Bypassing magic_quotes
user name
2007-10-10 20:00:21
Good Leo, but sadly I have already taken those steps; the backend is a SQL Server 2005, so xp_cmdshell and others are disabled. I only want to print a confidential table in order to show that it's important to fix it.

I think the MSSQL connection handler is executed by the first mod.php query, so when trying to execute the second one it says the handler is already used, so... I need a way to execute a second query through the first one, with UNION or something like that, or, as Geoff said, a way to stop executing the first query (mod.php) so that the connection handler is not used and can execute the second one of mine (SQL injection).

What do you think?

On 10/10/07, Walsh, Leo <Leo_Walshjeffersonwells.com> wrote:
> I would try a couple of things, if you haven't already.
>
> 1) If you aren't actually interested in the results that are obtained
> from the query performed by mod.php then skip it. Your 1=1 selection
> criteria might be eating up too much time. From the looks of your query
> string it seems that you can bypass whatever filtering they are doing
> without using 1=1.
>
> 2) Try selecting something much smaller than the entire messages table.
> This is a table that might be quite large. Try selecting a single row or
> message where date > somedate (which you may have to convert to a binary
> value, by the way). If you know another table name then try that.
>
> 3) Try using a SQL Injection tool to gain sa access. Depending on the
> purpose of your investigation gaining sa should be enough to demonstrate
> a severe vulnerability that should be mitigated immediately.
>
> -Leo Walsh, GSNA
> Jefferson Wells International
> 816-627-4222 (office)
> 913-484-8051 (cell)
>
> -----Original Message-----
> From: listbouncesecurityfocus.com [mailto:listbouncesecurityfocus.com]
> On Behalf Of Danux
> Sent: Tuesday, October 09, 2007 7:25 PM
> To: pen-testsecurityfocus.com
> Subject: Re: SQL Injection- Bypassing magic_quotes
>
> Hi, well, after taking some examples from you (thanks in advance), I am
> able to bypass single quotes so I can inject something simple as:
>
> http://www.site.com/mod.php?id=1%27%20or%201=1--
>
> But now, when trying to print a full table, with the following
> injection:
>
> http://www.site.com/mod.php?id=1%27%20or%201=1--;select%20*%20from%20messages;--
>
> there is a Warning saying that the Connection is busy:
>
> Warning: odbc_exec() [function.odbc-exec]: SQL error: [Microsoft][ODBC
> SQL Server Driver]Connection is busy with results for another hstmt, SQL
> state S1000 in SQLExecDirect in .........mod.php
>
> So, I think I need a way to execute the second query (mine) before the
> one that mod.php executes by itself (mod.php?id=1)
>
> What do you think?


-- 
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
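
As an added defensive example (not code from the thread or from anyone on the list): the two mod.php requests quoted above, once percent-decoded, are easy to flag in web access logs. The script below scans constructed log lines for the quote-plus-tautology, comment-terminator and stacked-query patterns they contain, and assumes that mod.php's id parameter is only ever numeric, so a simple allowlist check catches the attempts as well.

```python
"""Flag the mod.php injection attempts discussed in this thread in web access logs."""
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined-log style, trimmed); not taken from the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Oct/2007:19:20:01 -0500] "GET /mod.php?id=1 HTTP/1.1" 200 2048
10.0.0.5 - - [09/Oct/2007:19:21:14 -0500] "GET /mod.php?id=1%27%20or%201=1-- HTTP/1.1" 200 2048
10.0.0.5 - - [09/Oct/2007:19:22:40 -0500] "GET /mod.php?id=1%27%20or%201=1--;select%20*%20from%20messages;-- HTTP/1.1" 500 512
10.0.0.9 - - [09/Oct/2007:19:25:00 -0500] "GET /mod.php?id=42 HTTP/1.1" 200 1900
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Checked against the percent-decoded value, so %27 / %20 encoding does not hide them.
SIGNATURES = [
    ("quote-tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("comment-terminator", re.compile(r"--|/\*")),
    ("stacked-query", re.compile(r";\s*(select|insert|update|delete|exec)\b", re.I)),
]

# Parameters the application only ever uses as integers (assumption: mod.php's id is numeric).
NUMERIC_PARAMS = {"id"}

def classify_param(name: str, raw_value: str) -> list[str]:
    """Return the names of every check a single raw (still encoded) parameter trips."""
    decoded = unquote_plus(raw_value)          # decode exactly once
    hits = [sig for sig, rx in SIGNATURES if rx.search(decoded)]
    if name in NUMERIC_PARAMS and not decoded.isdigit():
        hits.append("non-numeric-" + name)     # allowlist check catches what signatures miss
    return hits

def scan_log(text: str) -> list[dict]:
    """Return one finding per request whose query string trips at least one check."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        hits = []
        for param in filter(None, query.split("&")):
            name, _, raw = param.partition("=")
            hits += classify_param(name, raw)
        if hits:
            findings.append({"client": line.split()[0], "path": path, "hits": hits})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The third sample line also carries a 500 status, which is what the "Connection is busy" warning produces when PHP is configured to treat it as fatal; correlating such status changes with flagged parameters is a cheap second signal.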
