Thread: Executing PHP Code from MSSQL table

Executing PHP Code from MSSQL table
2007-10-15 19:38:50
Hi, after testing a PHP-MSSQL app, I am able to insert and update tables but I can't execute store_procedures, so I was wondering if it's possible to update a table putting something like: "phpinfo()" or (passthru("ipconfig")) in order to execute while loading the page?

I mean:

Inside the HTML page the images are taken from the database, so... from a black box perspective I think it is something like: <img src=$img> and I know where the table is which reads this image name, so I can update the table and, instead of reading something like $img = picture.gif, it reads something like "phpinfo();". But as you know this is only a string; even if I update the table with: eval("phpinfo();") it's also a string .... so it doesn't get executed!!

So, I would like your help: what can I do if I am able to insert, create and update tables but unable to run stored procedures, or bulk or bcp!!!!!

Thanks!!!
--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------

Re: Executing PHP Code from MSSQL table
2007-10-16 01:52:21
Hi,
The problem with this approach is that the content is most likely loaded in by the PHP preprocessor, and it will not usually go back and parse any code inserted. Consider this pseudocode:

print("print(\"World\")")

The preprocessor will print the string print("World") but it will not execute the text string as if it were code. The same is true if the text string is retrieved from a database and not a literal.

print("<img src=\"" . getImageNameFromDB() . "\">")

What you have is an opportunity for cross-site scripting, not PHP code injection.

Regards,
Jim

Re: Executing PHP Code from MSSQL table
2007-10-17 12:43:37
Yeah, I understand how eval works, but I am not able to change the way the page was programmed, so maybe I can put something like -- <? eval("phpinfo();") ?> -- inside the table field, but after that the page will read: <img src= <? eval("phpinfo") ?> > but as String, always as String.

If the PHP page had been programmed with a hard-coded "eval" like: <img src= <? eval( getImagefromDB() ) > then after reading my code inserted into the database, it would work!!!

So, the only thing I can do is something about XSS, as Jim Halfpenny said.

Thanks anyway!!!!

On 10/17/07, Matthew Lee Hinman <matthew.hinman gmail.com> wrote:
> Check out using the 'eval' operator in PHP, here's the doc page:
>
> http://us2.php.net/eval
>
> From the page:
> "eval - Evaluate a string as PHP code"
>
> This should be able to do what you want.
>
> - Lee
--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com

Re: Executing PHP Code from MSSQL table
2007-10-17 00:52:53
Check out using the 'eval' operator in PHP, here's the doc page:
http://us2.php.net/eval
From the page:
"eval - Evaluate a string as PHP code"
This should be able to do what you want.
- Lee

* Jim Halfpenny <jimsmailinglists gmail.com> [2007-10-16 07:52:21 +0100]:
>Hi,
>The problem with this approach is that the content is most likely
>loaded in by the PHP preprocessor, and it will not usually go back and
>parse any code inserted. Consider this pseudocode:
>
>print("print(\"World\")")
>
>The preprocessor will print the string print("World") but it will not
>execute the text string as if it were code. The same is true if the
>text string is retrieved from a database and not a literal.
>
>print("<img src=\"" . getImageNameFromDB() . "\">")
>
>What you have is an opportunity for cross-site scripting, not PHP code
>injection.
>
>Regards,
>Jim

Re: Executing PHP Code from MSSQL table
2007-10-17 05:28:08
On Mon, 15 Oct 2007, Danux wrote:
> after testing a PHP-MSSQL app, i am able to insert and update tables
> but i can't execute store_procedures, so, i was wondering if its
> possible to update a table putting something like: "phpinfo()" or
> (passthru("ipconfig")) in order to execute while loading the page?

You cannot execute strings directly, but if developers are clueless enough it is very likely that they actually eval code stored in db (this blunder is especially common in `content management systems') -- grep for eval and other similar functions.

Yet another common mistake is to store in database paths to code that is included in pages.

--
Regards,
ASK
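
The check ASK describes above (grep for eval-style functions and for includes whose path is not a constant), as an added example that is not part of the original thread: a small Python scanner for code review. The sample PHP, the names `find_sinks` and `strip_line_comment`, and the regexes are constructed for illustration and are heuristics, so every hit still needs a manual look.

```python
import re
# Constructed sample of PHP source under review (not the thread's application).
SAMPLE = r'''<?php
$row = mssql_fetch_assoc($result);
echo "<img src=\"" . htmlspecialchars($row['img']) . "\">";
eval($row['template']);        // string from the table run as code
include $row['module_path'];   // path from the table included
include 'header.php';
// eval($legacy); commented out
$s = preg_replace('/x/e', $row['repl'], $s);
'''

NOT_MEMBER = r"(?<![\w$>])"  # skip $eval, ->eval( and my_eval(
EVAL_LIKE = re.compile(NOT_MEMBER + r"(eval|assert|create_function)\s*\(", re.I)
PREG_E = re.compile(r"\bpreg_replace\s*\(\s*(['\"])/.*?/[a-z]*e[a-z]*\1", re.I)
INCLUDE = re.compile(NOT_MEMBER + r"(?:include|require)(?:_once)?\b\s*\(?\s*(.+?)\)?\s*;", re.I)
LITERAL = re.compile(r"""^(?:'[^']*'|"[^"$]*")$""")  # constant path, no $var

def strip_line_comment(line):
    """Drop a trailing // or # comment that sits outside a quoted string."""
    quote, i = None, 0
    while i < len(line):
        ch = line[i]
        if quote:
            if ch == "\\":
                i += 1              # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "#" or line.startswith("//", i):
            return line[:i]
        i += 1
    return line

def find_sinks(source):
    """Return (line_no, kind, code) for constructs that need manual review."""
    hits = []
    for no, raw in enumerate(source.splitlines(), 1):
        code = strip_line_comment(raw).strip()
        for kind, rx in (("eval-like", EVAL_LIKE), ("preg_replace /e", PREG_E)):
            if rx.search(code):
                hits.append((no, kind, code))
        m = INCLUDE.search(code)
        if m and not LITERAL.match(m.group(1).strip()):
            hits.append((no, "non-literal include", code))
    return hits

if __name__ == "__main__":
    print("\n".join(f"line {n}: {k}: {c}" for n, k, c in find_sinks(SAMPLE)))
```

The scanner does not parse PHP, so text inside string literals can still match; it narrows down where to read, it does not prove a sink is reachable from the database.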

Re: Executing PHP Code from MSSQL table
2007-10-18 16:18:21
Ok, let me check and will inform you.
Thanks!!!!

On 10/18/07, Robin Wood <dninja gmail.com> wrote:
> Getting away from code execution but have you tried directory
> traversal with this attack. If the image filename comes out of the db
> and you can control that db table then you could try putting php
> script names in instead. From that you could get some of the site
> source and then look for a way to execute your code.
>
> Robin
--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com

Re: Executing PHP Code from MSSQL table
2007-10-18 06:37:03
Getting away from code execution but have you tried directory traversal with this attack. If the image filename comes out of the db and you can control that db table then you could try putting php script names in instead. From that you could get some of the site source and then look for a way to execute your code.

Robin