Monday, July 02, 2007

MS SQL injection review

A long time ago, I posted a little review about MySQL injection; now it is time to do a self review/reminder about MS SQL injection...lol, old school technique... I was a little surprised that my brother found a website susceptible to MS SQL injection; I had almost forgotten how to do this manually. This target is built with traditional ASP, with a classic vulnerable script named product.asp.

Of course we first need to confirm that the SQL injection exists: sticking a ' into the parameter returns an '80040e14' error. There you go. Then enumerate the table names with product.asp?ProductID=" having 1=1--

The error message returns the column name p.Product_Name; next execute product.asp?ProductID=" Group by p.Product_Name having 1=1-- to get the following one. Table enumeration can be finished pretty quickly, and of course a little script can automate the whole process: just use a regex to match the column name in each error message. From here, we can verify with UNION ALL:

http://www.site.com/productdet.asp?ProductID=1%20UNION%20ALL%20SELECT%201,1,2,3,4,5,6,7,8,9%20FROM%20sysobjects

It works fine. Surprisingly, this website also has cmd_shell enabled; at this point, the whole game is no longer worthwhile to continue. Plus, the site also enables RDP and remote registry, so there are tons of ways to get in. I guess I should just stop here....
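From the defender's side, every probe in the walkthrough above leaves a distinctive request in the web server log: a stray quote, a HAVING 1=1 terminated with --, a GROUP BY ... HAVING round, and finally a UNION ALL SELECT ... FROM sysobjects. The script below is an added example (not part of the original post) that scans constructed IIS-style log lines for exactly those patterns and also shows the input check a product.asp page should have done in the first place. The log format, the sample requests, the signature names and the is_valid_product_id helper are all my assumptions, not anything from the site the post describes.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines in a simplified IIS/W3C layout:
# date time method uri-stem uri-query status. Not from any real server.
SAMPLE_LOG = """\
2007-07-02 10:15:01 GET /product.asp ProductID=17 200
2007-07-02 10:15:09 GET /product.asp ProductID=17' 500
2007-07-02 10:15:20 GET /product.asp ProductID='%20having%201=1-- 500
2007-07-02 10:15:31 GET /product.asp ProductID='%20Group%20by%20p.Product_Name%20having%201=1-- 500
2007-07-02 10:15:44 GET /productdet.asp ProductID=1%20UNION%20ALL%20SELECT%201,1,2,3,4,5,6,7,8,9%20FROM%20sysobjects 200
2007-07-02 10:16:02 GET /product.asp ProductID=42&sort=name 200
"""

# Signatures for the probes the post walks through, matched against the
# URL-decoded query string. The order only controls the report layout.
SIGNATURES = [
    ("having_probe", re.compile(r"\bhaving\s+1\s*=\s*1", re.I)),
    ("group_by_having", re.compile(r"\bgroup\s+by\b.*\bhaving\b", re.I | re.S)),
    ("union_sysobjects", re.compile(r"\bunion\s+(?:all\s+)?select\b.*\bfrom\s+sysobjects\b", re.I | re.S)),
    ("comment_terminator", re.compile(r"--\s*$")),
]


def classify_query(raw_query):
    """Return the list of signature names that fire on one raw uri-query value."""
    query = unquote_plus(raw_query)  # %20 and friends back to plain characters
    hits = [name for name, pattern in SIGNATURES if pattern.search(query)]
    # A stray, unbalanced quote is the classic first probe (the one that
    # produced the '80040e14' error in the post), so flag an odd quote count.
    if (query.count("'") + query.count('"')) % 2 == 1:
        hits.append("unbalanced_quote")
    return hits


def parse_line(line):
    """Split one constructed log line into fields; IIS writes '-' for an empty query."""
    date, time, method, stem, query, status = line.split()
    return {
        "time": f"{date} {time}",
        "method": method,
        "stem": stem,
        "query": "" if query == "-" else query,
        "status": int(status),
    }


def scan_log(text):
    """Return one record per flagged request: the parsed fields plus the signature hits."""
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        hits = classify_query(rec["query"])
        if hits:
            rec["hits"] = hits
            flagged.append(rec)
    return flagged


def is_valid_product_id(value):
    """Server-side check a product page should run before the value gets near SQL:
    a ProductID is a positive integer of bounded length and nothing else.
    Together with a parameterised query this closes the hole the post exploits."""
    return re.fullmatch(r"[1-9]\d{0,8}", value) is not None


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(f'{rec["time"]} {rec["stem"]} status={rec["status"]} hits={",".join(rec["hits"])}')
```

Run it as-is and four of the six constructed requests are reported, each with the probe stage it corresponds to; the two legitimate product lookups pass through untouched. The same classify_query function can be dropped into a log-shipping pipeline, and is_valid_product_id is the kind of whitelist check that, applied to ProductID before any query is built, would have stopped every request in the post at the first step.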

4 comments:

Anonymous said...

Nice, Mr. insistkul, good piece of info.

table enumeration can be finished pretty quick, of course a little script can automate the whole process.

Can you explain a bit more about that? Your blog is awesome, good work.

insistkool said...

Hi anonymous,
Actually, any kind of language (Perl, Python, C#, etc.) can do the work very well. In this specific case, the script only needs to send out requests over a socket and read a signature file or put the whole list in an array. I don't want to reinvent the wheel since there are tons of applications that have already been developed; if you are looking for such tools/scripts, please have a look at this link: http://www.security-hacks.com/2007/05/18/top-15-free-sql-in

Anonymous said...

Anmol sounds better than Anonymous, right? ;-) Thanks for your reply. BTW, the link doesn't work :D

Anonymous said...

site?