Dailydave mailing list archives

Re: SQL Injection - Strange Result
From: Adriel Desautels <adriel () netragard com>
Date: Thu, 18 Oct 2007 17:58:39 -0400

Daniel,
        Google is a good friend.

Discussion:

This problem occurs when working with the same MS SQL Server connection
as source and target of a module. This error appears in the Exceptions
tab of the Execution Viewer. The complete error message is:

S1000 [Microsoft][ODBC SQL Server Driver]Connection is busy with results
for another hstmt

This error is returned by the ODBC driver and not by SQL Server itself,
so @DbError = 0.


Resolution:

This is due to the behaviour of the MS SQL Server connection. When a
transaction is opened and a table is currently being read in single
mode, no other task can be performed within this transaction.

To fix this, in the module change the select mode of the table (or the
dataset) to Packet(x).

Another way to avoid this error is to duplicate the connection and link
the source table (or the tables of the dataset) to that new connection.
This way, two different transactions are opened: one for reading, and
one for writing. If you want to read the same table you write, you have
to use the first solution.




Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security


H. Daniel Regalado Arias wrote:
Hi Dave and Friends, I have a problem while making a PHP-MSSQL-2000 Web
App Assessment. After many days, and due to the lack of experience, I am
able to bypass single quotes using char() or "[]" when trying to execute
a stored procedure, so, by now, I am able to inject code directly into the
DataBase without being filtered, but after sending the next test:

http://www.client.com/mod.php?id=1;begin%20declare%20@q%20varchar(8000)select%20@q%20=%200x73656c65637420404076657273696f6e%20exec(@q)%20end;--

or another stored procedure like:

http://www.client.com/mod.php?id=1;exec%20sp_makewebtask%20%5Bc:\inetpub\wwwroot\sssssssss\index_olld.html%5D,%20%5Bselect%20*%20from%20TABLE%5D;--

the application responds with something like:
SQL error: [Microsoft][ODBC SQL Server Driver]Connection is busy with
results for another hstmt, SQL state S1000 in SQLExecDirect in
*C:\D\Inetpub\wwwroot\sssssssssss*

I think it's because of the first query (the one that belongs to the id=1
parameter, even though 1 results in 0 rows).
I have read a lot on SQL injection (Advanced, More, and so on), but
all of them always execute a stored procedure after a semicolon, and none
of them says anything about this error.

I thought of putting a delay before my stored procedure, or a command to
free the database connection handler.

What do you think???

By the way, I am not able to run xp_cmdshell because of the database
user permissions; maybe I could try to elevate privileges, but the error
described above always appears.

Thanks in Advance.
 
H. Daniel Regalado Arias, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com


----- Original Message ----
From: Dave Aitel <dave () immunityinc com>
To: dailydave <dailydave () lists immunitysec com>
Sent: Thursday, 18 October 2007 12:40:06
Subject: [Dailydave] SQL Hooker Release

http://forum.immunityinc.com/index.php?topic=92.0

JMS and I decided to put our code where our mouth was.

It looks a lot like this:
PyCommands $ python sql_listener.py 80812.4
Set up XMLRPC Socket on 0.0.0.0 port 8081
select count(*) from users where userName='cow' and userPass='boy'
10.10.10.243 - - [18/Oct/2007 13:03:17] "POST / HTTP/1.0" 200 -

Next up - file operation hooking perhaps? :>

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com <mailto:Dailydave () lists immunitysec com>
http://lists.immunitysec.com/mailman/listinfo/dailydave


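An added example from the editor, not code from the thread or from any of the posters, showing what a defender can do with the two artifacts this exchange leaves behind: the request shape (a stacked statement after the `id` parameter, a `0x...` literal standing in for a quoted string, and a named system procedure) and the ODBC driver error that the application echoes back to the client. The log lines, the response body and the path `C:\app\mod.php` are constructed for the example; the log format is assumed to be Common Log Format. The indicator lists are deliberately limited to what the thread itself mentions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Common Log Format, not from the thread);
# two mirror the payload shapes quoted above, the other two are benign traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Oct/2007:13:03:17 -0400] "GET /mod.php?id=1 HTTP/1.0" 200 512',
    '10.0.0.9 - - [18/Oct/2007:13:04:02 -0400] "GET /mod.php?id=1;begin%20declare%20@q%20varchar(8000)%20select%20@q%20=%200x73656c65637420404076657273696f6e%20exec(@q)%20end;-- HTTP/1.0" 500 210',
    '10.0.0.9 - - [18/Oct/2007:13:05:44 -0400] "GET /mod.php?id=1;exec%20sp_makewebtask%20%5Bc:%5Cout.html%5D,%20%5Bselect%20*%20from%20TABLE%5D;-- HTTP/1.0" 500 210',
    '10.0.0.7 - - [18/Oct/2007:13:06:10 -0400] "GET /mod.php?id=42&sort=name HTTP/1.0" 200 498',
]

# Constructed response body of the kind the thread shows the application returning.
SAMPLE_RESPONSE = ("SQL error: [Microsoft][ODBC SQL Server Driver]Connection is busy with "
                   "results for another hstmt, SQL state S1000 in SQLExecDirect in C:\\app\\mod.php")

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# A statement terminator followed by a new T-SQL statement: the stacked-query shape.
STACKED_RE = re.compile(r";\s*(declare|exec(?:ute)?|begin|select|insert|update|delete|drop|waitfor)\b", re.I)
# 0x... literals of at least 4 bytes; these stand in for a quoted string when quotes are filtered.
HEX_LITERAL_RE = re.compile(r"\b0x([0-9a-fA-F]{8,})\b")
# System/extended procedures named in the thread; extend the list for your own estate.
PROC_RE = re.compile(r"\b(xp_cmdshell|sp_makewebtask)\b", re.I)
# ODBC driver diagnostics that should never be returned to a client.
ODBC_ERROR_RE = re.compile(r"\[Microsoft\]\[ODBC SQL Server Driver\]|SQL state S1000|SQLExecDirect")


def decode_parameters(query: str) -> dict:
    """Split the query string on '&' only and percent-decode each value once,
    the way the web tier would before the value reached the SQL layer.
    parse_qsl is avoided on purpose: Python versions before 3.9.2 also split
    on ';', which would erase exactly the separator this check looks for."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def decode_hex_literal(hex_digits: str) -> str:
    """Render a 0x... literal as text so the analyst sees the statement it carries."""
    try:
        return bytes.fromhex(hex_digits).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return "<non-text bytes>"


def analyze_value(value: str) -> dict:
    """Return the indicators present in one decoded parameter value (empty dict if clean)."""
    findings = {
        "stacked": [m.lower() for m in STACKED_RE.findall(value)],
        "hex_literals": [decode_hex_literal(h) for h in HEX_LITERAL_RE.findall(value)],
        "procedures": [m.lower() for m in PROC_RE.findall(value)],
    }
    return {key: hits for key, hits in findings.items() if hits}


def scan_log(lines) -> list:
    """Walk access-log lines and return one alert per parameter that carries indicators."""
    alerts = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        client, target = match.groups()
        parts = urlsplit(target)
        for name, value in decode_parameters(parts.query).items():
            findings = analyze_value(value)
            if findings:
                alerts.append({"client": client, "path": parts.path, "param": name, **findings})
    return alerts


def leaks_db_error(body: str) -> bool:
    """True when a response exposes ODBC driver diagnostics; as the thread shows, the
    same message also carries the script path, so this is a finding in its own right."""
    return ODBC_ERROR_RE.search(body) is not None


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    print("response leaks driver error:", leaks_db_error(SAMPLE_RESPONSE))
```

Run stand-alone it prints two alerts, both from `10.0.0.9` against `/mod.php`: the first with the stacked `begin` and the hex literal decoded to `select @@version`, the second with the stacked `exec` and the `sp_makewebtask` reference, followed by `True` for the leaked driver error. The decoding step matters more than the regexes: matching on the raw, percent-encoded request would miss `%20` separated keywords, and reporting the decoded literal saves the analyst from doing the hex by hand.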