Penetration Testing: Re: [PEN-TEST] Hacking SQL queries ...

Re: [PEN-TEST] Hacking SQL queries ...

From: O'Kelly, Aidan <okelly_at_XNET.IE>
Date: Thu, 8 Feb 2001 10:34:37 -0000

Ah, MS-SQL and ASP. Easy way into many many servers; try this as your input
string:

'; EXEC master..xp_cmdshell '<somecommand>' --

It will end up as

......WHERE Name LIKE ''; EXEC master..xp_cmdshell '<somecommand>' --'
ORDER BY Name

; is the command separator, and -- is a comment; it will comment out the
rest of the line. The EXEC master..xp_cmdshell '<somecommand>' will execute
the command as System, but it won't work unless the ASP code connects as an
admin user (in SQL), like dbo or sa.

Also, for login pages which do things like this: if the SQL command uses
WHERE name LIKE '%input' you can put in * and it will match everything,
or if it uses = instead of LIKE, you can do this for your username and
password

' OR 'a'='a

and it will match everything (usually results in you being logged in as the
first user in the database).
The fix for it is to filter out the ' char, and ; I suppose.
Also be careful if the input is a number: it still has to be checked for
sanity. Lots of sites filter strings but don't bother with numbers; you just
leave out the ' and stick a ; there, and then your command.

> -----Original Message-----
> From: Aaron C. Newman [mailto:aaron_at_NEWMAN-FAMILY.COM]
> Sent: 08 February 2001 00:48
> To: PEN-TEST_at_SECURITYFOCUS.COM
> Subject: Re: [PEN-TEST] Hacking SQL queries ...
>
>
> In many SQL databases, two single quotes placed consecutively and embedded
> as a literal between two other single quotes are translated to a single
> quote. Basically the first quote is escaping the second quote.
>
> For instance:
> print 'test''test'
> shows up as
> test'test
>
> Or:
> print 'test''''test'
> shows up as
> test''test
>
> Looks like the code is attempting to escape quotes by translating each
> single quote to two single quotes. The % are simply wildcard values for the
> search.
>
> What can you do with this? It depends. What database platform is being used?
> How is the connection being made from the web server to the database: ODBC,
> JDBC, OLE DB?
>
> For instance, if the web server is using JDBC to connect to Oracle, a
> backslash '\' should escape the quote. You can try passing
>
> aaa%\' UNION SELECT Password from dba_users WHERE USERNAME = 'SYSTEM
>
> which should translate to:
> SELECT Name FROM Users WHERE Name LIKE 'aaa%\'' UNION SELECT Password from
> dba_users WHERE USERNAME = 'SYSTEM'
>
> Try as many different escape characters as you can think of:
> &@^\/{}. Try sending a backspace character after the single quote to see
> if it might erase one of them but not the other, or you may even be able
> to backspace over the entire statement.
>
> Once you've escaped the quote, executing any SQL statement becomes easy.
>
> HTH,
> Aaron Newman
>
> > -----Original Message-----
> > From: Penetration Testers [mailto:PEN-TEST_at_SECURITYFOCUS.COM] On Behalf
> > Of Aurobindo Sundaram (+1 512 918 1390)
> Sent: Wednesday, February 07, 2001 3:08 PM
> To: PEN-TEST_at_SECURITYFOCUS.COM
> Subject: [PEN-TEST] Hacking SQL queries ...
>
>
> I have to audit a bit of code that does the following
>
> SELECT Name FROM Users WHERE Name LIKE '%input%' ORDER BY Name
>
> where input is the user-input. When I try the input 'test, the code
> generated is
>
> SELECT Name FROM Users WHERE Name LIKE '%''test%' ORDER BY Name
>
> Since I'm an SQL newbie, I'd be curious to know how someone could supply
> the appropriate input to do bad things on the SQL server - either in R/O or
> R/W mode
>
> If there are SQL hacking pages someplace, a link would be appreciated
>
> Thanks,
> Robin
>
Received on Feb 10 2001
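The three points the thread makes (quote doubling keeps a string parameter well-formed, raw concatenation falls to the ' OR 'a'='a input, and an unquoted number "still has to be checked for sanity"), worked through as an added example. This is Python on SQLite, not the ASP/MS-SQL code under discussion and not anything posted in this thread; the Users table, its sample rows, and every function name below are constructed here. The vulnerable functions reproduce the concatenation the thread describes, and the parameterized versions show the fix:

```python
import re
import sqlite3


def make_db():
    """Constructed sample data (not from the thread): three users, one with a
    quote in the name so the escaping path actually gets exercised."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (Id INTEGER PRIMARY KEY, Name TEXT, Password TEXT);
        INSERT INTO Users VALUES (1, 'alice',    'pw-alice');
        INSERT INTO Users VALUES (2, 'bob',      'pw-bob');
        INSERT INTO Users VALUES (3, 'o''kelly', 'pw-okelly');
    """)
    return conn


DB = make_db()


def escape_quotes(text):
    """The escaping the audited code appears to do: every ' becomes ''."""
    return text.replace("'", "''")


def filter_naive(text):
    """The fix proposed in the reply: strip ' and ; from the input."""
    return text.replace("'", "").replace(";", "")


def search_escaped(user_input, conn=DB):
    """The audited LIKE query: concatenation, but with quote doubling.
    Returns the SQL actually sent plus the matching names."""
    sql = ("SELECT Name FROM Users WHERE Name LIKE '%"
           + escape_quotes(user_input) + "%' ORDER BY Name")
    return sql, [row[0] for row in conn.execute(sql)]


def login_unescaped(username, password, conn=DB):
    """Login check built by raw concatenation with no escaping at all."""
    sql = ("SELECT Name FROM Users WHERE Name = '" + username
           + "' AND Password = '" + password + "'")
    rows = conn.execute(sql).fetchall()
    return rows[0][0] if rows else None


def user_by_id_filtered(id_text, conn=DB):
    """Unquoted numeric parameter, protected only by the naive filter.
    Nothing in the WHERE clause needs a quote, so the filter changes nothing."""
    sql = "SELECT Name FROM Users WHERE Id = " + filter_naive(id_text)
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(username, password, conn=DB):
    """The fix: bound parameters. The values never become part of the SQL text."""
    rows = conn.execute(
        "SELECT Name FROM Users WHERE Name = ? AND Password = ?",
        (username, password)).fetchall()
    return rows[0][0] if rows else None


def is_valid_id(id_text):
    """The sanity check the reply asks for on numbers: digits only, bounded length."""
    return re.fullmatch(r"[0-9]{1,9}", id_text) is not None


def user_by_id_checked(id_text, conn=DB):
    """Validate the shape first, then bind the value as an integer."""
    if not is_valid_id(id_text):
        raise ValueError("id must be a positive integer")
    rows = conn.execute("SELECT Name FROM Users WHERE Id = ?", (int(id_text),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(search_escaped("'test")[0])                       # the query Robin observed
    print(login_unescaped("' OR 'a'='a", "' OR 'a'='a"))    # alice
    print(login_parameterized("' OR 'a'='a", "' OR 'a'='a"))  # None
    print(user_by_id_filtered("2 OR 1=1"))                  # all three names
    print(is_valid_id("2 OR 1=1"))                          # False
```

Run it directly to see the generated SQL. search_escaped confirms that doubling quotes keeps the LIKE query well-formed for the 'test input from the original question; login_unescaped shows what happens when that escaping is absent; user_by_id_filtered shows that stripping ' and ; from an unquoted number protects nothing, which is why user_by_id_checked validates the shape of the value before binding it.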
