|
WebApp Sec
mailing list archives
Blind SQL Injection / Stored procedures
From: "Andres Molinetti" <andymolinetti () hotmail com>
Date: Tue, 15 Nov 2005 18:40:50 +0000
Hi List,
I am currently testing a clients Web Site. I have found that it is
vulnerable to Blind SQL Injection, so I have been able to enumerate tables,
columns, etc. It interact with an SQL Server 2000 SP3.
The problem is that, despite I was able to enumerate tables and columns
(through base..syscolumns) I am not able to access any data of those tables.
I think this can be happening because the priviledges are assigned to stored
procedures, and not directly to users, which is a good practice.
Then my problem is how can I use an stored procedure to get some data? I
think I am able to run, but how can I do to get its results?
I know that there is an xp_makewebtask which lets me write sql queries to a
file, but as the sql server resides in a different machine that the web
server, I cannot get those files.
Thanks in advance,
Andy
_________________________________________________________________
Dale rienda suelta a tu tiempo libre. Encuentra mil ideas para exprimir tu
ocio con MSN Entretenimiento. http://entretenimiento.msn.es/
 By Date 
By Thread
Current thread:
- Blind SQL Injection / Stored procedures Andres Molinetti (Nov 15)
|
Intro
