WebApp Sec: RE: Blind SQL Injection / Stored procedures

["Andres Molinetti" <andymolinetti () hotmail com>]

> I'm not sure what you mean by base..syscolumns as far as I am concerned it 
> shouldn't work unless your database is called "base", is that so?
Sorry for that not making it clear. I have discovered that there were 
multiple databases in the server so I tried to enumerate the tables and 
columns in those too. It should say 'Database..syscolums'.
> But in any cases, your assumption might be right about the fact that the 
> web site discusses with the SQL server with stored proc. Usually what I do 
> to see if it's the case is to try to insert a union select 1-- and look at 
> the reaction. Normally if it's a stored proc, it will not like it. But 
> again it's hard to explain it directly here, one must look at it and test 
> it by himself.
> So the first step to see if it's a question of rights is to look at the 
> current user with "user". If you get back dbo, it means you have something 
> wrong with your SQL statement.
I am sure that the username is not DBO. It is a non privileged use named 
"webapp".
> > Then my problem is how can I use an stored procedure to get some data? I
> > think I am able to run, but how can I do to get its results?
>
> Now to answer your question about how to display results from a stored 
> proc, the solution will depend if you can get information back or not. 
> Considering you called your title "Blind SQL injection / Stored procedures" 
> I would guess that you used that technique to succeed to get the data. If 
> so, well I suppose you can still use my technique but it's going to be a 
> long and tedious work.
> So here is how I do it.
>
> Normally every user has the rights on Pubs and Northwind database if they 
> are still on the server that is (almost 100% of the times). So you can 
> create a table there, then insert the results of the stored proc you want 
> to use in this table and go read them either blindly or from the output on 
> the web page.
> Here is an example:
>
> TRUNCATE table pubs.dbo.tmp; INSERT INTO pubs.dbo.tmp (res) EXEC 
> MyDB..TheStoredProc
> Tmp: being my created table
> MyDB: being the database I want to use the stored procs
> TheStoredProc: being the stored proc I want to execute
> (res): is a field that is nvarchar(4000) containing my result
>
> I truncate the table to remove previous data first
>
> Of course, you will need to create fields in the tmp table depending of the 
> number of your stored proc's outputs you have. As I said, it's tedious but 
> I think it's the only way to display results from a stored proc. You can 
> most definitely not use a union with one, I've searched and searched... 
> (Please tell me if I'm wrong I'd love to know...)
I don't really understand the "res" field you mention. As I understand I 
will only need to create the table with the fields the proc is outputting... 
hope you can explain this a bit more...
> François Larouche
>
> ______________________________________________________________________________________________________________________________
> This email, the information contained within and any files transmitted with 
> it (herein after referred as "the message")
> are confidential. It is intended solely for the addressees and access to 
> this message by any other person is not permitted.
> If you are not the named addressee, please send it back immediately to the 
> sender and delete it. Unauthorized disclosure,
> publication, use, dissemination, forwarding, printing or copying of this 
> message, either in whole or in part, is strictly
> prohibited.
> Emails are susceptible to alteration and their integrity cannot be 
> guaranteed. Our company shall not be liable for this
> message if modified or falsified.
_________________________________________________________________
Acepta el reto MSN Premium: Protección para tus hijos en internet. 
Descárgalo y pruébalo 2 meses gratis. 
http://join.msn.com?XAPID=1697&DI=1055&HL=Footer_mailsenviados_proteccioninfantil