RE: Blind SQL Injection / Stored procedures

From: Victor Chapela (victorsm4rt.com)
Date: Fri Nov 18 2005 - 00:22:41 CST


You may want to try with:

exec master.dbo.sp_executesql N'...your query...'

This is in itself a stored procedure... But it allows you to run a query
within. This should work with sp3 unless you don't have enough privileges to
access master's stored procedures.

Good luck,
Victor

> -----Original Message-----
> From: Andres Molinetti [mailto:andymolinettihotmail.com]
> Sent: November 15, 2005 12:41 PM
> To: pen-testsecurityfocus.com
> Cc: websecuritywebappsec.org; webappsecsecurityfocus.com
> Subject: Blind SQL Injection / Stored procedures
>
> Hi List,
>
> I am currently testing a client's Web Site. I have found that
> it is vulnerable to Blind SQL Injection, so I have been able
> to enumerate tables, columns, etc. It interacts with an SQL
> Server 2000 SP3.
>
> The problem is that, although I was able to enumerate tables
> and columns (through base..syscolumns), I am not able to
> access any data of those tables.
>
> I think this can be happening because the privileges are
> assigned to stored procedures, and not directly to users,
> which is a good practice.
>
> Then my problem is how can I use a stored procedure to get
> some data? I think I am able to run, but how can I get
> its results?
>
> I know that there is an xp_makewebtask which lets me write
> sql queries to a file, but as the sql server resides in a
> different machine than the web server, I cannot get those files.
>
> Thanks in advance,
>
> Andy
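
The permission model discussed in this thread (rights granted on stored procedures, none on the tables) can be checked from the defender's side with the script below. It is an added example, not part of either post; the table, procedure and user names are hypothetical, and the syntax assumes SQL Server 2005 or later rather than the 2000 SP3 instance in the thread.

```sql
-- Constructed demo objects; run in a scratch database as a db_owner.
CREATE TABLE dbo.Customers (Id INT PRIMARY KEY, Email NVARCHAR(100));
INSERT INTO dbo.Customers (Id, Email) VALUES (1, N'alice@example.test');
GO

-- Static procedure owned by dbo, same owner as the table.
CREATE PROCEDURE dbo.GetCustomerEmail @Id INT
AS
    SELECT Email FROM dbo.Customers WHERE Id = @Id;
GO

-- Application account: EXECUTE on the procedure only, no table rights.
CREATE USER WebAppUser WITHOUT LOGIN;
GRANT EXECUTE ON dbo.GetCustomerEmail TO WebAppUser;
GO

-- Verify the effective rights while impersonating the application account.
EXECUTE AS USER = 'WebAppUser';

-- 1. Succeeds: ownership chaining covers the static SELECT in the procedure.
EXEC dbo.GetCustomerEmail @Id = 1;

-- 2. Fails with error 229 (SELECT permission denied): direct table access.
SELECT Email FROM dbo.Customers;

-- 3. Fails with error 229 as well: dynamic SQL run through sp_executesql
--    is checked against the caller, not against the owner of any procedure.
EXEC sp_executesql N'SELECT Email FROM dbo.Customers';

-- 4. Returns no rows: the account holds no permissions on the table.
SELECT permission_name FROM fn_my_permissions('dbo.Customers', 'OBJECT');

REVERT;
GO

-- Clean up the demo objects.
DROP USER WebAppUser;
DROP PROCEDURE dbo.GetCustomerEmail;
DROP TABLE dbo.Customers;
GO
```

If statement 2 or 3 returns rows in a production database, the application account holds table rights directly or through a role, and the procedure-only model is not actually in force.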