Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
RE: Blind SQL Injection / Stored procedures
From: Victor Chapela (victorsm4rt.com)
Date: Fri Nov 18 2005 - 00:22:41 CST
You may want to try with:
exec master.dbo.sp_executesql N'...your query...'
This is in itself a stored procedure... But it allows you to run a query
within. This should work with sp3 unless you don't have enough privileges to
access master's stored procedures.
> -----Original Message-----
> From: Andres Molinetti [mailto:andymolinettihotmail.com]
> Sent: November 15, 2005 12:41 PM
> To: pen-testsecurityfocus.com
> Cc: websecuritywebappsec.org; webappsecsecurityfocus.com
> Subject: Blind SQL Injection / Stored procedures
> Hi List,
> I am currently testing a clients Web Site. I have found that
> it is vulnerable to Blind SQL Injection, so I have been able
> to enumerate tables, columns, etc. It interact with an SQL
> Server 2000 SP3.
> The problem is that, despite I was able to enumerate tables
> and columns (through base..syscolumns) I am not able to
> access any data of those tables.
> I think this can be happening because the priviledges are
> assigned to stored procedures, and not directly to users,
> which is a good practice.
> Then my problem is how can I use an stored procedure to get
> some data? I think I am able to run, but how can I do to get
> its results?
> I know that there is an xp_makewebtask which lets me write
> sql queries to a file, but as the sql server resides in a
> different machine that the web server, I cannot get those files.
> Thanks in advance,
> Dale rienda suelta a tu tiempo libre. Encuentra mil ideas
> para exprimir tu ocio con MSN Entretenimiento.