Government Security
Network Security Resources


SQL Injection Testing, Errors.


2 replies to this topic

#1 Jim

Jim

    Private First Class

  • Members
  • 23 posts

Posted 06 August 2005 - 05:36 PM

So I have a Windows server running MS-SQL. I was testing some Injection techniques, but haven't been getting anywhere.

I originally tested possible vulnerability by trying default.asp?id=| and got the error:
[Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 1.
I figured from the error that correct handling wasn't in place, so I then attempted some basic strings, such as: default.asp?id=30+UNION+exec+master..xp_cmdshell+'dir'; which resulted in:
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine could not find the object 'master'. Make sure the object exists and that you spell its name and the path name correctly.

Another was: default.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES; ("--" was giving me all the same error, so I figured I'd end it with a semicolon.) which resulted in:
[Microsoft][ODBC Microsoft Access Driver] Could not find file 'C:\WINNT\system32\INFORMATION_SCHEMA.mdb'.

Finally, I played with some possible table names and found CONFIG was valid, but when I issued the command: default.asp?id=4960 UNION SELECT TOP 1 TABLE_NAME FROM CONFIG; which resulted in:
[Microsoft][ODBC Microsoft Access Driver] The number of columns in the two selected tables or queries of a union query do not match.

I have Googled this pretty extensively, with no luck. No helpful information on the errors, and looking for other SQL injection info was just yielding the same strings and types of attacks. I've played with it some, seeing that -- doesn't always work, but termination with a semicolon will, etc.

Could anyone explain some of these errors, or if you've been stuck here before, let me know what you found out?

Thanks.
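To see where the last error above comes from, here is an added example (not code from any poster) that rebuilds the two sides of the problem: a page that concatenates the id parameter into its SQL, and the same lookup with the value bound as a parameter. SQLite stands in for the Access/Jet database (an assumption, since Jet is not available here); the UNION column-count rule is the same in both, and the table and row contents are constructed.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the site's database: an items table the page
    # queries by id, plus a CONFIG table like the one found in the thread.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items (id INTEGER, name TEXT, price REAL);
        INSERT INTO items VALUES (30, 'widget', 9.5), (4960, 'gadget', 12.0);
        CREATE TABLE config (setting TEXT, value TEXT);
        INSERT INTO config VALUES ('site_title', 'Test Site');
    """)
    return conn


def lookup_vulnerable(conn, id_param):
    # What default.asp effectively does: the raw ?id= value becomes part of the
    # SQL text, so anything after the number is parsed as SQL by the engine.
    sql = "SELECT id, name, price FROM items WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, id_param):
    # The fix: validate the type, then bind the value. The engine never sees
    # the input as SQL, so a UNION in it cannot change the statement.
    try:
        id_value = int(id_param)
    except ValueError:
        return []          # not a plain integer id: match nothing
    return conn.execute(
        "SELECT id, name, price FROM items WHERE id = ?", (id_value,)
    ).fetchall()


def run_case(fn, id_param):
    # Returns ("rows", rows) or ("error", message) so the two behaviours can be compared.
    conn = make_db()
    try:
        return ("rows", fn(conn, id_param))
    except sqlite3.Error as exc:
        return ("error", str(exc))


# The 3-column page query UNIONed with a 1-column SELECT, as in the thread.
PAYLOAD = "4960 UNION SELECT TOP 1 TABLE_NAME FROM config".replace("TOP 1 TABLE_NAME", "setting")
```

Running `run_case(lookup_vulnerable, PAYLOAD)` reproduces the column-count mismatch error, because the concatenated statement really is a UNION of a 3-column and a 1-column SELECT; `run_case(lookup_parameterized, PAYLOAD)` returns no rows and no error, since the input never reaches the SQL parser.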

#2 setthesun

setthesun

    Sergeant First Class

  • Sergeant Major
  • 574 posts

Posted 10 August 2005 - 01:09 AM

Are you sure that you're dealing with MS SQL Server? Because you're getting the "[Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 1." error, which means the database is Access or you're accessing this db through an Access driver (no idea whether that is possible or not).

I think you should check your db connection or post the code here.

setthesun me = new setthesun();

#3 RomeoJava

RomeoJava

    Private

  • Members
  • 2 posts

Posted 11 August 2005 - 02:42 AM

Hi,

I'm a newbie so I'm not 100% sure what I'm saying is true, but hopefully my post will be read and corrected by others if it is wrong. :rolleyes:

You are getting an error which includes "The Microsoft Jet database engine", and as far as I know an SQL database would never use an .mdb file. This means that you are using an MS Access database and not an SQL database, even though you have installed SQL Server. Therefore your database is not vulnerable to SQL injection. If you Google the Jet database engine, the kind of exploits you get are buffer overflows, which may be possible to exploit on your test setup, but not what you are looking for. The kind of errors you should see are like these:

http://common.ziffda...,i=17473,00.gif

The fact that Jet isn't vulnerable to Injection as far as I know is good, but the performance is poor and could never be used for decent sized websites...


Rj :)
