House of Hackers

quad

Restricted character set limits exploit vector of SQL injection vulnerability

While performing a pentest for a client, I discovered that the virtual host HTTP header of a web server was vulnerable to SQL injection (!). This is probably because the default vhost runs an application that stores the vhost sent by the client before it processes it further. Still, it's interesting because it's not so obvious to exploit.

The database engine is SQL Server. The version is unknown. Here comes the fun part: the "Host" HTTP header is validated by IIS first, so most symbols are filtered out before they ever reach the web application and the vulnerable code.

Accepted symbols: ` ~ ! @ # $ ^ & ( ) - .

Rejected characters (responds with 400 Bad Request): / = % * + [ ] \ | ; : " < > ? , space \t \0 \v \f \r

I was able to send values such as 'having'a'like, which displays the first column of the SELECT clause.

I am now working on @@version to try to display the version. I've come up with 'or(cast((@@version)as--int))like so far, but it doesn't really work.

The most difficult part is that I can't use any spaces or comment characters ("/**/").

Hum.. even considering the very restricted character set, would it be possible to exploit it in a useful way and perhaps gain access to the server?

Tags: exploit, hack, hacking, injection, sql, sqli, sqlinjection, vhost, virtualhost, web


Comment by Anarchy Angel on October 8, 2009 at 2:00am
windows or linux?
Comment by quad on October 7, 2009 at 3:50am
Thank you Unicode! With UTF-8 encoding, it's entirely possible to insert spaces in the query. Wondering if that works for other characters too. Still, much more flexibility now.

(I also forgot to mention that the curly braces pass through. They cause SQL Server to report Syntax error or access violation.)
