Articles

Metasploit Framework Windows Tutorial
Remote Desktop Connection
Windows Processes That May Be Dangerous
How-To use NetCat a Tutorial
Common Linux Commands
Common Ports
Netcat Commands
HTTP Response Codes
War-Google Hack Terms
Wardriving
Avoiding Social Engineering and Phishing Attacks
Intrusion Detection on Linux
Linux Intrusion Detection
Penetration Testing Guide
Penetration Testing Tools
Social Engineering Fundamentals, Part I: Hacker Tactics
Social engineering (computer security)
The Psychology of Social Engineering

The Archives

General GSO
GovernmentSecurity.org News & Suggestions
In The News
Open Topic
General Security Information
Trash Can
Exploit & Vulnerability Mailing List Archives
Trial Member Forum
Product and Program Reviews GSO Tutorials
System Security
Windows Systems
Beginners Section
Linux & Unix Systems
File Downloads
Exploit Research & Discussion Trojan & Virus Errata
Networking Security / Firewall / IDS / VPN / Routers
System Hardening
E-Mail Security
Wifi Security
Trial Member Uploads
Upload discovered Trojans & Mal ware
GSO Programming Section
C , C++ , VC++
Visual Basic.NET
Perl /CGI
Java/Javascript
PHP/XML/ASP/HTML
Assembly + Other
The Cork Board
Network Security Consultant Directory
Network Security Jobs
The Archives
Encryption Information
General Network Security
Internet Anonymity
HTTP Protocol Security
Linux Security
MS IIS Information
Exploit Articles
Programming / Tool Design
GSO Software Projects
Public Downloads
Microsoft Security Questions and Papers
Help - Search - Member List - Calendar
GovernmentSecurity.org > System Security > Beginners Section
NavyIT
Aug 7 2005, 01:36 AM
So I have a Windows server running MS-SQL. I was testing some Injection techniques, but haven't been getting anywhere.

I originally tested possible vulnerability by trying default.asp?id=| and got the error:
CODE

[Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 1.

I figured from the error, that correct handlging wasn't in place, so I then attempted some basic strings, such as: default.asp?id=30+UNION+exec+master..xp_cmdshell+'dir'; which resulted in:
CODE
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine could not find the object 'master'. Make sure the object exists and that you spell its name and the path name correctly.


Another was: default.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES; ("--" were giving me all the same error, so I figured I'd end it with a semi colon.) which resulted in:
CODE
[Microsoft][ODBC Microsoft Access Driver] Could not find file 'C:\WINNT\system32\INFORMATION_SCHEMA.mdb'.


Finally, I played with some possible table names and found CONFIG was valid, but when I issued the command: default.asp?id=4960 UNION SELECT TOP 1 TABLE_NAME FROM CONFIG; Which resulted in
CODE
Microsoft][ODBC Microsoft Access Driver] The number of columns in the two selected tables or queries of a union query do not match.


I have Googles this pretty extensivley, with no luck. No helpful information on the errors, and looking for other SQL injection info, was just yielding the same strings and type of attacks. I've played with it some, seeing that -- doesn't always work, but termination with a semi colon will, etc.

Could anyone explain some of these errors, or if you've been stuck here before, let me know what you found out?

Thanks.
setthesun
Aug 10 2005, 09:09 AM
Are you sure that you're dealing with MS SQL Server ? Because you'r getting "[Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 1." error which means database is Access or you're accesing this db though an access driver (no idea is it possible or not).

I think check your db connection or send code here.
RomeoJava
Aug 11 2005, 10:42 AM
Hi,

I'm a newbie so I'm not 100% sure what I'm saying is true, but hopefully my post will be read and corrected by others if it is wrong. rolleyes.gif

You are getting an error which includes "The Microsoft Jet database engine" and as far as I know an SQL database would never use an .mdb file. This means that you are using an MS access database and not an SQL database, even though you have installed SQL server. Therefore your database is not vulnerable to SQL injection. If you Google the Jet database engine, the kind of exploits you get are buffer overflows which may be possible on exploit on your test setup, but not what you are looking for. The kind of errors you should see are like these:

http://common.ziffdavisinternet.com/util_g...,i=17473,00.gif

The fact that Jet isn't vulnerable to Injection as far as I know is good, but the performance is poor and could never be used for decent sized websites...


Rj smile.gif
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2005 Invision Power Services, Inc.