SQL injection query

Hi,

I've trapped some SQL injection attempts on my web server.

I'm just wondering if anyone can tell me what this query would have done if it had succeeded?

id=90 And char(124)+Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))+char(124)=1

This was passed as a parameter on a page that would normally accept: category.asp?id=90
I'm particularly interested in what IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) is.

Thanks!!
Asked by azaram

3 Solutions

Aneesh Retnakaran (Database Administrator) commented:
Run this

select * from master..sysxlogins
WHERE sid = '0x730079007300610064006D0069006E00'


Aneesh Retnakaran (Database Administrator) commented:

From BOL:
IS_SRVROLEMEMBER: Indicates whether the current user login is a member of the specified server role.

IS_SRVROLEMEMBER ( 'role' [ , 'login' ] )

Swapnil Piparia (Architect) commented:
Hi azaram,
IS_SRVROLEMEMBER function:

Indicates whether the current user login is a member of the specified server role. It checks against the following roles, and the hex code given in your URL string is for one of the following roles:
sysadmin
dbcreator
diskadmin
processadmin
serveradmin
setupadmin
securityadmin

The attempt is made to check which of these roles, if any, the current SQL login used for fetching the data for id 90 has.

Like so:
select * from table where id =90 and char(124)+Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))+char(124)=1

This means that if the login has this role, it will return the record; otherwise it will not.


Regards,
NetSwap

azaram (Author) commented:
Thanks... so it looks like it's just fishing for holes.
I guess if the SQL injection was successful, and also if the server role had admin access, they may launch another attack to execute system commands and compromise the server.
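As an added example (not from the original thread), the following Python decodes the hex literal from the logged request and flags this probe shape in a few constructed web-server log lines. It assumes that SQL Server reads a 0x... literal passed where it expects nvarchar as UTF-16LE bytes (which is why it decodes to a role name), and that the char(124)+...+char(124)=1 wrapper is the error-based pattern whose conversion error message echoes the function's 0 or 1 result back to the sender.

```python
import re
from urllib.parse import unquote_plus

# Hex literal exactly as it appeared in the logged request discussed above.
HEX_ROLE = "0x730079007300610064006D0069006E00"

# IS_SRVROLEMEMBER / IS_ROLEMEMBER with either a 0x... or a quoted argument.
PROBE_RE = re.compile(
    r"(IS_(?:SRV)?ROLEMEMBER)\s*\(\s*(0x[0-9A-Fa-f]+|N?'[^']*')", re.IGNORECASE)
# The '|' + value + '|' = <int> wrapper that forces a conversion error.
ERROR_WRAP_RE = re.compile(r"char\(124\)\+.*\+char\(124\)\s*=\s*\d", re.IGNORECASE)

def decode_hex_literal(literal: str) -> str:
    """A 0x... literal used as an nvarchar argument is the UTF-16LE bytes of a string."""
    return bytes.fromhex(literal[2:]).decode("utf-16-le")

def classify_request(query_string: str):
    """Return None for a benign query string, else a dict describing the probe."""
    decoded = unquote_plus(query_string)
    m = PROBE_RE.search(decoded)
    if not m:
        return None
    func, arg = m.group(1).upper(), m.group(2)
    # Quoted form: N'role' or 'role'; hex form: decode the bytes.
    role = decode_hex_literal(arg) if arg.lower().startswith("0x") else arg[arg.index("'") + 1:-1]
    return {"function": func, "role": role,
            "error_based": bool(ERROR_WRAP_RE.search(decoded))}

# Constructed sample log lines ("METHOD path status"), not from the asker's server.
SAMPLE_LOG = [
    "GET /category.asp?id=90 200",
    "GET /category.asp?id=90%20And%20char(124)%2BCast(IS_SRVROLEMEMBER("
    "0x730079007300610064006D0069006E00)%20as%20varchar(1))%2Bchar(124)=1 500",
    "GET /category.asp?id=90 And IS_SRVROLEMEMBER('serveradmin')=1 200",
]

def scan_log(lines):
    """Yield (path, probe description) for every request that carries the probe."""
    hits = []
    for line in lines:
        path = line.split(" ", 1)[1].rsplit(" ", 1)[0]  # drop method and status
        if "?" not in path:
            continue
        base, query = path.split("?", 1)
        result = classify_request(query)
        if result:
            hits.append((base, result))
    return hits
```

The decoded role name and the error-based flag are what a defender wants in the alert: they say which privilege the probe was testing for and that the page's error output, not its result set, was the intended channel.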