Full Disclosure mailing list archives

Re: R: sql injection question


From: S G Masood <sgmasood () yahoo com>
Date: Wed, 15 Oct 2003 13:19:02 -0700 (PDT)

Hi Richard,

A cursory glance tells me that it would be *very* easy
to gain unauthorised access to this database. It seems
anyone familiar with basic SQL injection can,
probably, exploit this script.

--
S.G.Masood
Hyderabad,
India.



--- "Manuel [ekerazha]" <ekerazha () yahoo it> wrote:
Yeah... you are vulnerable to SQL injection.
You have to replace the single quotes with two quotes in the postdata
received from the search form.

ASP Ex: Replace(Request.Querystring("SOMETHING"), "'", "''")

Byeee ;-)

P.S.
Excuse me for my English :S

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On behalf of Richard Stevens
Sent: Wednesday, 15 October 2003 17:58
To: full-disclosure () lists netsys com
Cc: David Rees
Subject: [Full-Disclosure] sql injection question

Quick question for the list, if I may,

We have a third-party application that we are piloting for use as a web
store front end.

I have no idea about programming SQL at all, but have read of some of the
SQL injection techniques on this list.

In the search box on the app, by inserting ' followed by a space, the
following message is generated:


--------------------------------------------------------------------------------

Technical Information (for support personnel)

Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near
' insert into @promtable select a.ItemCode, a.SysNumber, a.TechDescription,
a.InvoiceDescription, a.Classification, a.ProductGrou'.
/eshop/search.asp, line 265


Browser Type:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 

Page:
GET /eshop/search.asp?SessionId=PR10006210200315411635Q3TLJ310ELW679PQ7Y&QuickSearch=%27+

Time:
Wednesday, October 15, 2003, 4:45:30 PM 




Also, the password for SA is stored in clear text in the site in a text
config file. This would not strike me as being sensible.

These are both ringing alarm bells!

From this info, would you assume it would be easy for someone skilled in SQL
injection to get unauthorised access to the database, or is it not that
simple?

The input seems to be filtered correctly on logon.asp, as entering these
characters has no apparent effect.

TIA

Richard

_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.netsys.com/full-disclosure-charter.html


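The three approaches discussed in the thread side by side, as an added example that is not code from any of the posters: the string-concatenated query the search.asp error implies, Manuel's quote-doubling fix, and a bound-parameter query. Python with an in-memory SQLite database stands in for classic ASP and SQL Server; the items and users tables, their rows, and the payload strings are constructed for the demonstration and do not come from the thread. It goes one step beyond the thread by also showing a numeric field (SysNumber, a column named in the error), where quote-doubling cannot help because no quotes surround the value.

```python
import sqlite3

# Constructed sample data standing in for the shop catalogue (the error on
# search.asp mentions ItemCode, SysNumber and TechDescription) and for a
# table an attacker would want to read. None of it comes from the thread.
ITEMS = [
    (1001, "A100", "Blue widget"),
    (1002, "A200", "Red widget"),
    (1003, "B300", "Gasket"),
    (1004, "C400", "O'ring seal"),
]
USERS = [("admin", "s3cr3t"), ("clerk", "letmein")]

PROBE = "' "          # what Richard typed into the search box
DUMP_USERS = "zzz' UNION SELECT login || ':' || pwd FROM users WHERE 'x' LIKE '"
NUMERIC = "0 OR 1=1"  # payload for an unquoted numeric field


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (SysNumber INTEGER, ItemCode TEXT, TechDescription TEXT)")
    con.execute("CREATE TABLE users (login TEXT, pwd TEXT)")
    con.executemany("INSERT INTO items VALUES (?, ?, ?)", ITEMS)
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con


def run(con, sql, params=()):
    """First column of every row, or the driver's error text (the shop page
    echoed the ODBC error to the browser, which is what makes the probe work)."""
    try:
        return [row[0] for row in con.execute(sql, params)]
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def quick_search_vulnerable(con, term):
    # The pattern the search.asp error implies: input pasted into the SQL text.
    sql = "SELECT ItemCode FROM items WHERE TechDescription LIKE '%" + term + "%'"
    return run(con, sql)


def double_quotes(value):
    # Manuel's fix, Replace(x, "'", "''"): every ' becomes '' so it stays inside the literal.
    return value.replace("'", "''")


def quick_search_escaped(con, term):
    sql = ("SELECT ItemCode FROM items WHERE TechDescription LIKE '%"
           + double_quotes(term) + "%'")
    return run(con, sql)


def quick_search_parameterised(con, term):
    # Bound parameter: the value never becomes part of the SQL text at all.
    return run(con, "SELECT ItemCode FROM items WHERE TechDescription LIKE ?",
               ("%" + term + "%",))


def by_sysnumber_escaped(con, sysnumber):
    # Quote-doubling does nothing here: the field is numeric, so no quotes surround it.
    return run(con, "SELECT ItemCode FROM items WHERE SysNumber = " + double_quotes(sysnumber))


def by_sysnumber_parameterised(con, sysnumber):
    if not sysnumber.isdigit():
        return "error: SysNumber must be numeric"
    return run(con, "SELECT ItemCode FROM items WHERE SysNumber = ?", (int(sysnumber),))


def demo():
    """Run each input against each variant; keys name what the call shows."""
    con = make_db()
    return {
        "probe_breaks_query": quick_search_vulnerable(con, PROBE),
        "apostrophe_breaks_query": quick_search_vulnerable(con, "O'ring"),
        "users_dumped": quick_search_vulnerable(con, DUMP_USERS),
        "escaped_blocks_dump": quick_search_escaped(con, DUMP_USERS),
        "escaped_keeps_apostrophe": quick_search_escaped(con, "O'ring"),
        "param_blocks_dump": quick_search_parameterised(con, DUMP_USERS),
        "param_normal_search": quick_search_parameterised(con, "widget"),
        "escaped_numeric_bypassed": by_sysnumber_escaped(con, NUMERIC),
        "param_numeric_rejected": by_sysnumber_parameterised(con, NUMERIC),
        "param_numeric_normal": by_sysnumber_parameterised(con, "1002"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28} {result}")
```

Running it reproduces the symptom from the post (the bare quote turns into a syntax error, and so does a legitimate search for "O'ring"), shows the same hole being used to read the users table, and shows both fixes closing it for the text field. Only the bound-parameter version also covers the numeric field; quote-doubling is safe solely when every injected value sits inside a quoted string literal. In classic ASP the equivalent of the bound-parameter query is an ADODB.Command with parameters appended through CreateParameter rather than a concatenated string.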
