Penetration Testing mailing list archives

Re: SQL


From: "Kevin Spett" <kspett () spidynamics com>
Date: Mon, 19 Nov 2001 17:56:06 -0800

There's code like this in the web app:

' Query built by string concatenation: the user-supplied values become part of the SQL text.
SQL_Query_String = "SELECT somefield FROM Users WHERE Username = '" & _
strUserName & "' AND Password = '" & strPassword & "'"
strValue = SQL_Query(SQL_Query_String)

That line of code will select the value in somefield in a row in the
users table where the specified username and password both match. If the
username and password don't match the username and password values in any
row in the table, nothing is selected and strValue is empty, which will tell
the web application that authentication failed. If it's populated with
something, then the user is authenticated.

What you want to do is make it so that you get somefield populated with
something, anything. Try putting one of the following into the username and
password fields:

' OR ''='
or
' OR '*

which will make SQL_Query_String look like this:
SELECT somefield FROM Users WHERE Username = '' OR ''='' AND Password = ''
OR ''=''

The statement ''='' is always true, so strValue will be populated with the
first value in somefield, which is often an admin account. Once you're
authenticated and you know what the first username in the table is, you can
do something like this in the password field to get the second one:

' OR '' = ''  WHERE username > 'first_username
and so on, until you find an admin account.

I've been doing a lot of work with SQL Injection techniques on IIS and I've
discovered some pretty amazing stuff. I'll have a paper ready in early
December describing some powerful SQL ninjitsu techniques that I've developed.



Kevin.
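
The following is an added example, not code from either message: it rebuilds the string-concatenated lookup from Kevin's reply against a constructed in-memory SQLite table (assumed columns Username, Password, somefield, with constructed rows) and puts a parameterized version beside it, so the effect of the ' OR ''=' input and of the lone quote Gary entered can be checked on both.

```python
import sqlite3

# Input quoted in the thread: the first of the two strings Kevin suggests.
BYPASS_INPUT = "' OR ''='"


def make_db():
    """Constructed sample table; plaintext passwords only so the scratch
    database mirrors the thread's query (real systems store salted hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT, somefield TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [("admin", "s3cret", "admin-row"), ("gary", "hunter2", "gary-row")])
    return conn


def login_concatenated(conn, username, password):
    """Mirrors the string-built query in the reply: user input is spliced
    into the SQL text, so quotes in the input change the statement."""
    query = ("SELECT somefield FROM Users WHERE Username = '" + username +
             "' AND Password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same lookup with bound parameters: the input is passed to the driver
    as data and is never parsed as SQL, whatever characters it contains."""
    row = conn.execute(
        "SELECT somefield FROM Users WHERE Username = ? AND Password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def raises_sql_error(login_fn, conn):
    """True when a lone quote makes the query fail to parse, the SQLite
    counterpart of the ODBC 'Unclosed quotation mark' error in the question."""
    try:
        login_fn(conn, "'", "")
        return False
    except sqlite3.Error:
        return True
```

With the concatenated version the bypass input returns a row without valid credentials and a lone quote produces a parse error; the parameterized version returns nothing for both, which is also why a database error in a login response is worth treating as a finding in its own right.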

----- Original Message -----
From: "Gary O'leary-Steele" <GaryO () sec-1 com>
To: <PEN-TEST () securityfocus com>
Sent: Monday, November 19, 2001 8:24 AM
Subject: SQL


Hello all,


I am doing a pen test against an IIS 5 web server. The web server requires
a user name and password via a logon form. If a single quote character is
entered (username) the following error is produced

[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
before the character string '' and password=''.

I remember reading somewhere that this can be used to gain further access,
but I can't find the info.

Can any one help?

Thanks in advance.

Gary


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



