Penetration Testing mailing list archives

Re: SQL


From: neil-at-geekshanty-dot-com <ptest1 () geekshanty com>
Date: Mon, 19 Nov 2001 16:47:52 -0600

Gary,

I don't know about that granting complete access, but what it does
mean is that you have free rein to execute SQL commands directly to
the server.

The most likely scenario is that to log in, a query like:
SELECT * FROM tblUsers WHERE Username='user' AND Password =
'pass'

The HTML form is filling in the 'user' and 'pass' with the data from
the form.  When you add a ' it escapes out of the variable (think strings
in programming) and moves on to the rest of the SQL statement.  Anything
you add after the ' will be interpreted as more SQL to execute.  Since
you most likely can change both the user and password fields you can
change the SQL to pretty much anything.  Assuming the web page is
looking for the ID of the user, you could mimic any user by doing a
SELECT * FROM tblUsers WHERE Username='admin';

HTML Form Values To Impersonate "admin":
User: admin';SELECT * FROM tblUsers WHERE 1='1
Password: blah

SQL String Generated:
SELECT * FROM tblUsers WHERE Username='admin';SELECT * FROM tblUsers
WHERE 1='1' AND Password='blah'

Now, I realize I'm making quite a few assumptions, but with direct SQL
access to the DB you could at the very least brute force a table
listing.  Depending on the level of access given to the user, you
might even be able to CREATE or DROP tables.  I've found that the most
secure way to do ASP/SQL is using Stored Procs and Views for
everything without any direct table access.

Cheers,
Neil


On 11-19 (16:24), Gary O'leary-Steele wrote:

Hello all,


I am doing a pen test against an IIS 5 web server. The web server requires a
user name and password via a logon form. If a single quote character is
entered (username), the following error is produced

[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
before the character string '' and password=''.

I remember reading somewhere that this can be used to gain further access,
but I can't find the info.

Can anyone help?

Thanks in advance.

Gary
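
The login query Neil reconstructs above, worked through as an added example
(not part of the original thread): a constructed in-memory SQLite copy of
tblUsers, the string-concatenated query an ASP page of that era would build,
Gary's single-quote probe, a password-check bypass, and the parameterized
lookup that closes the hole. The table rows, column names and the Python
function names are assumptions; SQLite stands in for SQL Server. One
difference that makes visible is that Python's sqlite3 module refuses the
stacked statement in Neil's `admin';SELECT ...` payload, whereas SQL Server
executes batches, so the `admin'--` form (a line comment) is used for the
bypass instead.

```python
import sqlite3

# Constructed stand-in for the thread's tblUsers table; rows and columns are
# assumptions, nothing beyond the query Neil guessed is known about the schema.
SAMPLE_USERS = [("admin", "s3cret!"), ("gary", "hunter2")]


def setup_db():
    """Build an in-memory SQLite copy of tblUsers (SQLite stands in for SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (ID INTEGER PRIMARY KEY, Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO tblUsers (Username, Password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, user, pw):
    """The login the thread infers: form fields spliced straight into the SQL text.

    Returns the matching (ID, Username) row or None. A quote in the input alters
    the statement itself, so malformed input raises a DB error (Gary's symptom).
    """
    sql = ("SELECT ID, Username FROM tblUsers WHERE Username='" + user
           + "' AND Password='" + pw + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, user, pw):
    """Same lookup with bound parameters: the input can never become SQL syntax."""
    sql = "SELECT ID, Username FROM tblUsers WHERE Username=? AND Password=?"
    return conn.execute(sql, (user, pw)).fetchone()


def probe_single_quote(conn, login):
    """Gary's test: submit a lone single quote and report whether the DB choked on it.

    True means the quote was parsed as SQL, i.e. the field is injectable.
    """
    try:
        login(conn, "'", "")
        return False
    except sqlite3.Error:
        return True


def bypass_password(conn, login, target="admin"):
    """Impersonate `target` without its password by commenting out the rest of
    the WHERE clause. `--` starts a line comment on both SQLite and SQL Server."""
    return login(conn, target + "'--", "blah")


def stacked_query_accepted(conn):
    """Try Neil's exact payload. SQL Server would run the batch; the sqlite3
    module refuses more than one statement per execute() call, so this returns
    False here even though the concatenated query text is injectable."""
    payload = "admin';SELECT * FROM tblUsers WHERE 1='1"
    try:
        login_vulnerable(conn, payload, "blah")
        return True
    except (sqlite3.Warning, sqlite3.Error):
        return False


if __name__ == "__main__":
    db = setup_db()
    print("single quote breaks vulnerable login:", probe_single_quote(db, login_vulnerable))
    print("single quote breaks safe login:     ", probe_single_quote(db, login_safe))
    print("bypass against vulnerable login:    ", bypass_password(db, login_vulnerable))
    print("bypass against safe login:          ", bypass_password(db, login_safe))
    print("stacked query accepted by sqlite3:  ", stacked_query_accepted(db))
```

The probe is the same signal Gary got from the ODBC driver: a syntax error
from a lone quote means the input reached the parser as SQL. The bound-parameter
version returns no row for the same inputs and never errors, which is the
check to run after a fix.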


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

