Penetration Testing mailing list archives
SQL Injection first try - MySQL and Perl
From: Simon Waters <Simon () wretched demon co uk>
Date: Sat, 20 Dec 2003 00:47:53 +0000
Not a Pen-Test but software review... it does (roughly)...

    $var1=$form{'varname'}; # where form is a hash of values from a POST, no sanitisation performed.
    ->do("Insert into tablename values ( 'stuff..','stuff','$var1');");

I bashed the following into the form;

    '); insert into table2 values (1,'fred','stuff

Expecting it to close the last "'", and bracket, and semicolon.

Variations ending

    '); //

Showed no more joy. And other variations....

They all barf "SQL syntax error", and something about "connection-reduction" (which Google seems to think is something else entirely).

I'm not clear if there is something in MySQL, or Perl DBI (all from Redhat 9 RPMs BTW), that is deliberately stamping on my naive attempts at SQL injection.

That it is giving 'SQL syntax error' makes me think SQL injection is possible, and it looks like a classic mistake to me.

Also the application does a lot of "prepare" SQL queries but substitutes variables in the "prepare" rather than using placeholders; I assume these are also vulnerable but probably exploiting them is harder?

Mainly I just want to demonstrate SQL injection against the code (if it is possible), as someone has to be convinced to spend time, effort and money cleaning up what is functionality-wise a good application, with some naive coding in places.

Is there a list of SQL injections that have worked against such stuff, as I'm sure most of it is about how to quote or encode special characters.

Guess it is the difference between believing it is "iffy", and proving it.
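
An added example, not part of the original post and not code from the application it describes: the interpolated insert from the message beside the DBI placeholder form, run against an in-memory SQLite database as a stand-in for MySQL (assumes DBD::SQLite is installed). The table layout and the sample value are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: SQL built by string interpolation versus DBI placeholders.
# Assumptions: DBD::SQLite (in-memory) stands in for MySQL; the table layout
# and the sample form value are constructed for this illustration.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE tablename (a TEXT, b TEXT, c TEXT)');

# Constructed sample input: an ordinary value that contains a single quote.
my %form = (varname => "O'Brien");
my $var1 = $form{'varname'};

# Pattern from the post: the value is pasted into the statement text, so its
# quote ends the string literal early and the rest is parsed as SQL.
my $ok = eval {
    $dbh->do("INSERT INTO tablename VALUES ('stuff..', 'stuff', '$var1')");
    1;
};
print "interpolated: ", ($ok ? "accepted" : "rejected: $@");

# Placeholder form: the statement text is fixed and the value is bound as
# data, so quotes inside it never reach the SQL parser.
$dbh->do('INSERT INTO tablename VALUES (?, ?, ?)', undef,
    'stuff..', 'stuff', $var1);

# The same rule applies to prepare(): keep variables out of the SQL string
# and hand them to execute() instead.
my $sth = $dbh->prepare('SELECT c FROM tablename WHERE c = ?');
$sth->execute($var1);
my ($stored) = $sth->fetchrow_array;
$sth->finish;
print "placeholder stored: $stored\n";

$dbh->disconnect;
```

A harmless value with an apostrophe producing a syntax error is enough to show that form input reaches the SQL parser unescaped. The MySQL client library does not execute several statements in one call unless multi-statement support is explicitly enabled, but that does not make the interpolated form safe.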