Penetration Testing mailing list archives

Re: any sql injection bypass on filters?


From: Dan Crowley <dcrowley () coresecurity com>
Date: Thu, 23 Sep 2010 10:19:58 -0400

If the parameter takes only a-zA-Z then you will be able to put in only
one keyword. Considering where you are in the query (...ORDER BY
column_name [input]) your only options are:

ASC
DESC
some junk that causes an error

Sorry, but it seems this is not an exploitable SQLi flaw.

On 9/22/2010 5:46 PM, The Dead wrote:
Hi Jacky,

If you send, for example, a common string, will the application filter it?

Sample: ASC, (case when (2=2) then foo else bar end)

If the application fails to filter it, you will probably get an error like:

Unknown column 'foo'....

Try it!

On Wed, Sep 22, 2010 at 5:35 PM, Jacky Jack <jacksonsmth698 () gmail com> wrote:
Hi

I'm currently on a php web application page which issues an error
message when submitting an invalid value for the "sort" parameter.
But the application accepts only a-zA-Z for this parameter. I've
tried to bypass it by char(), hex().
If I change its parameter value to a value other than "ASC", "DESC",
the application issues a generic sql error starting with "You have an
error in your SQL syntax".

So, in this situation, can the application still be assumed to be
vulnerable to sql injection?

Thank you.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
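
The behaviour discussed in this thread, as an added example that is not part of the original messages: a letters-only filter followed by concatenation after ORDER BY, beside an allowlist that maps the "sort" value to a fixed ASC/DESC constant so the database never parses user text. Python with an in-memory SQLite table stands in for the PHP application and its database; the table, data and function names are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; SQLite is an assumption standing in for the app's database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (name TEXT)")
    db.executemany("INSERT INTO items VALUES (?)", [("pear",), ("apple",), ("fig",)])
    return db

def sort_with_charset_filter(db, sort):
    """Pattern described in the thread: a-zA-Z filter, then string concatenation."""
    if not re.fullmatch(r"[A-Za-z]*", sort):
        return "rejected"
    try:
        rows = db.execute("SELECT name FROM items ORDER BY name " + sort).fetchall()
        return [r[0] for r in rows]
    except sqlite3.Error:
        # Any other word reaches the SQL parser and fails there; this is the
        # syntax error the application in the thread showed to the user.
        return "sql error"

# Only these constants can ever appear in the query text.
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

def sort_with_allowlist(db, sort):
    """Hardened form: user input selects a constant, it is never concatenated."""
    direction = DIRECTIONS.get(sort.lower(), "ASC")  # unknown values get the default
    rows = db.execute("SELECT name FROM items ORDER BY name " + direction).fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    for value in ("DESC", "junk", "ASC 1"):
        print(value, "->", sort_with_charset_filter(db, value), "|",
              sort_with_allowlist(db, value))
```

With the allowlist, an unexpected value produces a normal default-ordered result instead of a database error message in the response.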


