Penetration Testing mailing list archives

Re: any sql injection bypass on filters?


From: Joe Peters <joepete () joepete com>
Date: Thu, 23 Sep 2010 10:17:08 -0400

On Thu, 2010-09-23 at 14:38 +0800, Jacky Jack wrote:
> I fail to think that simply causing the application to issue a general
> SQL error can't be assumed as a SQL injection vulnerability.
> I doubt this is just a kind of information disclosure/leakage where
> the database name and field names are leaked through errors?

If you can get the database server to throw an error, you can probably
craft queries that will do other unintended things. You might not get
any usable data or information about table structure directly, but at
the least you can increase the load on the server, possibly to the point
of a denial of service. Going another route, maybe you can cause an
overflow.

At the very least, at the sysadmin level, if you have any app that
regularly throws errors, it helps hide the one or two lines in a log
that might reveal a more serious problem. Not an injection problem but
certainly a security flaw.

I suspect your client might be defensive about these hypotheticals, and
sure, continue to bang on it and you might be able to have something
more concrete. But from my view, a Web app should always be passing
valid queries to the database. If it is not, it tells me the developer
hasn't fully validated and escaped input.

--
Joe
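Joe's closing point, that a web app should only ever send valid SQL to the database, can be turned into a concrete check. The Python below is added here as an illustration and is not part of the original thread or anyone's posted code: it contrasts a lookup that splices input into the SQL text with a parameterised one, using a constructed in-memory `users` table (the table, column and function names are assumptions for the example). A surname containing an apostrophe, which is ordinary data, is enough to make the concatenated query fail with a generic syntax error, while the bound parameter handles it correctly; `inputs_that_break` is a small regression helper that lists which inputs make a given lookup throw.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table for the example (not data from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    # The third row is an ordinary surname that happens to contain an apostrophe.
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("o'brien",)])
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Weak pattern: untrusted input spliced into the SQL text.

    Any quote character in the input becomes part of the statement, so the
    database rejects the query with a generic syntax error (the symptom the
    thread is about). Returns (rows, error_message); error_message is None
    when the query succeeded.
    """
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    try:
        return [tuple(r) for r in conn.execute(sql)], None
    except sqlite3.OperationalError as exc:
        return [], str(exc)


def lookup_param(conn, name):
    """Hardened pattern: a bound parameter. The input is treated purely as
    data, so it can never change the shape of the statement."""
    rows = conn.execute("SELECT id, name FROM users WHERE name = ?", (name,))
    return [tuple(r) for r in rows], None


def inputs_that_break(conn, lookup, inputs):
    """Regression check: return every input for which `lookup` produced a
    database error. For a correctly parameterised query the list is empty,
    which is exactly the property that the app only ever sends valid SQL."""
    broken = []
    for value in inputs:
        _, err = lookup(conn, value)
        if err is not None:
            broken.append(value)
    return broken


# Constructed sample inputs: ordinary names, one of them containing an apostrophe.
SAMPLE_INPUTS = ["alice", "bob", "o'brien"]

if __name__ == "__main__":
    conn = make_db()
    print("concat breaks on:", inputs_that_break(conn, lookup_concat, SAMPLE_INPUTS))
    print("param  breaks on:", inputs_that_break(conn, lookup_param, SAMPLE_INPUTS))
    print("param  finds    :", lookup_param(conn, "o'brien")[0])
```

Run as a script it reports that only the concatenated lookup fails, and only on the apostrophe input. The same helper can be pointed at a real data-access function during code review: any non-empty result means the application is still composing SQL from input, regardless of whether the failing input was crafted or just an unusual name.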

