WebApp Sec mailing list archives
RE: Strange behaviour in sql injection
From: "Dennis Hurst" <dhurst () spidynamics com>
Date: Tue, 29 Oct 2002 09:06:34 -0500
Antonio,
It's possible that the person is checking to make sure you passed
a value that can be converted to a numeric, something like this:
    if IsNumeric(Request("passedID")) then
        ' all is well, build the SQL
        sSql = "select * from myTable where ID = " & Request("passedID")
        ' do some database stuff here
    else
        ' go away, you're doing something bad....
    end if
Now, if the "passedID" parameter were a string that contained "1,1" it would pass the IsNumeric() call because "1,1" is converted to "11" by VB/ASP; however, when it's passed to the SQL server it is not a valid numeric value, so the SQL server will choke and give the SQL error message. So you have a hybrid form of SQL Injection.
The proper way to do it would have been:
    if IsNumeric(Request("passedID")) then
        ' all is well, build the SQL
        sSql = "select * from myTable where ID = " & cstr(clng(Request("passedID")))
        ' do some database stuff here
    else
        ' go away, you're doing something bad....
    end if
Using the cstr(clng()) functions will convert it to a numeric and back again, effectively removing the SQL Injection.
Hope this helps.
Have a great day,
Dennis Hurst
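As an added illustration (not Dennis's code and not from the thread), the same two snippets modelled in Python against an in-memory SQLite table; the IsNumeric() and CLng() stand-ins are simplified assumptions about the VB behaviour described above, and the last function goes one step beyond the reply by showing the parameterised form of the same lookup.

```python
import re
import sqlite3

# Constructed stand-in for VBScript's IsNumeric(): like it, it accepts digit
# grouping commas, so "1,1" counts as numeric. (Assumption: a simplified
# model of the behaviour the thread describes, not VB's exact locale rules.)
def lax_is_numeric(value: str) -> bool:
    return re.fullmatch(r"[+-]?[\d,]*\d(\.\d+)?", value) is not None

# Stand-in for CLng(): drop grouping commas and parse a whole number.
def canonical_int(value: str) -> int:
    return int(value.replace(",", ""))

# First snippet from the thread: the check passes, the raw parameter is concatenated.
def build_query_raw(passed_id: str) -> str:
    if not lax_is_numeric(passed_id):
        raise ValueError("passedID is not numeric")
    return f"select * from myTable where ID = {passed_id}"

# Corrected snippet: the cstr(clng(...)) round-trip canonicalises the value
# before it is concatenated, so only a plain integer reaches the SQL text.
def build_query_canonical(passed_id: str) -> str:
    if not lax_is_numeric(passed_id):
        raise ValueError("passedID is not numeric")
    return f"select * from myTable where ID = {canonical_int(passed_id)}"

def _db() -> sqlite3.Connection:
    # Constructed sample table so the queries run offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table myTable (ID integer, name text)")
    conn.executemany("insert into myTable values (?, ?)", [(1, "one"), (11, "eleven")])
    return conn

# Returns (rows, None) on success, or (None, error_message) when the SQL
# engine rejects the statement, as happened with the thread's "1,1" request.
def run_query(sql: str):
    try:
        return _db().execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return None, str(exc)

# Parameterised form: the converted integer never touches the SQL text at all.
def lookup_by_id(passed_id: str):
    if not lax_is_numeric(passed_id):
        raise ValueError("passedID is not numeric")
    return _db().execute("select * from myTable where ID = ?",
                         (canonical_int(passed_id),)).fetchall()
```

Running run_query(build_query_raw("1,1")) reproduces the engine-side error from the original post, while the canonical and parameterised versions both return the row with ID 11.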
-----Original Message-----
From: Securityinfos [mailto:admin () securityinfos com]
Sent: Tuesday, October 29, 2002 4:32 AM
To: webappsec () securityfocus com
Subject: Strange behaviour in sql injection
Conducting a pentest on a web application I discovered something strange..
the web application correctly replaces single quote (') with double quote (''), and correctly checks if the value is numeric,
but inserting in the query URL a value with , the application shows an error.
For example:
http://www.webapplication.com/show.asp?id=1,1
shows the error.
So, can we deduce that the previous dogmas for securing a web application, replacing quotes and checking if a value is numeric, are not enough?
I'd like to know also what Kevin Spett thinks..
thanks..
Antonio Stano
Securityinfos
http://www.securityinfos.com