WebApp Sec mailing list archives
Re: SQL Injection Basics
From: Loki <loki () fatelabs com>
Date: 09 Feb 2003 00:16:01 -0500
Raul: SQL injection is not replacing the userid field in the URL with "sdfsd", it's escaping an SQL query with a single tick (') that the developer doesn't escape (or in the case of PHP, GLOBALS is turned on in the php.ini). SQL injection is simply altering the SQL query sent to the SQL server and executing a malicious query instead of what was expected by the developer.

Depending on the remote server (Oracle, Microsoft SQL, MySQL, PostgreSQL), these statements will only differ based on their stored procedures, Microsoft SQL containing the more fun procedure of (xp_cmdshell) :)

e.g. 'SELECT * FROM USERS Username: ' or 1=1--

There are several papers available on SQL injection attacks, one in particular written by Chris Anley at http://www.nextgenss.com/research/papers.html

Typically, you can quickly check web apps for vulnerability to injection by just entering a single tick (') in the form submission field, hitting submit, and looking for any errors such as ODBC, etc.

Loki
Fate Research Labs
www.fatelabs.com

On Sat, 2003-02-08 at 20:21, raul.johhut () hushmail com wrote:
> I am pen testing a webapp and am having some problems with SQL injection. The app creates an ODBC error. Is this a guarantee of SQL injection? If I use www.victim/test.asp?userid=sfdsd the error is "incorrect syntax near line 28 of test.asp" (or that's the English translation equiv in my case). I know the database is called master, and has a table test. What is the syntax I should use?
>
> What are the best freeware and open source tools for testing SQL injection? I tried WPoison which was OK. I also tried WebSleuth (which seems to have gone from GPL to closed source commercial btw). Am I right in saying that the SQL plugin has to connect directly to the database to work? I can only see port 80 so don't think this will work?
>
> Thanks,
> Raul.
-- Loki <loki () fatelabs com>
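To make the two points in Loki's reply concrete (the lone tick that breaks the query, and the ' or 1=1-- input that rewrites it), here is an added example that is not from the thread: Python's sqlite3 module against a constructed in-memory users table, with the string-concatenated query beside the parameterized one that closes the hole. The table, names and function names are all assumptions made for this illustration.

```python
import sqlite3

# Constructed sample database for the demonstration (not from the thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, username):
    """Concatenates the input into the SQL text, so a tick ends the string
    literal early and whatever follows is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    """Binds the input as a parameter: it is compared as data, never parsed."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def probe(lookup, username):
    """Run one lookup on a fresh database.
    Returns ("ok", rows) or ("error", message). The "error" case is what
    the single-tick check in the thread looks for; in a real app that
    message must be logged server-side, not returned to the client."""
    conn = make_db()
    try:
        return ("ok", lookup(conn, username))
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        conn.close()

if __name__ == "__main__":
    for name in ("bob", "'", "' or 1=1--"):
        print(repr(name), "vulnerable:", probe(lookup_vulnerable, name))
        print(repr(name), "parameterized:", probe(lookup_parameterized, name))
```

With the concatenated query, a lone tick yields a syntax error and ' or 1=1-- turns the WHERE clause into `username = '' or 1=1--'` and returns every row; the parameterized query treats both inputs as literal usernames and returns nothing.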