WebApp Sec mailing list archives
Re: SQL Injection Basics
From: davy van de moere <davy () securax be>
Date: 09 Feb 2003 17:44:38 +0100
I think you might be missing some basics here... Am I right you assume you can access the table test by using test.asp? If so, you're missing the point, but hey, we all need to learn...

The only thing you can do when performing SQL injections, is manipulating SQL queries, which can be stored in variables. Which means, if you can expect a certain .asp file to make connections towards the database, you could try a thing or two...

Let's say, there's something like login.asp. Then you might assume, the variables in the HTML used for the username and password (we assume there is some kind of form used to pass these to the code), there could be a query like:

"select * from db.users where name='$name' and password='$pass'"

If the database responds with 1, access could be granted, e.g. What you could do then, to pass this authentication stage, would be to make the variable $pass to => ' or 1=1 ; which would give a query like:

"select * from db.users where name='blah' and password='blah' or 1=1"

The database will focus on the 1=1, and will return a 1.

Other typical things are adding a user for example, in this case you make the variable $pass towards => '; insert into db.users name, password values ('myname','mypass'); which would insert your own account in the database.

Now, there is one drawback on sql injections, most developers have some brains left, and do strip out quotes out of forms, you could get lucky using unicode representations, however, I'm not sure of that...

The best way to test these applications is indeed, having access to the database, and monitoring the queries being passed.

Hope I helped you out a bit, and good luck...

On Sun, 2003-02-09 at 02:21, raul.johhut () hushmail com wrote:
I am pen testing a webapp and am having some problems with SQL injection. The app creates an ODBC error. Is this a guarantee of SQL Injection?

If I use www.victim/test.asp?userid=sfdsd the error is "inncorrect syntax near line 28 of test.asp" (or that's the English translation equiv in my case). I know the database is called master, and has a table test. What is the syntax I should use?

What are the best freeware and open source tools for testing SQL injection? I tried WPoison which was OK. I also tried WebSleuth (which seems to have gone from GPL to closed source commercial btw). Am I right in saying that the SQL plugin has to connect directly to the database to work? I can only see port 80 so don't think this will work?

Thanks, Raul.
-- davy van de moere <davy () securax be> Securax bvba
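
An added example, not part of the original thread: it runs the concatenated login query from the reply beside a parameterized version, showing the syntax-error symptom a stray quote produces, why the `or 1=1` query matches every row, and how bound parameters remove both. Python's sqlite3 stands in for the ASP/ODBC stack; the `users` table, its single account and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for db.users holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (name text, password text)")
    db.execute("insert into users values (?, ?)", ("o'brien", "s3cret"))
    return db

def login_concat(db, name, password):
    """'Before' form: form fields are pasted into the query text, as in the reply."""
    sql = ("select * from users where name='" + name
           + "' and password='" + password + "'")
    try:
        return len(db.execute(sql).fetchall())
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # A quote in the input ended the string literal early, so the rest of
        # the value was handed to the SQL parser instead of being compared.
        return "error: %s" % exc

def login_bound(db, name, password):
    """Hardened form: values are bound as parameters and never parsed as SQL."""
    sql = "select * from users where name=? and password=?"
    return len(db.execute(sql, (name, password)).fetchall())

# The resulting query as written in the reply (table shortened to users).
POST_QUERY = "select * from users where name='blah' and password='blah' or 1=1"

def rows_for_post_query(db):
    """AND binds tighter than OR: the WHERE clause is (name AND password) OR 1=1."""
    return len(db.execute(POST_QUERY).fetchall())

if __name__ == "__main__":
    db = make_db()
    print("reply's query, rows matched:", rows_for_post_query(db))
    print("concat, legitimate o'brien :", login_concat(db, "o'brien", "s3cret"))
    print("bound,  legitimate o'brien :", login_bound(db, "o'brien", "s3cret"))
    print("bound,  ' or 1=1 ; as data :", login_bound(db, "blah", "' or 1=1 ;"))
```

With bound parameters the legitimate name containing an apostrophe logs in and the `' or 1=1 ;` string is compared as a literal password, so no quote stripping is needed.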