WebApp Sec mailing list archives

Re: SQL Injection Basics


From: davy van de moere <davy () securax be>
Date: 09 Feb 2003 17:44:38 +0100

I think you might be missing some basics here...

Am I right that you assume you can access the table test by using test.asp?
If so, you're missing the point, but hey, we all need to learn...

The only thing you can do when performing SQL injections is manipulate
SQL queries, which can be stored in variables. Which means, if you can
expect a certain .asp file to make connections towards the database, you
could try a thing or two...

Let's say there's something like login.asp. Then you might assume that,
for the variables in the HTML used for the username and password (we
assume there is some kind of form used to pass these to the code), there
could be a query like: "select * from db.users where name='$name' and
password='$pass'"

If the database responds with 1, access could be granted, e.g.

What you could do then, to pass this authentication stage, would be to
set the variable $pass to => ' or 1=1 ; which would give a query like:

"select * from db.users where name='blah' and password='blah' or 1=1"

The database will focus on the 1=1, and will return a 1. 

Other typical things are adding a user, for example; in this case you
set the variable $pass to => '; insert into db.users (name,
password) values ('myname','mypass');

which would insert your own account in the database. Now, there is one
drawback to SQL injections: most developers have some brains left, and
do strip quotes out of forms. You could get lucky using unicode
representations, however, I'm not sure of that...

The best way to test these applications is indeed having access to the
database and monitoring the queries being passed.

Hope I helped you out a bit, and good luck...

On Sun, 2003-02-09 at 02:21, raul.johhut () hushmail com wrote:
I am pen testing a webapp and am having some problems with SQL injection. 

The app creates an ODBC error. Is this a guarantee of SQL injection?

If I use www.victim/test.asp?userid=sfdsd

the error is "incorrect syntax near line 28 of test.asp" (or that's the English translation equivalent in my case).

I know the database is called master, and has a table test. What is the syntax I should use ?

What are the best freeware and open source tools for testing SQL injection? I tried WPoison, which was OK.

I also tried WebSleuth (which seems to have gone from GPL to closed source commercial, btw). Am I right in saying that the SQL plugin has to connect directly to the database to work? I can only see port 80, so I don't think this will work?

Thanks, Raul.



-- 
davy van de moere <davy () securax be>
Securax bvba
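The two tricks Davy describes (the ' or 1=1 tautology and the stacked insert), plus the numeric case behind Raul's test.asp?userid=... URL, as an added Python/SQLite example that is not part of the original thread. The table, the user rows and the passwords are constructed here and are assumptions, not anything from the posts. The tautology works because AND binds tighter than OR, so the WHERE clause is true for every row rather than "returning a 1"; the stacked statement needs a driver that runs several semicolon-separated statements in one call (classic ASP against MS SQL Server did; Python's sqlite3 execute() refuses, so executescript() stands in for that behaviour). The payloads end in -- so the closing quote the application appends is commented out. The numeric case shows why stripping quotes from forms is not a fix, and the parameterised query shows what is.

```python
"""SQL injection walk-through on an in-memory SQLite database.

Added example, not code from the thread. The query shapes mirror the ones
discussed: "select * from users where name='$name' and password='$pass'"
built by string concatenation, and a userid spliced into a numeric WHERE.
"""
import sqlite3


def make_db():
    """Constructed sample database: two users (assumption, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, name text, password text)")
    conn.executemany(
        "insert into users (name, password) values (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def build_login_query(name, password):
    """The login query shape from the post, built by concatenation (vulnerable)."""
    return ("select * from users where name='" + name
            + "' and password='" + password + "'")


def login_vulnerable(conn, name, password):
    """Run the concatenated query; returns the names of every matched row."""
    rows = conn.execute(build_login_query(name, password)).fetchall()
    return [r[1] for r in rows]


def login_vulnerable_stacked(conn, name, password):
    """Same query, executed by a driver that runs all ';'-separated statements
    in one call. executescript() simulates that driver behaviour here."""
    conn.executescript(build_login_query(name, password))


def lookup_vulnerable(conn, userid):
    """Numeric context like test.asp?userid=...: no quote is needed to inject."""
    rows = conn.execute("select name from users where id=" + userid).fetchall()
    return [r[0] for r in rows]


def login_safe(conn, name, password):
    """Parameterised query: input is bound as data and never parsed as SQL."""
    rows = conn.execute(
        "select name from users where name=? and password=?", (name, password)
    ).fetchall()
    return [r[0] for r in rows]


def demo():
    """Run the four cases and return what each one matched."""
    conn = make_db()
    results = {}

    # 1. Tautology: WHERE becomes (name='blah' and password='') or 1=1,
    #    which is true for every row, so both existing users come back.
    results["bypass"] = login_vulnerable(conn, "blah", "' or 1=1 --")

    # 2. Stacked statement: the second statement inserts our own account,
    #    which then logs in through the very same vulnerable query.
    payload = "'; insert into users (name, password) values ('myname','mypass'); --"
    login_vulnerable_stacked(conn, "blah", payload)
    results["after_insert"] = login_vulnerable(conn, "myname", "mypass")

    # 3. Numeric context: "0 or 1=1" contains no quote at all, so quote
    #    stripping on the form would not have stopped it.
    results["numeric"] = lookup_vulnerable(conn, "0 or 1=1")

    # 4. Parameterised query: the same payload is just a literal password
    #    that matches nobody.
    results["safe"] = login_safe(conn, "blah", "' or 1=1 --")
    return results


if __name__ == "__main__":
    for case, matched in demo().items():
        print(case, "->", matched)
```

Watching the query log on the database side, as Davy suggests, is the quickest way to see the difference: the concatenated versions arrive as changed SQL text, while the parameterised version always arrives as the same statement with separate bound values.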

