WebApp Sec mailing list archives
Re: Using Binary Search with SQL Injection
From: <dave () immunitysec com>
Date: 28 Aug 2003 13:09:55 -0000
In-Reply-To: <20030826161916.GA8708 () thathost com>

That's not useless. That's actually really cool. Once upon a time I was going to write a talk on how to do SQL Injection when you don't get error messages back. Most people I've seen have it marked as "potentially possible, but just way too hard to do" which is true for everything until someone makes a tool to do it.

You really only need one bit at a time of information leakage, be that timing info, different response pages, or another information tunnel to make SQL Injection possible. And the best part about exploiting this kind of web app is that all the automated tools (like SPIKE Proxy) that do QA work to test for SQL Injection by looking for ODBC messages or similar error pages don't find it. :>

-dave

Date: Tue, 26 Aug 2003 18:19:16 +0200
From: "Sverre H. Huseby" <shh () thathost com>
To: webappsec () securityfocus com
Subject: Using Binary Search with SQL Injection
Message-ID: <20030826161916.GA8708 () thathost com>

When being bored, one often does strange and useless things, such as this:

Using Binary Search with SQL Injection
======================================

Sverre H. Huseby
shh () thathost com
2003-08-26

With SQL Injection one may perform many cool attacks on a web site. This text will not tell you how, as it assumes you're already familiar with advanced SQL Injection.

Getting access to information using SQL Injection is sometimes trivial, and sometimes hard. How hard it is depends on many factors, such as: Is it possible to use UNION SELECT? Is it possible to batch requests in order to INSERT or UPDATE something based on subselects? The following presents a method to get access to values of textual database fields when neither batched queries nor UNION SELECT will help.

[...]

Read the rest of this text here:
http://shh.thathost.com/text/binary-search-sql-injection.txt

Sverre.

--
shh () thathost com
http://shh.thathost.com/
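
An added example, not part of either message above: a local check that shows why a scanner looking for error pages misses an injectable handler that leaks only one bit through different response pages, and why a bound parameter removes that bit. The table, handler names, marker strings and sample row are all assumptions constructed for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data for a local, in-memory test database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'constructed-sample')")
    return db

def page_concatenated(db, name):
    # Vulnerable 'before' form: input is spliced into the SQL text and
    # database errors are swallowed, so no error page is ever returned.
    try:
        sql = "SELECT 1 FROM users WHERE name = '" + name + "'"
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return "not found"
    return "found" if row else "not found"

def page_parameterized(db, name):
    # Hardened form: the value is bound, never parsed as SQL.
    row = db.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone()
    return "found" if row else "not found"

ERROR_MARKERS = ("ODBC", "SQL syntax", "sqlite3.")  # assumed scanner signatures

def error_based_check(page, db, known):
    # QA style named in the post: break the quoting, look for an error page.
    return any(m in page(db, known + "'") for m in ERROR_MARKERS)

def boolean_differential_check(page, db, known):
    # Flag the handler when an always-true and an always-false condition
    # appended to a known-good value produce different pages (one bit).
    baseline = page(db, known)
    true_page = page(db, known + "' AND '1'='1")
    false_page = page(db, known + "' AND '1'='2")
    return true_page == baseline and false_page != baseline

if __name__ == "__main__":
    for page in (page_concatenated, page_parameterized):
        db = make_db()
        print(page.__name__,
              "error-based:", error_based_check(page, db, "alice"),
              "differential:", boolean_differential_check(page, db, "alice"))
```

The error-based check reports nothing for either handler; only the differential check separates the concatenated query from the parameterized one.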