WebApp Sec mailing list archives
RE: Simple to exploit SQL Injection ?
From: "Haaland, Vegar Linge" <Vegar.Linge.Haaland () palantir no>
Date: Mon, 28 Nov 2005 13:42:16 +0100
And you could try using:

    ' or ''='

as username and password. That will make the query look like:

    SELECT * FROM users WHERE username = '' or ''='' AND password = '' or ''=''

(Or anything that always is true; some examples:

You could use:

    hi' or 'a'='a

This will give you username = 'hi' or 'a'='a'

This will "always" be true (if I read the query right :P), cause 'a' equals 'a'

And so on.

-----Original Message-----
From: Yousef Syed [mailto:yousef.syed () gmail com]
Sent: 28. november 2005 13:20
To: Jason binger
Cc: webappsec () securityfocus com
Subject: Re: Simple to exploit SQL Injection ?

Hi Jason,

Try the following

Password: ' OR 1=1 --

That should give the following SQL:

    'SELECT * FROM users WHERE username = 'xyz' AND password = '' OR 1=1 -- '

Since 1 always evaluates to 1, the rest of the SQL will be ignored and you should get the result you were expecting. Using the "--" comment will stop anything else after this from being evaluated. That should stop you getting any syntax errors.

ys

--
Yousef Syed
"One senior official said the consultancy "doesn't have the greatest of reputations among civil servants. They come and state the bleeding obvious using Powerpoint"."

On 28/11/05, Jason binger <cisspstudy () yahoo com> wrote:

I am reviewing a .Net web application. When entering xyz for a username and ' for a password into a form I receive the following stack trace (extract):

    System.Exception: Can't Load DataReader using SQL string: 'SELECT * FROM users WHERE username = 'xyz' AND password = '''' -- Unclosed quotation mark before the character string '''. Line 1: Incorrect syntax near '''.

Now I would have thought this would be easy to exploit, but I can't bypass the logon page. xyz is a valid username.

Any ideas?

Cheers
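Added example, not part of the original thread and not the reviewed application's code: the login query from the stack trace built by string concatenation, beside a parameterized version, both run on the inputs quoted in the messages above. It assumes Python with an in-memory SQLite database in place of .NET and SQL Server; the stored password and the function names are constructed for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names follow the query
    # shown in the stack trace. The stored password is made up.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('xyz', 'correct-horse')")
    return db

def login_concat(db, username, password):
    # Vulnerable pattern: form input is spliced into the SQL text, so
    # quotes in the input change the structure of the WHERE clause.
    sql = ("SELECT * FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        return len(db.execute(sql).fetchall()) > 0
    except sqlite3.Error:
        # A lone ' leaves an unclosed string literal: the syntax error
        # the original poster saw. Fail closed and do not echo the SQL.
        return False

def login_param(db, username, password):
    # Hardened pattern: placeholders bind the input as data, so it can
    # never be parsed as SQL syntax.
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return len(db.execute(sql, (username, password)).fetchall()) > 0

# (username, password) pairs taken from the thread.
THREAD_INPUTS = [
    ("xyz", "'"),
    ("xyz", "' OR 1=1 --"),
    ("' or ''='", "' or ''='"),
    ("hi' or 'a'='a", "hi' or 'a'='a"),
]

def compare():
    # Returns (username, password, concat_result, param_result) per input.
    db = make_db()
    return [(u, p, login_concat(db, u, p), login_param(db, u, p))
            for u, p in THREAD_INPUTS]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

In .NET the equivalent of the hardened function is a parameterized command (for example `SqlCommand` with `SqlParameter`) rather than a concatenated SQL string.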