WebApp Sec mailing list archives
RE: Simple to exploit SQL Injection ?
From: "Victor Chapela" <victor () sm4rt com>
Date: Mon, 28 Nov 2005 13:15:04 -0600
Jason, I agree with Rich, it seems your ' is being escaped by adding a second one. This should be interpreted by the database as a single quote within the quoted string '...'. This is very difficult to escape. The error message is very interesting though, you should not have gotten an error message in most databases. Is this a MS SQL Server? Do you get an ODBC error? Is it Java, PHP, ASP or ASPX? (it seems to be ADO.NET) This error condition could prove to be very useful, if the database is not recognizing two quotes as an escaped quote you may be able to get out of the string. You should try to find some inconsistency in the way the additional ' is added. Try and see what happens if: - You add more than one ' - You use the unicode equivalent %27 - You convert the POST to a GET by adding the parameters in the URL - Use a proxy and see what other information is being sent in the form; any hidden parameters? - Is the additional quote being added through a Java script running on the client side? - Does the error occur in the same page that is validating and adding the extra quote? if not, can you call the query page directly? Good luck, Victor
-----Original Message----- From: Jason binger [mailto:cisspstudy () yahoo com] Sent: November 27, 2005 6:50 PM To: webappsec () securityfocus com Subject: Simple to exploit SQL Injection ? I am reviewing a .Net web application. When entering xyz for a username and ' for a password into a form I receive the following stack trace (extract): System.Exception: Can't Load DataReader using SQL string: 'SELECT * FROM users WHERE username = 'xyz' AND password = '''' -- Unclosed quotation mark before the character string '''. Line 1: Incorrect syntax near '''. Now I would have thought this would be easy to exploit, but I can't bypass the logon page. xyz is a valid username. Any ideas? Cheers __________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com http://www.sm4rt.com/links
Current thread:
- Simple to exploit SQL Injection ? Jason binger (Nov 28)
- Re: Simple to exploit SQL Injection ? Eoin Keary (Nov 28)
- Re: Simple to exploit SQL Injection ? Yousef Syed (Nov 28)
- RE: Simple to exploit SQL Injection ? Rich Bergmann (Nov 28)
- Re: Simple to exploit SQL Injection ? Dean H. Saxe (Nov 29)
- RE: Simple to exploit SQL Injection ? Victor Chapela (Nov 29)
- Re: Simple to exploit SQL Injection ? bryan allott (Nov 29)
- <Possible follow-ups>
- RE: Simple to exploit SQL Injection ? Haaland, Vegar Linge (Nov 28)
- RE: Simple to exploit SQL Injection ? Pilon Mntry (Nov 29)
- RE: Simple to exploit SQL Injection ? Griffiths, Ian (Nov 28)
- RE: Simple to exploit SQL Injection ? LAROUCHE Francois (Nov 29)
- RE: Simple to exploit SQL Injection ? Matt Fisher (Nov 30)