WebApp Sec mailing list archives

RE: Simple to exploit SQL Injection ?

From: "Victor Chapela" <victor () sm4rt com>
Date: Mon, 28 Nov 2005 13:15:04 -0600

Jason,

I agree with Rich, it seems your ' is being escaped by adding a second one.
This should be interpreted by the database as a single quote within the
quoted string '...'. This is very difficult to escape. The error message is
very interesting though, you should not have gotten an error message in most
databases. Is this a MS SQL Server? Do you get an ODBC error? Is it Java,
PHP, ASP or ASPX? (it seems to be 
ADO.NET)

This error condition could prove to be very useful, if the database is not
recognizing two quotes as an escaped quote you may be able to get out of the
string.

You should try to find some inconsistency in the way the additional ' is
added. Try and see what happens if:
- You add more than one '
- You use the unicode equivalent %27
- You convert the POST to a GET by adding the parameters in the URL
- Use a proxy and see what other information is being sent in the form; any
hidden parameters?
- Is the additional quote being added through a Java script running on the
client side?
- Does the error occur in the same page that is validating and adding the
extra quote? if not, can you call the query page directly?

Good luck,
Victor

-----Original Message-----
From: Jason binger [mailto:cisspstudy () yahoo com] 
Sent: November 27, 2005 6:50 PM
To: webappsec () securityfocus com
Subject: Simple to exploit SQL Injection ?

I am reviewing a .Net web application. When entering xyz for 
a username and ' for a password into a form I receive the 
following stack trace (extract):

System.Exception: Can't Load DataReader using SQL
string: 'SELECT * FROM users WHERE username = 'xyz'
AND password = '''' -- Unclosed quotation mark before the 
character string '''. Line 1: Incorrect syntax near '''.

Now I would have thought this would be easy to exploit, but I 
can't bypass the logon page. xyz is a valid username. Any ideas?

Cheers

__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com
http://www.sm4rt.com/links

Current thread:

Simple to exploit SQL Injection ? Jason binger (Nov 28)
- Re: Simple to exploit SQL Injection ? Eoin Keary (Nov 28)
- Re: Simple to exploit SQL Injection ? Yousef Syed (Nov 28)
- RE: Simple to exploit SQL Injection ? Rich Bergmann (Nov 28)
  - Re: Simple to exploit SQL Injection ? Dean H. Saxe (Nov 29)
- RE: Simple to exploit SQL Injection ? Victor Chapela (Nov 29)
- Re: Simple to exploit SQL Injection ? bryan allott (Nov 29)
- <Possible follow-ups>
- RE: Simple to exploit SQL Injection ? Haaland, Vegar Linge (Nov 28)
  - RE: Simple to exploit SQL Injection ? Pilon Mntry (Nov 29)
- RE: Simple to exploit SQL Injection ? Griffiths, Ian (Nov 28)
- RE: Simple to exploit SQL Injection ? LAROUCHE Francois (Nov 29)
- RE: Simple to exploit SQL Injection ? Matt Fisher (Nov 30)