WebApp Sec mailing list archives
RE: ODBC Injection
From: "Brett Moore" <brett.moore () security-assessment com>
Date: Thu, 1 Dec 2005 09:23:17 +1300
Hey..
ODBC driver does not support the requested properties.
the script is trying to work with an unpopulated recordset. The code would look ' in theory ' similar to;

----------------------------------------
Set Conn = Server.CreateObject("ADODB.Connection")
Set Rs = Server.CreateObject("ADODB.Recordset")
Conn.Open dsn
SQL = "SELECT foo FROM blah where something=" & request("sIdProduct")
rs.open sql,conn
response.write rs("FIELD")
----------------------------------------

As the result of the returned recordset is not checked the 'response.write' is attempting to work on an empty recordset.

Brett Moore
Network Intrusion Specialist, CTO
Security-Assessment.com

-----Original Message-----
From: John Cobb [mailto:johnc () nobytes com]
Sent: Thursday, 1 December 2005 12:39 a.m.
To: webappsec () securityfocus com
Subject: ODBC Injection

Hello All,

I'm testing an ecommerce app on IIS6 with an M$ Access Database and I have found some injection:

http://test.com/test.asp?sIdProduct=1

I get the following error when I insert alpha characters rather than numbers. I cannot manipulate this much, does anybody have any suggestions?

Eg: http://test.com/test.asp?sIdProduct=test

Database operations error: ODBC driver does not support the requested properties.
SELECT * FROM Products WHERE idProduct = test
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/test.asp, line 135

Thanks

John Cobb
www.nobytes.com
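
A hardened form of the sketch in the reply above, as an added example that is not part of the original post or of the application under test: it validates `sIdProduct` as digits, binds it as an ADO parameter instead of concatenating it into the SQL string, and checks the recordset before reading a field. The table and column names are carried over from the sketch; where `dsn` comes from, the `IsDigits` helper and the response messages are assumptions.

```vbscript
<%
Option Explicit

' ADO constants (values from adovbs.inc), declared inline so the page is self-contained
Const adInteger = 3
Const adParamInput = 1
Const adCmdText = 1
Const adStateOpen = 1

Dim dsn, rawId, conn, cmd, rs

dsn = Application("dsn")   ' assumption: connection string kept in application state
rawId = Trim(Request.QueryString("sIdProduct") & "")

' Reject anything that is not a short run of digits before touching the database
If Not IsDigits(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid product id."
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open dsn

' Bound parameter: the value is sent as typed data, never as SQL text
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT foo FROM blah WHERE something = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(rawId))

Set rs = cmd.Execute

' Only read a field when the recordset is open and actually holds a row
If rs.State = adStateOpen Then
    If rs.EOF Then
        Response.Write "No such product."
    Else
        Response.Write Server.HTMLEncode(rs("foo") & "")
    End If
    rs.Close
End If
conn.Close

' Hypothetical helper: True only for 1 to 9 ASCII digits (fits a VBScript Long)
Function IsDigits(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsDigits = re.Test(s)
End Function
%>
```

Generic messages replace the raw driver error, so a failed lookup no longer echoes the SQL statement back to the client.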