WebApp Sec mailing list archives
Re: ODBC Injection
From: "Maxime Ducharme" <mducharme () cybergeneration com>
Date: Wed, 30 Nov 2005 14:37:36 -0500
Hello John

Try the new line trick (%0A), I remember this helped me for a ColdFusion + Access pen testing, dunno if it'll be good for you:

http://test.com/test.asp?sIdProduct=1%0AINSERT INTO products ('odbc injected product');

You may also try CR trick (%0D), results depend on the OS

HTH

Maxime Ducharme
Programmer / Network Security Specialist

----- Original Message -----
From: "John Cobb" <johnc () nobytes com>
To: <webappsec () securityfocus com>
Sent: Wednesday, November 30, 2005 6:38 AM
Subject: ODBC Injection
Hello All,

I'm testing an ecommerce app on IIS6 with an M$ Access Database and I have found some injection:

http://test.com/test.asp?sIdProduct=1

I get the following error when I insert alpha characters rather than numbers. I cannot manipulate this much, does anybody have any suggestions?

Eg: http://test.com/test.asp?sIdProduct=test

Database operations error: ODBC driver does not support the requested properties.
SELECT * FROM Products WHERE idProduct = test
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/test.asp, line 135

Thanks
John Cobb
www.nobytes.com
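
The error quoted above shows sIdProduct being pasted unquoted into the SQL text and the statement being echoed back to the client. As an added example, not code from the thread or the tested application, here is that pattern next to a hardened lookup that allow-lists the id, binds it as a parameter and returns a generic error. SQLite stands in for the Access/ODBC backend, and the function names and table rows are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample rows standing in for the Products table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Products (idProduct INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO Products VALUES (?, ?)",
                   [(1, "widget"), (2, "gadget")])
    return db

def lookup_concatenated(db, s_id_product):
    """Pattern behind the quoted error: request input becomes part of the SQL text."""
    sql = "SELECT * FROM Products WHERE idProduct = " + s_id_product
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Echoing the driver error and statement discloses the query shape.
        return "Database operations error: %s\n%s" % (exc, sql)

def lookup_hardened(db, s_id_product):
    """Allow-list the id, bind it as a parameter, keep error detail server-side."""
    # ASCII digits only and bounded length: rejects letters, spaces, CR and LF.
    if not (s_id_product.isascii() and s_id_product.isdigit()
            and len(s_id_product) <= 9):
        return "Invalid product id"
    try:
        return db.execute("SELECT * FROM Products WHERE idProduct = ?",
                          (int(s_id_product),)).fetchall()
    except sqlite3.Error:
        # Log the exception on the server; the client sees no SQL or driver text.
        return "Product lookup failed"

if __name__ == "__main__":
    db = make_db()
    # Inputs taken from the thread (URL-decoded), plus one valid id.
    for value in ["1", "test", "1\nINSERT INTO products ('odbc injected product');"]:
        print(repr(value), "->", lookup_hardened(db, value))
    print(lookup_concatenated(db, "test"))
```
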