sql injection - missed it at bh/defcon

[nemo latin <nemo_old () yahoo com>]

All,

I missed the SQL injection talks at bh/defcon - must
have been my fault - I was told that they were good
presentations.  However I did see in the CD a glimpse
of some injection techniques that I tried to follow as
below.

I have a internal WEB app that has the following
characteristics:

iis 4.0 (with all patches) - I even tried the old %2e
asp display the source code and and all variants of
the showcode.asp !  darn those security conscious
admins !

input screen is javascript with a form - I can view
the input page to see the script !

form requires 2 inputs
login & password

placing a  '  in the login box produces the following
messages

Microsoft OLE DB Provider for ODBC Drivers error
'80040e14' 

[Microsoft][ODBC SQL Server Driver][SQL
Server]Unclosed quote before the character string '''.


/Login.asp, line 73 

They must not be screening out the  '  and thanks to
the error messages I know that the result is going to
be passed to an SQl server.  What next ??

I tried

'--  

in the login box and  & got a message saying that the
login name was not found

I tried

login name =   valid name
with a password of

‘ union select * from users where admin=1—

and the message sez the password is wrong for the
login.

I also tried

‘ union select * from users where admin=1—

in the login field and received a message saying that
the login was longer than 7 characters

Perhaps I am missing some intermediate step(s) ??

Any suggestions ??






__________________________________________________
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/