RE: sql injection - missed it at bh/defcon + follow on query.

[Paul Midian <paul.midian () insight co uk>]

I got thro' a login by putting

 s') OR ('s' = 's

as both username and password.  can't remember exactly but they were doing a
select from table where username=<input> and password=<input>.  Worked for
me!

As a follow on - I'm doing another job and am having difficulty injecting
sql - I keep getting errors like 'SQL command not properly ended' or
'unterminated string' and stuff.  Anyone got any ideas?  It's Oracle on the
backend from IIS BTW.  I've tried various combo's of quotes, strings,
cr/lf's etc but there nothing going on.

Thanks,

Paul
-----Original Message-----
From: nemo latin [mailto:nemo_old () yahoo com]
Sent: 07 August 2001 20:04
To: pen-test () securityfocus com
Subject: sql injection - missed it at bh/defcon


All,

I missed the SQL injection talks at bh/defcon - must
have been my fault - I was told that they were good
presentations.  However I did see in the CD a glimpse
of some injection techniques that I tried to follow as
below.

I have a internal WEB app that has the following
characteristics:

iis 4.0 (with all patches) - I even tried the old %2e
asp display the source code and and all variants of
the showcode.asp !  darn those security conscious
admins !

input screen is javascript with a form - I can view
the input page to see the script !

form requires 2 inputs
login & password

placing a  '  in the login box produces the following
messages

Microsoft OLE DB Provider for ODBC Drivers error
'80040e14' 

[Microsoft][ODBC SQL Server Driver][SQL
Server]Unclosed quote before the character string '''.


/Login.asp, line 73 

They must not be screening out the  '  and thanks to
the error messages I know that the result is going to
be passed to an SQl server.  What next ??

I tried

'--  

in the login box and  & got a message saying that the
login name was not found

I tried

login name =   valid name
with a password of

' union select * from users where admin=1-

and the message sez the password is wrong for the
login.

I also tried

' union select * from users where admin=1-

in the login field and received a message saying that
the login was longer than 7 characters

Perhaps I am missing some intermediate step(s) ??

Any suggestions ??






__________________________________________________
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


------------Insight Consulting Limited--------------------------------
Insight Consulting Limited is a leading specialist provider of independent services in all aspects of information and 
communications security, business continuity and risk management from consultancy, implementation, testing and training 
to recruitment, research and outsourcing.
---------------------Disclaimer----------------------------------------
Internet communications are not secure and therefore Insight Consulting Limited does not accept legal responsibility 
for the contents of this message.  Any views or opinions presented are solely those of the author and do not 
necessarily represent those of Insight Consulting Limited unless otherwise specifically stated. If this message is 
received by anyone other than the addressee, please notify the sender and then delete the message and any attachments 
from your computer.
-----------------------------------------------------------------------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/