Penetration Testing mailing list archives
Re: [PEN-TEST] Hacking SQL queries ...
From: "Aaron C. Newman" <aaron () NEWMAN-FAMILY COM>
Date: Wed, 7 Feb 2001 22:27:55 -0500
There IS actually an input filter on %input%. That is why the input 'test becomes the output ''test in the SQL query. Doubling the quotes causes just about any database engine to view the quote as part of the parameter rather than as the end of the parameter. So exploiting the issue brought up by rfp is a bit more difficult. In this case you need a way to outsmart the input filter and insert a single quote without it being doubled. How exactly to escape out the second quote added by the input filter depends on which system, database, and network software are being used.
-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Philip Wagenaar
Sent: Wednesday, February 07, 2001 7:34 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Hacking SQL queries ...

Be sure to put an input filter on %input%. If somebody enters a string containing ' it will crash the query.

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Aurobindo Sundaram (+1 512 918 1390)
Sent: Wednesday, 7 February 2001 21:08
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Hacking SQL queries ...

I have to audit a bit of code that does the following:

SELECT Name FROM Users WHERE Name LIKE '%input%' ORDER BY Name

where input is the user input. When I try the input 'test, the code generated is

SELECT Name FROM Users WHERE Name LIKE '%''test%' ORDER BY Name

Since I'm an SQL newbie, I'd be curious to know how someone could supply the appropriate input to do bad things on the SQL server - either in R/O or R/W mode. If there are SQL hacking pages someplace, a link would be appreciated.

Thanks,
Robin
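The exchange above turns on three observations: an unfiltered quote breaks the query, doubling the quote makes the database treat it as part of the string literal, and the real fix is to stop building SQL by concatenation. The following is an added example written for this archive page; it is not code from any participant in the thread. It uses Python's built-in sqlite3 module as a stand-in database (the thread names none) and a constructed Users table, reproduces the quote-doubling filter and the LIKE query exactly as Robin posted them, and contrasts them with a bound parameter. It also shows a caveat the filter does not cover: % and _ are LIKE wildcards, not quotes, so doubling quotes leaves them active unless the pattern is escaped.

```python
import sqlite3

# Constructed sample data for this demonstration (not from the original thread).
SAMPLE_USERS = ["alice", "bob", "o'brien", "test_user", "50%off"]


def make_db():
    """In-memory SQLite database with a Users table shaped like the one in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT)")
    conn.executemany("INSERT INTO Users (Name) VALUES (?)", [(u,) for u in SAMPLE_USERS])
    return conn


def double_quotes(value):
    """The input filter Aaron describes: every single quote becomes two."""
    return value.replace("'", "''")


def build_query(value, filtered=True):
    """The concatenated query from Robin's post, with or without the doubling filter."""
    if filtered:
        value = double_quotes(value)
    return f"SELECT Name FROM Users WHERE Name LIKE '%{value}%' ORDER BY Name"


def run_concatenated(conn, value, filtered=True):
    """Run the concatenated query. Returns (rows, error) where error is None on success,
    so the 'crash the query' case Philip mentions is visible as a returned message."""
    try:
        rows = [r[0] for r in conn.execute(build_query(value, filtered))]
        return rows, None
    except sqlite3.OperationalError as exc:
        return [], str(exc)


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so user text is matched literally.
    Quote doubling says nothing about % and _, which are wildcards inside LIKE."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def run_parameterized(conn, value):
    """Bound parameter: the quote never reaches the SQL parser as syntax, and the
    ESCAPE clause keeps % and _ in the user's text literal as well."""
    pattern = "%" + escape_like(value) + "%"
    sql = "SELECT Name FROM Users WHERE Name LIKE ? ESCAPE '\\' ORDER BY Name"
    return [r[0] for r in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    print(build_query("'test"))                       # the exact SQL Robin saw
    print(run_concatenated(db, "'test", filtered=False))  # unfiltered: syntax error
    print(run_concatenated(db, "'test"))              # filtered: no error, no rows
    print(run_concatenated(db, "%"))                  # filtered, but % still matches every row
    print(run_parameterized(db, "%"))                 # bound + escaped: only the literal %
```

Running the block shows the filtered query string matching the one in Robin's post, the unfiltered query failing with a parse error, and the wildcard input returning every row through the filter but only the literal match through the parameterized version. For an audit, the finding is that the doubling filter is a partial mitigation for the string-literal context only; a bound parameter removes the parsing problem outright, and escaping LIKE metacharacters is a separate, additional step.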