Penetration Testing mailing list archives

Re: SQL


From: "Sverre H. Huseby" <shh () thathost com>
Date: Tue, 20 Nov 2001 07:25:34 +0100

[Gary O'leary-Steele]

|   I am doing a pen test against an IIS 5 web server. The web server
|   requires a user name and password via a logon form. If a single
|   quote character is entered (username), the following error is
|   produced:
|   
|   [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
|   before the character string '' and password=''.
|   
|   I remember reading somewhere that this can be used to gain further
|   access? But I can't find the info.

Try to guess a user name, for instance "john", and enter the following
in the user name field:

  john' --

Leave the password empty (or enter anything).  The two dashes will
comment out the password test.

If the program fails to check that just a single record is returned,
you can try the following:

  ' or true --

You will then get logged in as the first user returned from the
database.


Sverre.

-- 
shh () thathost com                     Play my free Nerd Quiz at
http://shh.thathost.com/                http://nerdquiz.thathost.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
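
Added example, not part of the original post: a login check built by string concatenation (the query shape the quoted ODBC error implies) next to a parameterized version that also enforces the single-record check mentioned in the reply. The table and column names and the sample rows are assumptions, and SQLite stands in for SQL Server so the block runs offline.

```python
import sqlite3

def make_db():
    """Constructed sample data; SQLite stands in for the SQL Server back end."""
    conn = sqlite3.connect(":memory:")
    # No index on purpose, so rows come back in insertion order.
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext passwords only mirror the query in the error message;
    # a real table would hold password hashes.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("john", "j-secret")])
    return conn

def login_vulnerable(conn, username, password):
    """Concatenated query: user input becomes part of the SQL text."""
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' and password='" + password + "'")
    row = conn.execute(sql).fetchone()  # takes the first row, never counts them
    return row[0] if row else None

def login_safe(conn, username, password):
    """Bound parameters: input is always data, never SQL text."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchall()
    # Defence in depth: a login must match exactly one record.
    return rows[0][0] if len(rows) == 1 else None

if __name__ == "__main__":
    conn = make_db()
    # The inputs below are the ones given in the post above.
    for user, pw in [("john", "j-secret"), ("john' --", ""), ("' or true --", "")]:
        print(repr(user), "->",
              "vulnerable:", login_vulnerable(conn, user, pw),
              "| parameterized:", login_safe(conn, user, pw))
```

With the parameterized query, both inputs from the post are compared as literal user names and match no record.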

