Penetration Testing mailing list archives

Re: SQL Injection


From: "Sverre H. Huseby" <shh () thathost com>
Date: Sat, 8 Sep 2001 16:28:34 +0200

[Kevin Spett]

|   I would like to know if there are other ways of doing this.

You could look for a place where your input is stored in a database
without validation, and insert a sub-select that picks up the
information you want.

Example: I was working my way through a system yesterday.  In this
system I could register new users.  On the user preferences page, I
could change my E-mail address.  Fortunately, the programmers had
forgotten to "wash" the input, so I was able to enter the following as
my E-mail address:

  ' + (SELECT password FROM users WHERE username='foobar') + '

The + signs are used for string concatenation in MS SQL Server.  After
entering this text, my E-mail field was updated to contain the
password of the user foobar.  (Long live clear text passwords! :) )

My input probably resulted in an SQL query that looks like this:

  UPDATE users
  SET email='' + (SELECT password FROM users WHERE username='foobar') + ''
             ------------------------------------------------------------
  WHERE username='sverre'

The underlined text is the "E-mail address" provided by me.

Hope this helps a little bit.


Sverre.

-- 
shh () thathost com                     Try my Nerd Quiz at
http://shh.thathost.com/                http://nerdquiz.thathost.com/
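The UPDATE Sverre describes, as an added example that is not part of the original post: the statement built by string concatenation beside its parameterized form, run against an in-memory SQLite database with constructed rows. SQLite uses || where MS SQL Server uses +, so the quoted "E-mail address" is adapted accordingly; table name, columns and sample values are assumptions.

```python
import sqlite3

# Constructed sample data: two users, cleartext passwords as in the post.
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, email TEXT);
INSERT INTO users VALUES ('foobar', 'secret123', 'foobar@example.invalid');
INSERT INTO users VALUES ('sverre', 'hunter2', 'sverre@example.invalid');
"""

# The input from the post, with SQLite's || in place of MS SQL Server's +.
PAYLOAD = "' || (SELECT password FROM users WHERE username='foobar') || '"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def update_email_unsafe(conn, username: str, email: str) -> None:
    # Vulnerable: the input is spliced into the statement text, so the quote
    # in the input closes the literal and the sub-select runs as SQL.
    sql = f"UPDATE users SET email='{email}' WHERE username='{username}'"
    conn.execute(sql)
    conn.commit()


def update_email_safe(conn, username: str, email: str) -> None:
    # Hardened: bound parameters travel as values, never as statement text,
    # so the same input is stored byte for byte and no sub-select executes.
    conn.execute("UPDATE users SET email=? WHERE username=?", (email, username))
    conn.commit()


def email_of(conn, username: str) -> str:
    row = conn.execute("SELECT email FROM users WHERE username=?", (username,))
    return row.fetchone()[0]


def demo() -> tuple:
    # Returns (email after unsafe update, email after safe update).
    unsafe, safe = fresh_db(), fresh_db()
    update_email_unsafe(unsafe, "sverre", PAYLOAD)
    update_email_safe(safe, "sverre", PAYLOAD)
    return email_of(unsafe, "sverre"), email_of(safe, "sverre")


if __name__ == "__main__":
    leaked, stored = demo()
    print("concatenated query stored:", leaked)   # foobar's password
    print("parameterized query stored:", stored)  # the literal input
```

Logging the literal stored value, as the safe path does, is also what a reviewer would want to see in an audit trail: the input stays data, and a stored-value check on the email column catches the attempt.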
