Penetration Testing mailing list archives

Re: SQL Injection question


From: "Adam Tuliper" <amt () gecko-software com>
Date: Mon, 05 Jan 2004 17:10:25 -0500

Hi Sasa,
You mentioned it gave you a:
"500 Internal Server Error" without any useful information
about the error reason or underlying database structure.

Do you by any chance have "show friendly http error
messages" checked on in the IE settings?


Adam Tuliper
Gecko Software LLC.


----- Original Message -----
From: Sasa Jusic
To: 'pen-test () securityfocus com'
Sent: Monday, January 05, 2004 7:53 AM
Subject: SQL Injection question


Hi group,

I am conducting a pen test for a customer, and for the last few days I have been struggling with their Web application running on an Apache/mod_ssl Web server using the CGI interface. During the initial assessment I found several Web forms using the POST method, so I began searching for SQL injection vulnerabilities.

The problem is that the forms are well protected, and they only accept numeric values, so I can't insert any malicious characters to test for SQL vulnerabilities. Then I discovered that the form input validation is done with JavaScript code on the client side, so I used the Paros proxy tool for intercepting and modifying the submitted form values. In this way I managed to submit arbitrary data to the server, and the server response was "500 Internal Server Error" without any useful information about the error reason or underlying database structure. I tried various combinations typical for SQL injection assessment, but the response was always the same.

In several places I have read that this type of error is one of the possible indicators of SQL injection problems, so I would like to examine this problem more carefully.

How can I know if this is really a SQL injection problem or some other error? Is there any way I can elicit some more information about the structure of the database or any other useful information I can use for further testing?

I don't have much practical experience with SQL injection, so I would really appreciate any help.

Best regards,

Sasa.
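
An added illustration, not part of either message and not the customer's application: it shows why a bare 500 is ambiguous when validation exists only in the browser, and what server-side handling of the same field looks like. The handler names, the `orders` table and the use of SQLite are assumptions made for the example.

```python
import sqlite3

def make_db():
    # Constructed sample data, held in memory only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)",
                   [(1, "widget"), (2, "gadget")])
    return db

def serve(handler, db, form):
    """Mimics the web server: any uncaught exception becomes a bare 500."""
    try:
        return handler(db, form)
    except Exception:
        return 500, "Internal Server Error"

def concat_handler(db, form):
    # Relies on the browser's JavaScript check; the value is spliced into
    # the SQL text, so non-numeric input breaks (or alters) the statement.
    sql = "SELECT item FROM orders WHERE id = " + form["id"]
    return 200, db.execute(sql).fetchall()

def crash_handler(db, form):
    # The query is parameterized, so it is not injectable, but int()
    # raises on non-digits: the same bare 500 with a different cause.
    row_id = int(form["id"])
    return 200, db.execute("SELECT item FROM orders WHERE id = ?",
                           (row_id,)).fetchall()

def validated_handler(db, form):
    # The numeric rule is re-checked on the server and the value is bound
    # as a parameter; bad input gets a deliberate 400, never a 500.
    value = form.get("id", "")
    if not (value.isascii() and value.isdigit() and len(value) <= 9):
        return 400, "Bad Request"
    return 200, db.execute("SELECT item FROM orders WHERE id = ?",
                           (int(value),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for handler in (concat_handler, crash_handler, validated_handler):
        for raw in ("2", "abc"):  # constructed form values
            print(handler.__name__, repr(raw), serve(handler, db, {"id": raw}))
```

The first two handlers return an identical 500 for the non-numeric value, so the status code alone does not separate an injectable query from an unhandled parsing error; the server-side error log does.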

