RE: SQL Injection question

["Tibor Biro" <tiborbiro () rogers com>]

Hi Sasa,

What you have is probably a blind SQL injection vulnerability. There are
several good documents out there that can help you with clues and SQL
constructs that give you some information. 

I found this document good for my purposes:
http://www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf

You can get anything without actually seeing the results, just follow
the white rabbit. It will help if you script the requests as you will
need a huge amount of requests to extract actual data.

Google can also help you:
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=blind+SQL+injecti
on&meta=

Regards,
Tibor

> -----Original Message-----
> From: Sasa Jusic [mailto:sjusic () pamela zesoi fer hr]
> Sent: January 5, 2004 7:54 AM
> To: 'pen-test () securityfocus com'
> Subject: SQL Injection question
>
> Hi group,
>
> I am conducting a Pen test for a customer, and last few days I have
been
> struggling with their Web application running on Apache/mod_ssl Web
Server
> using CGI interface. During the initial assessment I found several Web
> forms
> using POST method, so I began searching for SQL Injection
Vulnerabilities.
> The problem is that forms are well protected, and they are only
accepting
> numeric values, so I can't insert any malicious characters to test for
SQL
> vulnerabilities. Then I discovered that the form input validation is
done
> with JavaScript code on the client side, so I used the Paros proxy
tool
> for
> intercepting and modification of submitted form values. In this way I
> managed to submit the arbitrary data to the server, and the server
> response
> was "500 Internal Server Error" without any useful information about
the
> error reason or underlying database structure. I tried various
> combinations
> typical for SQL Injection assessment, but the response was always the
> same.
>
> On several places I have red that this type of error is one of the
> possible
> indicators of SQL Injection problems, so I would like to examine this
> problem more carefully.
>
> How can I know if this is really a SQL Injection problem or some other
> error? Is there any way I can elicit some more information about the
> structure of the database or any other useful information I can use
for
> further testing?
>
> I don't have much practical experience with SQL Injection so I would
> really
> appreciate any help.
>
> Best regards,
>
> Sasa.
------------------------------------------------------------------------
--
> -
------------------------------------------------------------------------
--
> --


---------------------------------------------------------------------------
----------------------------------------------------------------------------