Penetration Testing mailing list archives
RE: SQL Injection question
From: "Tibor Biro" <tiborbiro () rogers com>
Date: Mon, 5 Jan 2004 15:54:26 -0500
Hi Sasa,

What you have is probably a blind SQL injection vulnerability. There are several good documents out there that can help you with clues and SQL constructs that give you some information. I found this document good for my purposes: http://www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf

You can get anything without actually seeing the results, just follow the white rabbit. It will help if you script the requests as you will need a huge amount of requests to extract actual data.

Google can also help you: http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=blind+SQL+injection&meta=

Regards,
Tibor
-----Original Message-----
From: Sasa Jusic [mailto:sjusic () pamela zesoi fer hr]
Sent: January 5, 2004 7:54 AM
To: 'pen-test () securityfocus com'
Subject: SQL Injection question

Hi group,

I am conducting a pen test for a customer, and for the last few days I have been struggling with their Web application running on an Apache/mod_ssl Web server using the CGI interface. During the initial assessment I found several Web forms using the POST method, so I began searching for SQL injection vulnerabilities.

The problem is that the forms are well protected, and they only accept numeric values, so I can't insert any malicious characters to test for SQL vulnerabilities. Then I discovered that the form input validation is done with JavaScript code on the client side, so I used the Paros proxy tool for intercepting and modifying the submitted form values. In this way I managed to submit arbitrary data to the server, and the server response was "500 Internal Server Error" without any useful information about the reason for the error or the underlying database structure. I tried various combinations typical for SQL injection assessment, but the response was always the same.

In several places I have read that this type of error is one of the possible indicators of SQL injection problems, so I would like to examine this problem more carefully. How can I know if this is really a SQL injection problem or some other error? Is there any way I can elicit more information about the structure of the database, or any other useful information I can use for further testing? I don't have much practical experience with SQL injection, so I would really appreciate any help.

Best regards,
Sasa.
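The symptom Sasa describes (a bare "500 Internal Server Error" once the client-side JavaScript check is bypassed) is what a CGI handler produces when it trusts the browser to supply a number and the database rejects the concatenated statement. The following is an added illustration, not code from either poster or from the customer's application: a minimal handler in the trusting style beside the hardened form, using a constructed in-memory SQLite table because the thread does not name the real DBMS or schema.

```python
import re
import sqlite3

# Constructed stand-in for the backend database (schema and data are invented).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT)")
conn.executemany("INSERT INTO orders VALUES (?, ?)", [(1, "alice"), (2, "bob")])


def lookup_trusting_client(order_id):
    """Handler that relies on the form's JavaScript to guarantee a number.

    When the request is replayed through a proxy with arbitrary text, the
    concatenated SQL is malformed and the database raises. An unhandled
    exception in a CGI script is reported by the web server as a generic
    '500 Internal Server Error' with no detail, which is exactly the
    symptom in the thread: informative to a tester, useless to the user.
    """
    sql = "SELECT customer FROM orders WHERE id = " + order_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return (500, "Internal Server Error")
    return (200, row[0] if row else "not found")


def lookup_hardened(order_id):
    """Re-validates on the server and binds the value as a query parameter.

    Client-side validation is a usability feature, not a control. Here the
    server enforces the numeric contract itself and rejects bad input with
    a 400 before any SQL runs, so a probe can no longer tell 'query broke'
    from 'input refused'. Parameter binding means the value can never alter
    the shape of the statement even if validation were later loosened.
    """
    if not re.fullmatch(r"[0-9]{1,9}", order_id):
        return (400, "Bad Request: numeric id required")
    row = conn.execute(
        "SELECT customer FROM orders WHERE id = ?", (int(order_id),)
    ).fetchone()
    return (200, row[0] if row else "not found")


if __name__ == "__main__":
    # Inputs a proxy-modified form could deliver once the JS check is bypassed.
    for value in ["2", "2'", "abc"]:
        print(repr(value), lookup_trusting_client(value), lookup_hardened(value))
```

Running it shows the trusting handler answering 200 for a well-formed id but 500 for anything the database cannot parse, while the hardened handler answers 200 or 400 and never reaches the database with unvalidated text.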
Current thread:
- SQL Injection question Sasa Jusic (Jan 05)
- Re: SQL Injection question Jeff Williams @ Aspect (Jan 05)
- RE: SQL Injection question Yvan Boily (Jan 05)
- Re: SQL Injection question Adam Tuliper (Jan 05)
- Reverse Engineering thoughts n30 (Jan 07)
- Re: Reverse Engineering thoughts Riad S. Wahby (Jan 07)
- Re: Reverse Engineering thoughts johnny cyberpunk (Jan 07)
- RE: Reverse Engineering thoughts Brett Moore (Jan 07)
- Re: Reverse Engineering thoughts Adam Tuliper (Jan 07)
- RE: SQL Injection question Yvan Boily (Jan 05)
- Re: SQL Injection question Jeff Williams @ Aspect (Jan 05)
- RE: SQL Injection question Tibor Biro (Jan 05)
- <Possible follow-ups>
- RE: SQL Injection question Lachniet, Mark (Jan 05)
- RE: SQL Injection question Scovetta, Michael V (Jan 05)
- SQL injection question John (Jan 21)
- Re: SQL injection question .Saphyr (Jan 22)