Penetration Testing mailing list archives
RE: How to evade white spaces in a SQL injection
From: "Jeff Bryner" <jeff () jeffbryner com>
Date: Mon, 29 Mar 2004 22:08:43 -0800
Tough to give more without specifics but you could aim for a query like:

select * from users where useid=useid+1

or

select * from users where useid=''+1

The 2nd one is more likely since they're probably adding the ' character to whatever you enter. So you'd enter '+1-- as the username. The first ' ends the ' they add, the +1 tells sql to add 1 to a character field, which it can't do, the -- comments out the remainder of the query so it doesn't get parsed. SQL will then return an error telling you it can't convert some valid username to an int to complete your request for adding 1 to the username.

For example in sql try the following queries and see the return:

select * from sysusers where user=user+1
select * from sysusers where user=''+1

You'll get a message telling you that it can't convert some username to int. This will tell you a valid username, then you go for a password... then you're in!

Jeff.

-----Original Message-----
From: Falcifer [mailto:falcifer2001 () yahoo es]
Sent: Thursday, March 25, 2004 4:35 PM
To: jeff () jeffbryner com
Cc: pen-test () securityfocus com
Subject: Re: How to evade white spaces in a SQL injection

Sorry, but I don't understand it. Can you explain it a bit more? Suppose that the original query is:

select * from users where useid=&my_user_without_spaces and password=&password

where &my_user_without_spaces and &password are the inputs submitted by the web form, but both vars without spaces.

Thanks

On Thu, 25-03-2004 at 18:13, Jeff Bryner wrote:
--- Falcifer <falcifer2001 () yahoo es> wrote:

Hi, I've one application coded in asp with a login form and the only character that it validates is the white space. Can I perform a sql injection on it? How?

SQL is nice enough to do some automatic parsing for you.. so select''+@@version will work. Of course if the validation is client side, just bypass it.

=====
Jeff
-----------------------
You... you can't dump me! I'm using your name for all my passwords! What exactly am I supposed to do about that!?
- Justin Simoni
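As an added illustration (not code from the thread or from either poster), the login pattern Falcifer describes, a check that rejects only white space and then glues the inputs into the SQL text, sits beside the parameterized form that makes Jeff's '+1-- username inert. The column name useid and the '+1-- input are taken from the thread; the users table contents are constructed, and the in-memory SQLite database stands in for the real server, so it does not reproduce SQL Server's conversion error, but it does show that the filter passes the input and that the -- comment swallows the password check.

```python
import sqlite3

# Constructed sample data standing in for the ASP application's users table.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (useid TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def passes_whitespace_filter(value):
    """The only validation the thread describes: reject white space, nothing else."""
    return not any(ch.isspace() for ch in value)


def build_concatenated_query(useid, password):
    """Vulnerable pattern: each input is wrapped in quotes and glued into the SQL
    text, so quote, plus and comment characters in the input become SQL syntax."""
    return f"select * from users where useid='{useid}' and password='{password}'"


def login_concatenated(conn, useid, password):
    if not (passes_whitespace_filter(useid) and passes_whitespace_filter(password)):
        return None  # the filter fires only on white space
    return conn.execute(build_concatenated_query(useid, password)).fetchall()


def login_parameterized(conn, useid, password):
    """Hardened form: values travel separately from the SQL text, so the same
    input is compared as a plain string and can never change the query."""
    return conn.execute(
        "select * from users where useid=? and password=?", (useid, password)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "'+1--"  # the username from the thread: it contains no white space
    print(passes_whitespace_filter(payload))        # True: the filter lets it through
    print(build_concatenated_query(payload, "x"))   # the password clause now sits behind --
    # Executes without a syntax error: SQLite just returns no rows, while SQL Server
    # would raise the conversion error Jeff describes for ''+1.
    print(login_concatenated(conn, payload, "x"))
    print(login_parameterized(conn, payload, "x"))  # []: treated as a literal username
```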