Penetration Testing mailing list archives

SQL Injection - SQL query comments


From: suntzu123 () gmail com
Date: 17 Dec 2005 02:23:25 -0000

Hi list,

recently we came across a client engagement related to the client's web site. During the assessment, it turned out that a PHP search page was possibly vulnerable to an SQL injection, given that if we feed the search field of the page with the following classic input "hi' or 1=1" (without quotes), it returns the SQL query of the underlying PHP page (the user input goes between the %% pair in the LIKE clause):


SELECT ID, NAME, CLUB_CATEGORY_ID, ADDRESS, DRINK_PRICE, AREA_ID, PHONES, ARTISTS FROM CLUB WHERE ACTIVE = 1 AND NAME LIKE '%hi' or 1=1%' AND ID >0 ORDER BY NAME

The issue is that, when I tried to feed it with a statement such as "' UNION SELECT username FROM USERS WHERE username like '%' --" (without the double quotes, and focusing on getting a list of user names by commenting out the rest of the query), we ended up with the following error:

Error during SQL execution
SELECT ID, NAME, CLUB_CATEGORY_ID, ADDRESS, DRINK_PRICE, AREA_ID, PHONES, ARTISTS FROM CLUB WHERE ACTIVE = 1 AND NAME LIKE '%' UNION SELECT username FROM USERS WHERE username like '%' --

Given the assumption that MySQL is running behind this PHP page, we failed to get the usernames from the MySQL system table "users"; the obvious result from this output is that the comments did not work as intended.

Have you ever faced such a situation? Reading the documentation of all major databases (MS SQL, Oracle, MySQL, Informix, Ingres, Postgres, etc.) it turns out that all of these databases should implement the universal "--" commenting mechanism in their SQL queries.

What am I missing here?

Thanks in advance for your help,

st
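An added example, not part of the original post or the client's PHP page, showing the defect the post describes beside its fix: the search term is concatenated into the SQL text between the %% pair, so a quote in the input reaches the parser as code, whereas a bound parameter with an ESCAPE clause keeps it as data. It uses SQLite in memory as a stand-in for the MySQL backend (an assumption; SQLite's comment and operator handling differs from MySQL's, so only the quoting behaviour is being illustrated) and the CLUB table and sample rows are constructed for the demo.

```python
import sqlite3

# Constructed sample rows for the CLUB table named in the post; the column set
# follows the query the post quotes, the values are invented for this demo.
ROWS = [
    (1, "Hideaway", 1, "1 Main St", 5, 1, "555-0100", "DJ A", 1),
    (2, "Blue Note", 2, "2 High St", 7, 1, "555-0101", "Band B", 1),
    (3, "Old Mill", 1, "3 Low St", 4, 2, "555-0102", "Trio C", 1),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CLUB (ID INTEGER, NAME TEXT, CLUB_CATEGORY_ID INTEGER, "
                 "ADDRESS TEXT, DRINK_PRICE INTEGER, AREA_ID INTEGER, PHONES TEXT, "
                 "ARTISTS TEXT, ACTIVE INTEGER)")
    conn.executemany("INSERT INTO CLUB VALUES (?,?,?,?,?,?,?,?,?)", ROWS)
    return conn

def search_vulnerable(conn, term):
    # The pattern the post describes: the search term is pasted into the SQL
    # text between the %% pair, so quotes in it rewrite the query.
    sql = ("SELECT ID, NAME FROM CLUB WHERE ACTIVE = 1 AND NAME LIKE '%" + term +
           "%' AND ID > 0 ORDER BY NAME")
    return [row[1] for row in conn.execute(sql)]

def escape_like(term, esc="\\"):
    # Neutralise LIKE metacharacters so user input can only match literally.
    return term.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")

def search_safe(conn, term):
    # Hardened form: a bound parameter carries the pattern as data, never as SQL,
    # and ESCAPE stops '%' / '_' in the input from acting as wildcards.
    sql = ("SELECT ID, NAME FROM CLUB WHERE ACTIVE = 1 AND NAME LIKE ? ESCAPE '\\' "
           "AND ID > 0 ORDER BY NAME")
    return [row[1] for row in conn.execute(sql, ("%" + escape_like(term) + "%",))]

def compare(term):
    # Run both variants on one search term; "error" means the engine rejected the
    # concatenated SQL, i.e. the input reached the parser as code.
    conn = make_db()
    try:
        vulnerable = search_vulnerable(conn, term)
    except sqlite3.OperationalError:
        vulnerable = "error"
    return vulnerable, search_safe(conn, term)

if __name__ == "__main__":
    for term in ("hi", "hi' or 1=1", "%"):
        print(repr(term), "->", compare(term))
```

The third term shows a second, quieter defect of the concatenated version: a bare wildcard in the input matches every row, while the escaped parameter treats it as a literal character.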

