Re: Checking for SQL Injection

["kevin horvath" <kevin.horvath () gmail com>]

Just to clarify when I say delay I meant what the tool is using for a
waitfor delay.  That is of course if this is what its using for its
blind sql injection.  so if its using a delay of 10 seconds you should
verify by doing the same command and see if you dont get a response
until the 10 second delay is over.  Also to clarify you need to
manually do this multiple times if your doing this over a WAN to make
sure latency isnt an issue since this is a time based attack.  Good
luck.

On Wed, Sep 3, 2008 at 4:17 PM, kevin horvath <kevin.horvath () gmail com> wrote:
> a couple of points here.  It could be using a time based injection
> (waitfor delay). Its possible that its injecting this into one of the
> vid parameters but you would need to decode/decrypt these parameters
> to see (or look at the tool and see what and how its doing its
> injecting. Its not doing it on the basic authorization so it must be
> the vid as the injection point.  But to verify this you need to know
> what the delay is and verify that it is working by doing these
> mulitple times (to take into account any delay over the WAN). So you
> should do this test manually to see if this is the case. It could also
> be comparing responses for differences but you need to verify this
> manually and try your own injection and compare to see if there is any
> difference (note burp suite is an excellent tool for this).
>
> Kevin
>
> On Mon, Sep 1, 2008 at 4:35 AM, GT GERONIMO, Frederick Joseph B.
> <fbgeronimo () globetel com ph> wrote:
> > Hello,
> >
> > I ran a tool to verify if a website had SQL Injection. The tool detected
> > Blind SQL Injection vulnerability. I have pasted the request and
> > response below.
> >
> > Would you say that the tool's evaluation is accurate?
> >
> > Is there anything that the web application can be doing to make this a
> > false-positive?
> >
> > Thanks.
> >
> >
> > HTTP REQUEST
> > ============
> >
> > GET /prototype03/vulnerable.php?vid=zJrt&act=viewed&page=0.01 HTTP/1.0
> > Accept: */*
> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
> > 1.1.4322)
> > Host: www.victim.com
> > Authorization: Basic dTI0Y29tcGg6PCEzIzw3PjlBQnVu
> > Cookie:
> > PHPSESSID=b4499547c0c4f399ba649181d5e67f5c;vid11=6512bd43d9caa6e02c990b0
> > a82652dca;vid2=c81e728d9d4c2f636f067f89cc14862c;vid4=a87ff679a2f3e71d918
> > 1a67b7542122c;vid8=c9f0f895fb98ab9159f51fd0297e236d;vid9=45c48cce2e2d7fb
> > dea1afc51c7c6ad26;vid7=8f14e45fceea167a5a36dedd4bea2543
> > Connection: Close
> > Pragma: no-cache
> >
> >
> > HTTP RESPONSE
> > =============
> >
> > HTTP/1.1 200 OK
> > Date: Fri, 29 Aug 2008 10:00:08 GMT
> > Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b
> > mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
> > PHP/5.2.6
> > X-Powered-By: PHP/5.2.6
> > Expires: Thu, 19 Nov 1981 08:52:00 GMT
> > Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
> > pre-check=0
> > Pragma: no-cache
> > Connection: close
> > Content-Type: text/html
> >
> > This e-mail message (including attachments, if any) is intended for the use of the individual or the entity to whom 
> > it is addressed and may contain information that is privileged, proprietary, confidential and exempt from 
> > disclosure. If you are not the intended recipient, you are notified that any dissemination, distribution or copying 
> > of this communication is strictly prohibited. If you have received this communication in error, please notify the 
> > sender and delete this E-mail message immediately.
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Top 5 Common Mistakes in
> > Securing Web Applications
> > Get 45 Min Video and PPT Slides
> >
> > www.cenzic.com/landing/securityfocus/hackinar
> > ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------