RE: yet another injection question

["ronen" <ronen () avnet co il>]

Thanks Jacob.

However, It seems that I didn’t explained myself correctly. Thousand
apologies.

The request that creates the user has a 'FOO' field already, and I made
sure that this field will have an explicit value.

This was done using the credentials of an existing an privileged user
(the account was accessed with good old injection techniques).

Thanks again for the help and the quick response.

Ronen.

-----Original Message-----
From: Jacob Hurley [mailto:jacobh () aos5 com] 
Sent: Tuesday, April 15, 2003 5:02 PM
To: ronen; web-app-sec list
Subject: RE: yet another injection question




the problem is with your sql query to insert into the database, it's
telling you that FOO can't be NULL.. so append to you INSERT / VALUE
statement a value for FOO

looks like the hard part is over, if it was hard  :p


Jacob Hurley




-----Original Message-----
From: ronen [mailto:ronen () avnet co il]
Sent: Tuesday, April 15, 2003 2:49 AM
To: web-app-sec list
Subject: yet another injection question


Hello all,



While pen testing a web application, and bypassing the authentication
using a basic injection, I've tried to add a user to the database
through a built-in form.



However, when sending the URL, I received the follows:



[Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value
NULL into column 'FOO', table 'BAR'; column does not allow nulls. INSERT
fails.





The request URL has a field named 'FOO', and I explicitly inserted a
value to that field.



I was logged in with a privileged user (seems to have the highest
privileges available ).



Any idea what's the reason for the mentioned ODBC error.



BTW, the system is a 'Microsoft SQL Server 7.00 - 7.00.1063' running on
Windows NT 5.0 (Build 2195: Service Pack 3).



Thanking you all in advance.



Ronen