WebApp Sec mailing list archives

Re: SQL injection


From: exon <exon () home se>
Date: Wed, 19 Jan 2005 10:11:05 +0100

Francesco wrote:
> I have just discovered that I can successfully inject the following SQL:
>
> ' OR 1=1; --
>
> into the Username field of a logon form on a "secure" site in my
> corporate network (Windows 2000, SQL 7.0).  When I do this, leaving the
> password field blank, I am logged into the system as the first user in
> the "Users" table in the DB which is being authenticated against.  LOL.
>
> If I can get that far, can't I theoretically:
>
> ' OR 1=1; DELETE Users; --


With proper SQL, yes (the above is not).

> or something similar?  Couldn't I EXEC some system sprocs this way too?

Not normally, no.

> How much damage/rooting can be done here?

No rooting, but you should be able to create a privileged account for yourself or update the password of some other user so you can use that. Google for SQL injections. You should find about 20000 pages.

> I need to present a detailed
> report to the admins.


Yeah, right.

> Thanks,
>
> Francesco
> Francesco Sanfilippo
> -------------------------------------------
> Blackcoil Productions - http://blackcoil.com
> URL123 Link Service - http://url123.com
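The root cause in the thread is a login query assembled by string concatenation, so the text typed into the Username field is parsed as SQL. The following is an added example, not code from the thread or from the affected site: it builds a constructed in-memory SQLite "Users" table (the real system was SQL Server 7.0; the table layout, user names and plaintext passwords here are assumptions made for the demonstration) and contrasts the concatenated query with a parameterized one. With the username from the thread and a blank password, the concatenated version returns the first row of the table, exactly as Francesco observed, while the parameterized version returns no match because the bound value is never interpreted as SQL.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the site's Users table.

    Passwords are stored in the clear only to mirror the thread's setup;
    a real system would store and compare password hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable form: user input is spliced into the SQL text.

    Returns the matched username, or None when no row matches.
    """
    sql = (
        "SELECT username FROM Users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Fixed form: input travels as bound parameters, never as SQL.

    The database engine compiles the statement with placeholders and
    compares the supplied strings as plain values.
    """
    sql = "SELECT username FROM Users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "' OR 1=1; --"  # the username from the thread, blank password
    db = make_db()
    print("concatenated :", login_vulnerable(db, payload, ""))     # admin
    print("parameterized:", login_parameterized(db, payload, ""))  # None
    print("real login   :", login_parameterized(db, "alice", "hunter2"))
```

The concatenated statement becomes `WHERE username = '' OR 1=1; --' AND password = ''`, so the `OR 1=1` matches every row and the comment marker discards the password check; the first row returned is the first user in the table. The parameterized statement compares the literal string `' OR 1=1; --` against the `username` column and finds nothing. The same fix applies to SQL Server via parameterized commands or stored procedures called with typed parameters rather than EXEC of concatenated text.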