WebApp Sec mailing list archives
RE: Simple to exploit SQL Injection ?
From: "Griffiths, Ian" <Ian.Griffiths () liv-coll ac uk>
Date: Mon, 28 Nov 2005 12:42:44 -0000
Two worries there - ' is going without any escape, plus it would appear that passwords are stored in the db as plain text.

I don't have a specific exploit but it should be possible to terminate the SQL string with ', add a semi-colon, put in some extra SQL, and a further semi-colon to put what would have been the rest of the SQL query on a final, and possibly syntactically incorrect line.

Ian

-----Original Message-----
From: Jason binger [mailto:cisspstudy () yahoo com]
Sent: 28 November 2005 00:50
To: webappsec () securityfocus com
Subject: Simple to exploit SQL Injection ?

I am reviewing a .Net web application. When entering xyz for a username and ' for a password into a form I receive the following stack trace (extract):

System.Exception: Can't Load DataReader using SQL string: 'SELECT * FROM users WHERE username = 'xyz' AND password = '''' -- Unclosed quotation mark before the character string '''. Line 1: Incorrect syntax near '''.

Now I would have thought this would be easy to exploit, but I can't bypass the logon page. xyz is a valid username.

Any ideas?

Cheers
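Added example, not part of the original thread and not the application's code: the two worries raised in the reply (an unescaped ' and plain-text passwords) shown as the concatenated query beside a parameterized, hashed check. It assumes Python with an in-memory SQLite database in place of the .Net application; the table layouts, function names and sample password are constructed for illustration.

```python
import hashlib, hmac, os, sqlite3

def hash_pw(password, salt):
    # Salted, slow hash so the table never holds the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_db():
    # Constructed sample data: one account, stored both ways for comparison.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("CREATE TABLE users_hashed (username TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?)", ("xyz", "s3cret-sample"))
    db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)",
               ("xyz", salt, hash_pw("s3cret-sample", salt)))
    return db

def login_concat(db, username, password):
    # Pattern visible in the stack trace: input pasted into the SQL text,
    # compared against a plain-text password column.
    sql = ("SELECT * FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_param(db, username, password):
    # Placeholders keep input out of the SQL grammar; the password is
    # never sent to the database, only its hash is compared in constant time.
    row = db.execute("SELECT salt, pw_hash FROM users_hashed WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], hash_pw(password, row[0]))

def attempt(login, db, username, password):
    # Report a database error the way the application's stack trace did.
    try:
        return login(db, username, password)
    except sqlite3.Error as exc:
        return "SQL error: %s" % exc

if __name__ == "__main__":
    db = make_db()
    for login in (login_concat, login_param):
        for pw in ("'", "s3cret-sample"):
            print(login.__name__, repr(pw), "->", attempt(login, db, "xyz", pw))
```

With the same inputs as the report (xyz and '), the concatenated version fails with a SQL syntax error while the parameterized version simply rejects the login.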