WebApp Sec mailing list archives

RE: Simple to exploit SQL Injection ?


From: "Griffiths, Ian" <Ian.Griffiths () liv-coll ac uk>
Date: Mon, 28 Nov 2005 12:42:44 -0000

Two worries there - ' is going without any escape, plus it would appear
that passwords are stored in the db as plain text.

I don't have a specific exploit but it should be possible to terminate
the SQL string with ', add a semi-colon, put in some extra SQL, and a
further semi-colon to put what would have been the rest of the SQL
query on a final, and possibly syntactically incorrect, line.

Ian

-----Original Message-----
From: Jason binger [mailto:cisspstudy () yahoo com] 
Sent: 28 November 2005 00:50
To: webappsec () securityfocus com
Subject: Simple to exploit SQL Injection ?


I am reviewing a .Net web application. When entering
xyz for a username and ' for a password into a form I
receive the following stack trace (extract):

System.Exception: Can't Load DataReader using SQL
string: 'SELECT * FROM users WHERE username = 'xyz'
AND password = '''' -- Unclosed quotation mark before
the character string '''. Line 1: Incorrect syntax
near '''.

Now I would have thought this would be easy to
exploit, but I can't bypass the logon page. xyz is a
valid username. Any ideas?

Cheers


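As an added example for this thread (not code from either poster's application), the following shows the two problems Ian points at side by side: a login that concatenates the username and password into the SQL text, which fails with a syntax error on a lone `'` exactly as the stack trace does, and a parameterized login that stores only a salted PBKDF2 hash. Python's sqlite3 stands in for the .NET/SQL Server stack; the table layouts, column names, sample user and iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000  # assumed value for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with both a legacy and a hardened users table."""
    conn = sqlite3.connect(":memory:")
    # Legacy layout: the plain-text password column implied by the stack trace.
    conn.execute("CREATE TABLE users_legacy (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users_legacy VALUES (?, ?)", ("xyz", "correct horse"))
    # Hardened layout: per-user salt plus PBKDF2 hash, no plain-text password anywhere.
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    register(conn, "xyz", "correct horse")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def build_query_unsafe(username: str, password: str) -> str:
    """The concatenation pattern behind the error in the original post."""
    return (
        "SELECT * FROM users_legacy WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_unsafe(conn: sqlite3.Connection, username: str, password: str):
    """Returns ("ok", matched) or ("error", message). A stray quote in the
    input breaks the statement before it is ever compared against the table."""
    try:
        row = conn.execute(build_query_unsafe(username, password)).fetchone()
        return ("ok", row is not None)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup plus constant-time hash comparison. The quote in
    the password is just data; it never reaches the SQL parser."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Still do the hashing work so unknown and known users take similar time.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    db = make_db()
    print(build_query_unsafe("xyz", "'"))          # the broken statement from the post
    print(login_unsafe(db, "xyz", "'"))            # ('error', ...)
    print(login_safe(db, "xyz", "'"))              # False, no exception
    print(login_safe(db, "xyz", "correct horse"))  # True
```

The point of the second table is that the parameterized query removes the injection class entirely rather than trying to escape quotes, and the hashed column means a leaked or dumped table no longer yields usable passwords, which is the second worry Ian raises.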

