WebApp Sec mailing list archives

RE: Simple to exploit SQL Injection ?


From: Pilon Mntry <pilonmntry () yahoo com>
Date: Mon, 28 Nov 2005 06:00:38 -0800 (PST)


If I understand correctly, it seems they escape
quotes on the password field.
Like in PHP, when magic_quotes_gpc is on AND strings
are used as SQL params, SQL injection is impossible.
Here even the -- trick won't work.
You should try to tamper with the login parameter.
-pilon

--- "Haaland, Vegar Linge"
<Vegar.Linge.Haaland () palantir no> wrote:

And you could try using:
' or ''='
as username and password. That will make the query
look like:
SELECT * FROM users WHERE username = '' or ''='' AND password = '' or ''=''
(Or anything that is always true.)
Some examples:
You could use: hi' or 'a'='a
This will give you username = 'hi' or 'a'='a'
This will "always" be true (if I read the query
right :P), because 'a'
equals 'a'.
And so on.

-----Original Message-----
From: Yousef Syed [mailto:yousef.syed () gmail com] 
Sent: 28. november 2005 13:20
To: Jason binger
Cc: webappsec () securityfocus com
Subject: Re: Simple to exploit SQL Injection ?

Hi Jason,
Try the following Password:
' OR 1=1 --

That should give the following SQL:
'SELECT *
FROM users
WHERE username = 'xyz'
AND password = '' OR 1=1 -- '

Since 1 always evaluates to 1, the rest of the SQL
will be ignored and
you should get the result you were expecting. Using
the "--" comment
will stop anything else after this from being
evaluated. That should
stop you getting any syntax errors.

ys

--
Yousef Syed
"One senior official said the consultancy "doesn't
have the greatest of
reputations among civil servants. They come and
state the bleeding
obvious using Powerpoint"."

On 28/11/05, Jason binger <cisspstudy () yahoo com>
wrote:
I am reviewing a .Net web application. When
entering xyz for a 
username and ' for a password into a form I
receive the following 
stack trace (extract):

System.Exception: Can't Load DataReader using SQL
string: 'SELECT * FROM users WHERE username =
'xyz'
AND password = '''' -- Unclosed quotation mark
before the character 
string '''. Line 1: Incorrect syntax near '''.

Now I would have thought this would be easy to
exploit, but I can't 
bypass the logon page. xyz is a valid username.
Any ideas?

Cheers

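Added example, not posted by anyone in this thread: the login query from the stack trace rebuilt by string concatenation beside its parameterised form, run against a constructed sqlite3 table (the app under review is .NET, so the database engine and the sample rows are assumptions). The thread's own inputs return rows from the concatenated version and nothing from the bound version, which is why binding parameters rather than escaping one field is the fix.

```python
import sqlite3

# Constructed sample data, not taken from the original thread.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("xyz", "secret"), ("admin", "hunter2")])


def login_concat(username, password):
    """Vulnerable: the query is built by concatenation, the shape shown in
    Jason's stack trace. Returns the matched usernames, or the database
    error text when the input breaks the statement (a lone quote does)."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "SQL error: " + str(exc)


def login_param(username, password):
    """Fixed: the same query with bound parameters. User input never becomes
    part of the SQL text, so quotes and -- are just characters to compare."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    # The three inputs discussed in the thread, constructed as test cases.
    cases = [("xyz", "'"),                 # Jason's probe: a lone quote
             ("xyz", "' OR 1=1 -- "),      # Yousef's password payload
             ("' or ''='", "' or ''='")]   # Vegar's username/password pair
    for user, pw in cases:
        print(repr((user, pw)), "concat:", login_concat(user, pw),
              "| param:", login_param(user, pw))
```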