WebApp Sec mailing list archives

RE: Simple to exploit SQL Injection ?

From: "Matt Fisher" <mfisher () spidynamics com>
Date: Tue, 29 Nov 2005 20:27:06 -0500

If you're getting that stack trace and you're NOT on the local machine,
,then someone misconfig'd the web.config.  Take a look at the Custom
Errors heading and make sure they're set to either ON or REMOTE.  If
they're OFF, then anyone who generates a 500 will get a stack trace or
worse.   I knew a dude once who studied up and studied up on SQL
Injection then asked me to test his site.  While his queries were all
tight, he misconf'd the custom errors, so I got all his source code
anyhow.


Here's an interesting article on accidentally pushing debug code to
production too.  Definitely something to be avoided.  
http://www.aspnetresources.com/articles/debug_code_in_production.aspx

-----Original Message-----
From: bryan allott [mailto:homegrown () bryanallott net] 
Sent: Monday, November 28, 2005 2:43 PM
To: Jason binger; webappsec () securityfocus com
Subject: Re: Simple to exploit SQL Injection ?

just a by-the-by...
although not a successful SQL injection attack, the error 
message you're receiving as a public user already tell you a 
little about their database...
Probably not too much to go with, but a better exception 
message would have
been:
"Invalid credentials" or something equally generic and less revealing.
so probably also be on the lookout for other places where 
more information is displayed than usual..
other famous .Net parser and other jit compile errors tell u 
quite a bit about the filesystem :)

----- Original Message -----
From: "Jason binger" <cisspstudy () yahoo com>
To: <webappsec () securityfocus com>
Sent: Monday, November 28, 2005 2:49 AM
Subject: Simple to exploit SQL Injection ?

I am reviewing a .Net web application. When entering
xyz for a username and ' for a password into a form I
receive the following stack trace (extract):

System.Exception: Can't Load DataReader using SQL
string: 'SELECT * FROM users WHERE username = 'xyz'
AND password = '''' -- Unclosed quotation mark before
the character string '''. Line 1: Incorrect syntax
near '''.

Now I would have thought this would be easy to
exploit, but I can't bypass the logon page. xyz is a
valid username. Any ideas?

Cheers

__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com

-- 
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.362 / Virus Database: 267.13.8/184 - Release 
Date: 27-Nov-05

Current thread:

Re: Simple to exploit SQL Injection ?, (continued)
- Re: Simple to exploit SQL Injection ? Eoin Keary (Nov 28)
- Re: Simple to exploit SQL Injection ? Yousef Syed (Nov 28)
- RE: Simple to exploit SQL Injection ? Rich Bergmann (Nov 28)
  - Re: Simple to exploit SQL Injection ? Dean H. Saxe (Nov 29)
- RE: Simple to exploit SQL Injection ? Victor Chapela (Nov 29)
- Re: Simple to exploit SQL Injection ? bryan allott (Nov 29)
- RE: Simple to exploit SQL Injection ? Haaland, Vegar Linge (Nov 28)
  - RE: Simple to exploit SQL Injection ? Pilon Mntry (Nov 29)
- RE: Simple to exploit SQL Injection ? Griffiths, Ian (Nov 28)
- RE: Simple to exploit SQL Injection ? LAROUCHE Francois (Nov 29)
- RE: Simple to exploit SQL Injection ? Matt Fisher (Nov 30)