WebApp Sec mailing list archives

Re: ODBC Injection


From: John Bond <john.r.bond () gmail com>
Date: Wed, 30 Nov 2005 12:24:55 +0000

This already gives out a lot of info: table name and a column name.
But I wonder if you could also tack some more SQL on the end

e.g.
 http://test.com/test.asp?sIdProduct=1%20OR1%3D1%20UNION%20SELECT%20%2A%20FROM%20Products
i.e.
SELECT * FROM Products WHERE idProduct = 1 OR 1=1 UNION SELECT * FROM Products

You should check that the parameter is a valid int before using it.

On 30/11/05, John Cobb <johnc () nobytes com> wrote:
Hello All,

I'm testing an ecommerce app on IIS6 with an M$ Access Database and I have
found some injection:

http://test.com/test.asp?sIdProduct=1

I get the following error when I insert alpha characters rather than
numbers.
I cannot manipulate this much, does anybody have any suggestions?

E.g.:

http://test.com/test.asp?sIdProduct=test


Database operations error:

ODBC driver does not support the requested properties.

SELECT * FROM Products WHERE idProduct = test

ADODB.Recordset error '800a0e78'

Operation is not allowed when the object is closed.

/test.asp, line 135

Thanks

John Cobb
www.nobytes.com
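
The integer check recommended in the reply above, as an added example that is not part of the original thread. Python with an in-memory SQLite database stands in for the ASP/Access stack; the sample rows, the `name` column and all function names are assumptions made for illustration.

```python
import re
import sqlite3

# Constructed sample data; table and key column follow the query in the error page.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Products (idProduct INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO Products VALUES (?, ?)",
                   [(1, "widget"), (2, "gadget"), (3, "gizmo")])
    return db

def lookup_concatenated(db, raw):
    # The pattern behind the error page: the parameter becomes part of the SQL text.
    return db.execute("SELECT * FROM Products WHERE idProduct = " + raw).fetchall()

# ASCII digits only, bounded length. int() alone is too lenient for this job:
# it accepts " 1 ", "+1", "1_0" and non-ASCII digits.
_ID_RE = re.compile(r"[0-9]{1,9}")

def parse_product_id(raw):
    if not isinstance(raw, str) or not _ID_RE.fullmatch(raw):
        raise ValueError("sIdProduct must be a decimal integer")
    return int(raw)

def lookup_safe(db, raw):
    # Validate first, then bind the value as a parameter so it is never parsed as SQL.
    pid = parse_product_id(raw)
    return db.execute("SELECT * FROM Products WHERE idProduct = ?", (pid,)).fetchall()

def handle_request(db, raw):
    # Return a generic message instead of echoing the statement and driver error.
    try:
        return 200, lookup_safe(db, raw)
    except ValueError:
        return 400, "Invalid product id"

if __name__ == "__main__":
    db = make_db()
    for value in ["1", "1 OR 1=1", "test", " 1 ", "1_0"]:
        print(repr(value), handle_request(db, value))
```

The generic 400 response also addresses the disclosure noted in the reply: the failing statement and driver error stay in server-side logs instead of reaching the client.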






