WebApp Sec mailing list archives

RE: ODBC Injection


From: "LAROUCHE Francois" <Francois.Larouche () accorservices com>
Date: Thu, 1 Dec 2005 10:17:30 +0100


http://test.com/test.asp?sIdProduct=1%0AINSERT INTO products ('odbc injected product');

If Maxime's suggestion with the LF or CR hexa characters could be a good trick, I don't think it's good to give an 
example with INSERT INTO to people here. Or even DELETE, we don't know if people use those tests in a prod environment, 
and we most definitely don't know what will happen if the insertion succeeds on the table, besides leaving tracks or 
junk in the database behind you. No harm done Maxime, but just thought it was important to mention.

I would side with Brett Moore's analysis with the fact that you get no result and you try to display it right away, 
classical mistake.

But most definitely there is something odd in the SQL statement... Since it seems it only expects numerical data, try 
to inject this first:

http://test.com/test.asp?sIdProduct=1

Look at the product displayed, then try:

http://test.com/test.asp?sIdProduct=2

Look now at the product, finally try:

http://test.com/test.asp?sIdProduct=1%2b1

If you get back the product number 2 it means you can inject SQL.

And like I mentioned the last time I wrote here, if you don't find anything there try somewhere else where it expects a 
string data. It seems this app has been coded weirdly so you have a fair chance to find something else...

Good luck

François Larouche


-----Original Message-----
From: Maxime Ducharme [mailto:mducharme () cybergeneration com]
Sent: Wednesday, November 30, 2005 8:38 PM
To: John Cobb; webappsec () securityfocus com
Subject: Re: ODBC Injection


Hello John

Try the new line trick (%0A), I remember this helped
me for a ColdFusion + Access pen testing,
dunno if it'll be good for you :

http://test.com/test.asp?sIdProduct=1%0AINSERT INTO products ('odbc injected product');

you may also try CR trick (%0D), results depend on the OS

HTH

Maxime Ducharme
Programmer / Network security specialist

----- Original Message -----
From: "John Cobb" <johnc () nobytes com>
To: <webappsec () securityfocus com>
Sent: Wednesday, November 30, 2005 6:38 AM
Subject: ODBC Injection


Hello All,

I'm testing an ecommerce app on IIS6 with an M$ Access Database and I have
found some injection:

http://test.com/test.asp?sIdProduct=1

I get the following error when I insert alpha characters rather than
numbers.
I cannot manipulate this much, does anybody have any suggestions?

Eg:

http://test.com/test.asp?sIdProduct=test


Database operations error:

ODBC driver does not support the requested properties.

SELECT * FROM Products WHERE idProduct = test

ADODB.Recordset error '800a0e78'

Operation is not allowed when the object is closed.

/test.asp, line 135

Thanks

John Cobb
www.nobytes.com
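
Added example, not part of the original thread: why the `1%2b1` check discussed above returns product 2 when the parameter is concatenated into the statement shown in the error page, and how the same lookup behaves once the value is validated and bound. It assumes an in-memory SQLite table with constructed rows standing in for the Access/ODBC back end; the function names are hypothetical.

```python
import sqlite3
from urllib.parse import unquote


def make_db():
    # Constructed sample rows standing in for the Products table
    # named in the error message (assumption: two products, ids 1 and 2).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Products (idProduct INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO Products VALUES (?, ?)",
                   [(1, "first product"), (2, "second product")])
    return db


def lookup_concatenated(db, s_id_product):
    # 'Before' form: the statement is built by string concatenation, as the
    # error output suggests, so the parameter is parsed as a SQL expression.
    sql = "SELECT * FROM Products WHERE idProduct = " + s_id_product
    return db.execute(sql).fetchall()


def lookup_bound(db, s_id_product):
    # Hardened form: accept only a short run of ASCII digits, then pass the
    # value as a bound parameter so the database never parses it as SQL.
    if not (s_id_product.isascii() and s_id_product.isdigit()
            and len(s_id_product) <= 9):
        raise ValueError("sIdProduct must be a decimal integer")
    return db.execute("SELECT * FROM Products WHERE idProduct = ?",
                      (int(s_id_product),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = unquote("1%2b1")  # the web server decodes %2b to '+'
    # Concatenated: the database evaluates 1+1 and returns product 2.
    print("concatenated:", lookup_concatenated(db, probe))
    # Bound and validated: the same value is rejected before any query runs.
    try:
        lookup_bound(db, probe)
    except ValueError as exc:
        print("bound:", exc)
    # Alpha input reaches the SQL parser in the concatenated form and fails
    # there, which is the condition behind the error page in the first post.
    try:
        lookup_concatenated(db, "test")
    except sqlite3.OperationalError as exc:
        print("concatenated, alpha input:", exc)
```
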