WebApp Sec mailing list archives
RE: ODBC Injection
From: "LAROUCHE Francois" <Francois.Larouche () accorservices com>
Date: Thu, 1 Dec 2005 10:17:30 +0100
> http://test.com/test.asp?sIdProduct=1%0AINSERT INTO products ('odbc injected product');

If Maxime's suggestion with the LF or CR hexa characters could be a good trick, I don't think it's good to give an example with INSERT INTO to people here. Or even DELETE, we don't know if people use those tests in a prod environment, and we most definitely don't know what will happen if the insertion succeeds on the table, besides leaving tracks or junk in the database behind you.

No harm done Maxime, but just thought it was important to mention.

I would range with Brett Moore's analysis with the fact that you get no result and you try to display it right away, classical mistake. But most definitely there is something odd in the SQL statement...

Since it seems it only expects numerical data, try to inject this first:

http://test.com/test.asp?sIdProduct=1

Look at the product displayed, then try:

http://test.com/test.asp?sIdProduct=2

Look now at the product, finally try:

http://test.com/test.asp?sIdProduct=1%2b1

If you get back the product number 2 it means you can inject SQL.

And like I mentioned the last time I wrote here, if you don't find anything there try somewhere else where it expects a string data. It seems this app has been coded weirdly so you have a fair chance to find something else...

Good luck

François Larouche

-----Original Message-----
From: Maxime Ducharme [mailto:mducharme () cybergeneration com]
Sent: Wednesday, November 30, 2005 8:38 PM
To: John Cobb; webappsec () securityfocus com
Subject: Re: ODBC Injection

Hello John

Try the new line trick (%0A), I remember this helped me for a ColdFusion + Access pen testing, dunno if it'll be good for you:

http://test.com/test.asp?sIdProduct=1%0AINSERT INTO products ('odbc injected product');

you may also try CR trick (%0D), results depend on the OS

HTH

Maxime Ducharme
Programmer / Network security specialist

----- Original Message -----
From: "John Cobb" <johnc () nobytes com>
To: <webappsec () securityfocus com>
Sent: Wednesday, November 30, 2005 6:38 AM
Subject: ODBC Injection

Hello All,

I'm testing an ecommerce app on IIS6 with an M$ Access Database and I have found some injection:

http://test.com/test.asp?sIdProduct=1

I get the following error when I insert alpha characters rather than numbers. I cannot manipulate this much, does anybody have any suggestions?

Eg:
http://test.com/test.asp?sIdProduct=test

Database operations error: ODBC driver does not support the requested properties.
SELECT * FROM Products WHERE idProduct = test
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/test.asp, line 135

Thanks

John Cobb
www.nobytes.com
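An added example, not part of the original thread: the arithmetic check from the message above (`1%2b1` returning product 2) works because the parameter is placed unquoted into the statement, as the echoed `SELECT * FROM Products WHERE idProduct = test` shows. The sketch below reproduces that behaviour and the fix, assuming an in-memory SQLite database as a stand-in for the Access/ODBC back end; the table rows and function names are constructed for illustration.

```python
import sqlite3
from urllib.parse import parse_qs


def make_db():
    # Constructed sample data; SQLite stands in for the Access database (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Products (idProduct INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO Products VALUES (?, ?)",
                   [(1, "constructed product one"), (2, "constructed product two")])
    return db


def param(query_string):
    # URL-decode the way a web framework would: %2b becomes '+'.
    return parse_qs(query_string)["sIdProduct"][0]


def lookup_concatenated(db, raw):
    # Pattern visible in the error message: the value is appended unquoted,
    # so the database evaluates it as an SQL expression.
    sql = "SELECT name FROM Products WHERE idProduct = " + raw
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "error: " + str(exc)
    return row[0] if row else None


def lookup_bound(db, raw):
    # Hardened form: accept only ASCII digits, then bind the value as a parameter
    # so it can never be parsed as SQL.
    if not (raw.isascii() and raw.isdigit()):
        return "rejected"
    row = db.execute("SELECT name FROM Products WHERE idProduct = ?",
                     (int(raw),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for qs in ("sIdProduct=1", "sIdProduct=2", "sIdProduct=1%2b1", "sIdProduct=test"):
        value = param(qs)
        print(qs, "| concatenated:", lookup_concatenated(db, value),
              "| bound:", lookup_bound(db, value))
```

With the concatenated query, `1%2b1` resolves to product 2 and `test` produces a database error; with validation plus a bound parameter, both are rejected before any SQL runs.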