All,

I missed the SQL injection talks at bh/defcon - must have been my fault - I was told that they were good presentations. However, I did see in the CD a glimpse of some injection techniques that I tried to follow, as below.

I have an internal WEB app that has the following characteristics:

IIS 4.0 (with all patches) - I even tried the old %2e asp display the source code and all variants of the showcode.asp! Darn those security conscious admins!

Input screen is javascript with a form - I can view the input page to see the script!

Form requires 2 inputs: login & password.

Placing a ' in the login box produces the following messages:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quote before the character string '''.
/Login.asp, line 73

They must not be screening out the ' and thanks to the error messages I know that the result is going to be passed to an SQL server. What next ??

I tried '-- in the login box and got a message saying that the login name was not found.

I tried login name = valid name with a password of ‘ union select * from users where admin=1— and the message sez the password is wrong for the login.

I also tried ‘ union select * from users where admin=1— in the login field and received a message saying that the login was longer than 7 characters.

Perhaps I am missing some intermediate step(s) ?? Any suggestions ??
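Added example, not part of the original post and not the application's code: a login check built two ways, showing why a lone quote in the login field surfaces a SQL syntax error when the value is concatenated into the statement, and how a bound parameter with a single generic failure message removes both the parser exposure and the "login not found" / "wrong password" distinction the post reports. The schema, account, salt and function names are hypothetical, and sqlite3 stands in for SQL Server over ODBC.

```python
import hashlib, hmac, sqlite3

SALT = b"constructed-salt"  # constructed; real systems use a random per-user salt

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

def make_db():
    # Hypothetical schema and account; sqlite3 stands in for SQL Server/ODBC.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, pw BLOB)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", pw_hash("s3cret")))
    return db

def login_concatenated(db, login, password):
    # Pattern the error implies: the login value is pasted into the SQL text.
    sql = "SELECT pw FROM users WHERE login = '" + login + "'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Returning the driver error tells the client its input reached the
        # SQL parser, as the 80040e14 message in the post does.
        return "database error: %s" % exc
    if row is None:
        return "login not found"
    ok = hmac.compare_digest(row[0], pw_hash(password))
    return "ok" if ok else "wrong password"

def login_parameterized(db, login, password):
    # Hardened: length check, bound parameter, one generic failure message.
    if not 0 < len(login) <= 7:  # 7 is the limit the post's message reports
        return "login failed"
    try:
        row = db.execute("SELECT pw FROM users WHERE login = ?",
                         (login,)).fetchone()
    except sqlite3.Error:
        return "login failed"  # details belong in the server log, not the page
    if row is None or not hmac.compare_digest(row[0], pw_hash(password)):
        return "login failed"
    return "ok"

def demo():
    db = make_db()
    inputs = ["'", "'--", "alice"]  # the two inputs from the post, plus a valid login
    return [(i, login_concatenated(db, i, "x"), login_parameterized(db, i, "x"))
            for i in inputs]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

With the bound parameter, the quote and the comment marker are compared as literal login names, so every failing input gets the same response.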
This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 15:18:55 PDT