sql injection - missed it at bh/defcon

From: nemo latin (nemo_oldat_private)
Date: Tue Aug 07 2001 - 12:04:10 PDT

    All,
    
    I missed the SQL injection talks at bh/defcon - must
    have been my fault - I was told that they were good
    presentations.  However I did see in the CD a glimpse
    of some injection techniques that I tried to follow as
    below.
    
    I have an internal WEB app that has the following
    characteristics:
    
    IIS 4.0 (with all patches) - I even tried the old %2e
    asp display the source code and all variants of
    the showcode.asp !  darn those security conscious
    admins !
    
    input screen is javascript with a form - I can view
    the input page to see the script !
    
    form requires 2 inputs
    login & password
    
    placing a  '  in the login box produces the following
    messages
    
    Microsoft OLE DB Provider for ODBC Drivers error
    '80040e14' 
    
    [Microsoft][ODBC SQL Server Driver][SQL
    Server]Unclosed quote before the character string '''.
    
    
    /Login.asp, line 73 
    
    They must not be screening out the  '  and thanks to
    the error messages I know that the result is going to
    be passed to an SQL server.  What next ??
    
    I tried
    
    '--  
    
    in the login box and got a message saying that the
    login name was not found
    
    I tried
    
    login name =   valid name
    with a password of
    
    ‘ union select * from users where admin=1—
    
    and the message sez the password is wrong for the
    login.
    
    I also tried
    
    ‘ union select * from users where admin=1—
    
    in the login field and received a message saying that
    the login was longer than 7 characters
    
    Perhaps I am missing some intermediate step(s) ??
    
    Any suggestions ??
    
    
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 15:18:55 PDT
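
Why a lone ' produced the "Unclosed quote" error while '-- produced an ordinary "login name not found", and what the corrected query looks like, as an added example that is not part of the original post or of the application it describes. It assumes Login.asp splices the login field into the query text; SQLite stands in for SQL Server, and the table, column and function names are hypothetical.

```python
import hashlib, hmac, sqlite3

def pw_hash(password: str) -> str:
    # Constructed fixed salt keeps the sample short; use a per-user random salt in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000).hex()

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")  # stand-in for the SQL Server back end
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, pw TEXT, admin INTEGER)")
    db.execute("INSERT INTO users VALUES (?, ?, 0)", ("alice", pw_hash("s3cret")))  # constructed row
    return db

def check(row, password: str) -> str:
    if row is None:
        return "login name not found"
    return "ok" if hmac.compare_digest(row[0], pw_hash(password)) else "wrong password"

def login_concat(db, login: str, password: str) -> str:
    """'Before': input is spliced into the SQL text and driver errors reach the page."""
    sql = "SELECT pw FROM users WHERE login = '" + login + "'"
    try:
        return check(db.execute(sql).fetchone(), password)
    except sqlite3.Error as exc:
        return f"database error: {exc}"  # leaks parser detail, like the ODBC message

def login_param(db, login: str, password: str) -> str:
    """'After': input is bound as data; failures give one generic message."""
    try:
        row = db.execute("SELECT pw FROM users WHERE login = ?", (login,)).fetchone()
        return check(row, password)
    except sqlite3.Error:
        return "login failed"  # detail belongs in a server-side log, not the response

if __name__ == "__main__":
    db = make_db()
    for login in ("alice", "'", "'--"):
        print(repr(login), "| concat:", login_concat(db, login, "s3cret"),
              "| param:", login_param(db, login, "s3cret"))
```

The separate "not found" and "wrong password" messages mirror the behaviour reported in the post; returning a single failure message avoids confirming which logins exist.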