RE: sql injection - missed it at bh/defcon + follow on query.

From: Paul Midian (paul.midianat_private)
Date: Wed Aug 08 2001 - 12:38:27 PDT


    I got thro' a login by putting
    
     s') OR ('s' = 's
    
    as both username and password.  can't remember exactly but they were doing a
    select from table where username=<input> and password=<input>.  Worked for
    me!
    
    As a follow-on - I'm doing another job and am having difficulty injecting
    SQL - I keep getting errors like 'SQL command not properly ended' or
    'unterminated string' and stuff.  Anyone got any ideas?  It's Oracle on the
    backend from IIS BTW.  I've tried various combos of quotes, strings,
    CR/LFs etc. but there's nothing going on.
    
    Thanks,
    
    Paul
    -----Original Message-----
    From: nemo latin [mailto:nemo_oldat_private]
    Sent: 07 August 2001 20:04
    To: pen-testat_private
    Subject: sql injection - missed it at bh/defcon
    
    
    All,
    
    I missed the SQL injection talks at bh/defcon - must
    have been my fault - I was told that they were good
    presentations.  However I did see in the CD a glimpse
    of some injection techniques that I tried to follow as
    below.
    
    I have an internal web app that has the following
    characteristics:
    
    IIS 4.0 (with all patches) - I even tried the old %2e
    asp display the source code and all variants of
    the showcode.asp !  darn those security conscious
    admins !
    
    input screen is javascript with a form - I can view
    the input page to see the script !
    
    form requires 2 inputs
    login & password
    
    placing a  '  in the login box produces the following
    messages
    
    Microsoft OLE DB Provider for ODBC Drivers error
    '80040e14' 
    
    [Microsoft][ODBC SQL Server Driver][SQL
    Server]Unclosed quote before the character string '''.
    
    
    /Login.asp, line 73 
    
    They must not be screening out the  '  and thanks to
    the error messages I know that the result is going to
    be passed to an SQL server.  What next ??
    
    I tried
    
    '--  
    
    in the login box and got a message saying that the
    login name was not found
    
    I tried
    
    login name =   valid name
    with a password of
    
    ' union select * from users where admin=1-
    
    and the message says the password is wrong for the
    login.
    
    I also tried
    
    ' union select * from users where admin=1-
    
    in the login field and received a message saying that
    the login was longer than 7 characters
    
    Perhaps I am missing some intermediate step(s) ??
    
    Any suggestions ??
    
    
    
    
    
    
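    As an added example that is not part of either post: the snippet below reproduces, against an in-memory SQLite table of constructed accounts, the two observations in this thread - the lone quote that makes the database throw the error the web page then displays (nemo's '80040e14' / "Unclosed quote" message), and Paul's  s') OR ('s' = 's  string that turns the WHERE clause into something always true - and puts the string-concatenated login beside a parameterised one that is immune to both. SQLite stands in for SQL Server and Oracle; the parenthesised query shape `WHERE (username='..' AND password='..')` is an assumption, since both posts only say "select ... where username=<input> and password=<input>" and Paul's payload is the one that closes and reopens such a parenthesis.

```python
import sqlite3

# Constructed sample accounts; nothing here comes from the thread.
SAMPLE_USERS = [("alice", "correct horse", 1), ("bob", "hunter2", 0)]

# Assumed query shape (see lead-in). The vulnerable form splices input
# straight into the statement text; the safe form uses bound parameters.
VULN_SQL = "SELECT username FROM users WHERE (username='%s' AND password='%s')"
SAFE_SQL = "SELECT username FROM users WHERE (username=? AND password=?)"

# The string from Paul's reply, used as both username and password.
PAYLOAD = "s') OR ('s' = 's"


def make_db():
    """Fresh in-memory database with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the user's text becomes part of the SQL grammar."""
    sql = VULN_SQL % (username, password)
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """Hardened: the driver passes the values separately from the statement,
    so a quote or a parenthesis in the input is just data."""
    return [row[0] for row in conn.execute(SAFE_SQL, (username, password))]


def attempt(login_fn, username, password):
    """Run one login attempt and classify the outcome the way a tester reading
    the web page would:
      ("error", text)  - the database rejected the statement; if the app shows
                         that text, it is the information leak nemo describes
      ("ok", users)    - the query matched rows (an always-true WHERE matches all)
      ("denied", [])   - no match, the normal wrong-credentials case
    """
    conn = make_db()
    try:
        rows = login_fn(conn, username, password)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        conn.close()
    return ("ok", rows) if rows else ("denied", [])


if __name__ == "__main__":
    for name, fn in (("concatenated", login_concat), ("parameterised", login_param)):
        print(name)
        print("  lone quote :", attempt(fn, "'", "x"))
        print("  payload    :", attempt(fn, PAYLOAD, PAYLOAD))
        print("  real creds :", attempt(fn, "bob", "hunter2"))
```

    With the concatenated query the lone quote comes back as a database error and the payload matches every account, which is exactly the "got through a login" result in the reply; with the parameterised query both inputs are simply treated as a username that does not exist. The second half of the fix is in `attempt`: the caught error is classified, not shown, so a production handler would log it and return the same generic "login failed" message the "denied" branch gets, which is what removes the error-driven reconnaissance nemo's post relies on.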
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 16:03:24 PDT