Re: SQL Injection

From: Sverre H. Huseby (shhat_private)
Date: Sat Sep 08 2001 - 07:28:34 PDT

    [Kevin Spett]
    
    |   I would like to know if there are other ways of doing this.
    
    You could look for a place where your input is stored in a database
    without validation, and insert a sub-select that picks up the
    information you want.
    
    Example: I was working my way through a system yesterday.  In this
    system I could register new users.  On the user preferences page, I
    could change my E-mail address.  Fortunately, the programmers had
    forgotten to "wash" the input, so I was able to enter the following as
    my E-mail address:
    
      ' + (SELECT password FROM users WHERE username='foobar') + '
    
    The + signs are used for string concatenation in MS SQL Server.  After
    entering this text, my E-mail field was updated to contain the
    password of the user foobar.  (Long live clear text passwords! :) )
    
    My input probably resulted in an SQL query that looks like this:
    
      UPDATE users
      SET email='' + (SELECT password FROM users WHERE username='foobar') + ''
                 ------------------------------------------------------------
      WHERE username='sverre'
    
    The underlined text is the "E-mail address" provided by me.
    
    Hope this helps a little bit.
    
    
    Sverre.
    
    -- 
    shhat_private			Try my Nerd Quiz at
    http://shh.thathost.com/		http://nerdquiz.thathost.com/
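The UPDATE in the post, reproduced as an added example that is not part of the original message: the first function builds the statement by string concatenation, exactly as the "unwashed" E-mail field above must have been handled, and the second binds the input as a parameter so the database never parses it as SQL. SQLite is used so the code runs offline; its concatenation operator is `||` rather than MS SQL Server's `+`, and the payload is rewritten accordingly. Table layout, user names and passwords are constructed sample data.

```python
import sqlite3

# Constructed sample data: two users with clear-text passwords, as in the post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("sverre", "s3cret", "sverre@example.invalid"),
            ("foobar", "hunter2", "foobar@example.invalid"),
        ],
    )
    return conn

# Vulnerable: the UPDATE is assembled by concatenating the user's input into the
# statement text, so a quote in the input ends the string literal and the rest
# of the input becomes SQL. This mirrors the query shown in the post.
def update_email_vulnerable(conn, username, email):
    sql = (
        "UPDATE users SET email='" + email + "' "
        "WHERE username='" + username + "'"
    )
    conn.execute(sql)
    conn.commit()

# Fixed: a parameterized statement. The driver sends the input as a bound value,
# so quotes and sub-selects inside it are stored as plain characters.
def update_email_safe(conn, username, email):
    conn.execute(
        "UPDATE users SET email=? WHERE username=?", (email, username)
    )
    conn.commit()

def get_email(conn, username):
    row = conn.execute(
        "SELECT email FROM users WHERE username=?", (username,)
    ).fetchone()
    return row[0] if row else None

# The post's E-mail "address", with MS SQL Server's + replaced by SQLite's ||.
PAYLOAD = "' || (SELECT password FROM users WHERE username='foobar') || '"

def demo():
    # Concatenated query: the sub-select runs and foobar's password lands in
    # sverre's E-mail column.
    conn = make_db()
    update_email_vulnerable(conn, "sverre", PAYLOAD)
    leaked = get_email(conn, "sverre")  # 'hunter2'

    # Parameterized query: the same input is stored verbatim as a string and
    # foobar's password stays where it is.
    conn2 = make_db()
    update_email_safe(conn2, "sverre", PAYLOAD)
    stored = get_email(conn2, "sverre")  # the literal payload text
    return leaked, stored

if __name__ == "__main__":
    print(demo())
```

The difference is visible in `demo()`: with concatenation the E-mail column ends up holding another user's password, with binding it holds the input characters and nothing else. The post's closing remark about clear-text passwords is the second lesson: even with the query fixed, the sub-select would only have been useful because the `password` column was readable in the clear.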
    



    This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 08:06:00 PDT