I'm not all that knowledgeable about SQL testing. I usually get help from
people who know a lot about SQL to help with the actual code syntax, but
here is a thing about the parsing of unquoted code to an SQL server (and
that is what it sounds like you have). I am flying on my own here...

You may have a hole there. Try (as a username):

    aa'; CREATE USER hack WITH SYSID 0 PASSWORD 'hacked' \*

The "\*" is the "Quote start" character in SQL and will quote the rest of
the command out. You may have to make the password something like:

    *\; SET foo TO 'bar

Or something to that effect. This should pass the command like this to
the SQL server:

    <stuff the programmer thought would go there> USER to 'aa'; CREATE USER hack WITH SYSID 0 PASSWORD 'hacked' \*<more stuff that is now commented out>*\; SET foo TO 'bar'

The extra quote on the end is the one that has caused you grief.

Just a thought. It certainly warrants trying some SQL commands.

Here are some references to look at:

List of SQL commands:
http://www.postgresql.org/idocs/index.php?sql-commands.html

A quick search brings up a good article about hacking SQL through bad
perl at:
http://www.attrition.org/security/advisory/rfp/rfp2k01

You may be able to find even more stuff at "http://www.wiretrip.net/rfp"

-- 
Benjamin Holmes
Getronics, Brisbane, Queensland, AUSTRALIA

> -----Original Message-----
> From: Gary O'leary-Steele [mailto:GaryO@sec-1.com]
> Sent: Tuesday, 20 November 2001 2:24 AM
> To: PEN-TESTat_private
> Subject: SQL
>
> Hello all,
>
> I am doing a pen test against an IIS 5 web server. The web server
> requires a user name and password via a logon form. If a single quote
> character is entered (username) the following error is produced:
>
> [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '' and password=''.
>
> I remember reading somewhere that this can be used to gain further
> access, but I can't find the info.
>
> Can anyone help?
>
> Thanks in advance.
>
> Gary
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
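
An added example, not part of the original thread: the parser error quoted above is what a login query produces when form values are concatenated into the SQL text, and binding the values as parameters removes it. The table, the function names and the query shape are assumptions, and Python's sqlite3 stands in for the SQL Server back end.

```python
import sqlite3

def make_db():
    """Constructed sample data; sqlite3 stands in for the SQL Server back end."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("O'leary", "s3cret"), ("alice", "wonder")])
    return db

def login_concat(db, username, password):
    """Hypothetical 'before': form values are pasted into the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE username='" + username +
           "' and password='" + password + "'")
    return db.execute(sql).fetchone()[0] == 1

def login_bound(db, username, password):
    """'After': values are bound parameters and are never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()[0] == 1

def attempt(login, db, username, password):
    """Return 'ok', 'denied' or 'sql-error' (the parser rejected the query)."""
    try:
        return "ok" if login(db, username, password) else "denied"
    except sqlite3.Error:
        # Log the driver message server-side; do not echo it to the client.
        return "sql-error"

if __name__ == "__main__":
    db = make_db()
    cases = [("alice", "wonder"), ("'", ""), ("O'leary", "s3cret")]
    for user, pw in cases:
        print(repr(user), attempt(login_concat, db, user, pw),
              attempt(login_bound, db, user, pw))
```

The concatenated version works for ordinary names, which is why the defect tends to surface only when a value contains an apostrophe.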
This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 09:03:15 PST