RE: SQL

From: Paul Midian (paul.midianat_private)
Date: Tue Nov 20 2001 - 08:10:34 PST


    Hi,
    
    I know I posted this before, but I've had a lot of fun with it this year(!)...
    
    You may be looking at a bit of code that says something like:
    
    ...
    strSQL = ("select <stuff> from <sometable> where username = '" &
    <what_you_entered> & "' and password = '" & <what_you_entered> & "'")
    Set oRS = oConn.Execute(strSQL)
    If oRS.EOF Then
    	<logon failed>
    Else
    	<logon succeeded>
    ...
    
    If they have done the usual (dumb) authentication (see above) then you may
    be able to break through the login by forcing both the username= and
    password= clauses to true...
    
    try entering:
    
    p' OR 'p' = 'p
    
    or something else that would have the same effect...
    
    The common error here is to assume that as long as the recordset returned
    from the db is non-null then the user must have entered the correct username
    and p/w.  By forcing both clauses to true, the recordset returned contains
    fields from all rows and is therefore non-null.  I think this is actually an
    example in the w2k resource kit...but (in Microsoft's defence) it is not
    presented as an example of website logon, but an example about recordsets
    and the like.  I guess people have misused it.
    
    Anyway, you may get some joy.
    
    P
    
    -----Original Message-----
    From: Gary O'leary-Steele [mailto:GaryO@sec-1.com]
    Sent: 19 November 2001 16:24
    To: PEN-TESTat_private
    Subject: SQL
    
    
    Hello all,
    
    
    I am doing a pen test against an IIS 5 web server. The web server requires a
    user name and password via a logon form. If a single quote character is
    entered (username), the following error is produced
    
    [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
    before the character string '' and password=''.
    
    I remember reading somewhere that this can be used to gain further access,
    but I can't find the info.
    
    Can anyone help?
    
    Thanks in advance.
    
    Gary
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
    
    
    
    
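The login bypass Paul describes, as an added worked example that is not part of either message above. It uses Python with an in-memory SQLite table (constructed here; a stand-in for the ASP/SQL Server setup in the thread) to show the concatenated query from the post, the `p' OR 'p' = 'p` input turning the WHERE clause true for every row, the "non-empty recordset means logged in" mistake, and a parameterised query that is not fooled by the same input. The table name `users`, its two rows, and the function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for <sometable> in the ASP snippet.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "battery staple")]

# Paul's suggested input; it appears once in each quoted field.
PAYLOAD = "p' OR 'p' = 'p"


def make_db() -> sqlite3.Connection:
    """Build the constructed in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_sql(username: str, password: str) -> str:
    """Same string concatenation as the posted strSQL: user input is spliced
    straight into the query text, so a quote in the input ends the literal."""
    return ("select * from users where username = '" + username +
            "' and password = '" + password + "'")


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirrors 'If oRS.EOF Then logon failed Else logon succeeded':
    any non-empty result set is treated as a successful logon."""
    rows = conn.execute(build_vulnerable_sql(username, password)).fetchall()
    return len(rows) > 0


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver passes the values separately from the
    SQL text, so quotes in the input are data, not syntax. It also insists on
    exactly one matching row rather than merely 'not EOF'."""
    rows = conn.execute(
        "select username from users where username = ? and password = ?",
        (username, password),
    ).fetchall()
    return len(rows) == 1


def demo() -> dict:
    """Run both login routines against real, wrong and injected credentials."""
    conn = make_db()
    results = {
        "vuln_real": vulnerable_login(conn, "alice", "correct horse"),
        "vuln_wrong": vulnerable_login(conn, "alice", "nope"),
        # WHERE username = 'p' OR 'p' = 'p' and password = 'p' OR 'p' = 'p'
        # is true for every row, so the recordset is non-empty and the
        # vulnerable check reports a successful logon.
        "vuln_payload": vulnerable_login(conn, PAYLOAD, PAYLOAD),
        "safe_real": safe_login(conn, "alice", "correct horse"),
        "safe_payload": safe_login(conn, PAYLOAD, PAYLOAD),
    }
    # A lone quote, as in Gary's original question, does not bypass anything;
    # it leaves an unterminated string literal and the database rejects the
    # query (SQLite says "unrecognized token", SQL Server "Unclosed quotation
    # mark"). That error is what reveals the concatenation in the first place.
    try:
        vulnerable_login(conn, "'", "")
        results["lone_quote_error"] = False
    except sqlite3.OperationalError:
        results["lone_quote_error"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The parameterised version fixes the injection, but note that the second change in `safe_login` matters on its own: even with parameters, deciding "logged in" from "the recordset is not empty" is the wrong test once the query can return more than one row, so the check is for exactly one match.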
    



    This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 09:30:32 PST