Gary,

I don't know about that granting complete access, but what it does mean is that you have free rein to execute SQL commands directly to the server.

The most likely scenario is that to login a query like:

SELECT * FROM tblUsers WHERE Username='user' AND Password = 'pass'

The HTML form is filling in the 'user' and 'pass' with the data from the form. When you add a ' it escapes out of the variable (think strings in programming) and moves on to the rest of the SQL statement. Anything you add after the ' will be interpreted as more SQL to execute.

Since you most likely can change both the user and password fields you can change the SQL to pretty much anything. Assuming the web page is looking for the ID of the user, you could mimic any user by doing a SELECT * FROM tblUsers WHERE Username='admin';

HTML Form Values To Impersonate "admin":
User: admin';SELECT * FROM tblUsers WHERE 1='1
Password: blah

SQL String Generated:
SELECT * FROM tblUsers WHERE Username='admin';SELECT * FROM tblUsers WHERE 1='1' AND Password='blah'

Now, I realize I'm making quite a few assumptions, but with direct SQL access to the DB you could at the very least brute force a table listing. Depending on the level of access given to the user, you might even be able to CREATE or DROP tables.

I've found that the most secure way to do ASP/SQL is using Stored Procs and Views for everything without any direct table access.

Cheers,
Neil

On 11-19 (16:24), Gary O'leary-Steele wrote:
> Hello all,
>
> I am doing a pen test against an IIS 5 web server. The web server requires a
> user name and password via a logon form. If a single quote character is
> entered (username) the following error is produced
>
> [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
> before the character string '' and password=''.
>
> I remember reading somewhere that this can be used to gain further access?
> but I can't find the info.
>
> Can anyone help?
>
> Thanks in advance.
>
> Gary
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
> ----------------------------------------------------------------------------
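Added example, not part of the original thread: the concatenated login query the reply describes, next to the same lookup using bound parameters, so the effect of a quote in the form value can be compared. Python's sqlite3 stands in for the ASP/SQL Server stack here, the function names are hypothetical, and the table row is constructed sample data.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the login table; the row is constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblUsers (Username TEXT, Password TEXT)")
    db.execute("INSERT INTO tblUsers VALUES ('admin', 's3cret')")
    return db

def build_login_sql(user, password):
    # Pattern described in the post: form values are pasted into the SQL text,
    # so a quote in the input ends the string literal early.
    return ("SELECT * FROM tblUsers WHERE Username='" + user +
            "' AND Password='" + password + "'")

def login_concat(db, user, password):
    """Concatenated query: input can change the statement itself."""
    try:
        return db.execute(build_login_sql(user, password)).fetchone() is not None
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # A lone quote surfaces as a syntax error, like the ODBC message in the thread.
        return "SQL error: %s" % exc

def login_param(db, user, password):
    """Bound parameters: input is only ever compared as data."""
    row = db.execute(
        "SELECT 1 FROM tblUsers WHERE Username=? AND Password=?",
        (user, password),
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    crafted = "admin';SELECT * FROM tblUsers WHERE 1='1"  # form value from the post
    print(build_login_sql(crafted, "blah"))
    print(login_concat(db, "'", ""))
    print(login_param(db, crafted, "blah"), login_param(db, "admin", "s3cret"))
```

With bound parameters the quote never reaches the SQL parser as syntax, so the same form values only produce a failed login.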
This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 09:53:53 PST