All,
I missed the SQL injection talks at bh/defcon - must
have been my fault - I was told that they were good
presentations. However I did see in the CD a glimpse
of some injection techniques that I tried to follow as
below.
I have a internal WEB app that has the following
characteristics:
iis 4.0 (with all patches) - I even tried the old %2e
asp display the source code and and all variants of
the showcode.asp ! darn those security conscious
admins !
input screen is javascript with a form - I can view
the input page to see the script !
form requires 2 inputs
login & password
placing a ' in the login box produces the following
messages
Microsoft OLE DB Provider for ODBC Drivers error
'80040e14'
[Microsoft][ODBC SQL Server Driver][SQL
Server]Unclosed quote before the character string '''.
/Login.asp, line 73
They must not be screening out the ' and thanks to
the error messages I know that the result is going to
be passed to an SQl server. What next ??
I tried
'--
in the login box and & got a message saying that the
login name was not found
I tried
login name = valid name
with a password of
‘ union select * from users where admin=1—
and the message sez the password is wrong for the
login.
I also tried
‘ union select * from users where admin=1—
in the login field and received a message saying that
the login was longer than 7 characters
Perhaps I am missing some intermediate step(s) ??
Any suggestions ??
__________________________________________________
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Received on Aug 07 2001
Intro
