There IS actually an input filter on %input%. That is why the input
'test
becomes the output
''test
in the SQL query. Doubling the quotes causes just about any database engine
to view the quote as part of the parameter rather than as the end of the
parameter. So exploiting the issue brought up by rfp is a bit more
difficult.
In this case you need a way to outsmart the input filter and insert a single
quote without it being doubled. How exactly to escape out the second quote
added by the input filter depends on what system, database and network
software are being used.
> -----Original Message-----
> From: Penetration Testers [mailto:PEN-TEST_at_SECURITYFOCUS.COM] On Behalf
> Of Philip Wagenaar
> Sent: Wednesday, February 07, 2001 7:34 PM
> To: PEN-TEST_at_SECURITYFOCUS.COM
> Subject: Re: [PEN-TEST] Hacking SQL queries ...
>
>
> Be sure to put an input filter on %input%. If somebody enters a string
> containing ' it will crash the query.
>
> -----Original Message-----
> From: Penetration Testers [mailto:PEN-TEST_at_SECURITYFOCUS.COM] On Behalf
> Of Aurobindo Sundaram (+1 512 918 1390)
> Sent: Wednesday, 7 February 2001 21:08
> To: PEN-TEST_at_SECURITYFOCUS.COM
> Subject: [PEN-TEST] Hacking SQL queries ...
>
>
> I have to audit a bit of code that does the following
>
> SELECT Name FROM Users WHERE Name LIKE '%input%' ORDER BY Name
>
> where input is the user-input. When I try the input 'test, the code
> generated is
>
> SELECT Name FROM Users WHERE Name LIKE '%''test%' ORDER BY Name
>
> Since I'm an SQL newbie, I'd be curious to know how someone could supply
> the appropriate input to do bad things on the SQL server - either in R/O or
> R/W mode
>
> If there are SQL hacking pages someplace, a link would be appreciated
>
> Thanks,
> Robin
>
Received on Feb 10 2001
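The behaviour discussed in the thread, as an added example that is not part of the original messages: a constructed SQLite table, the crash a stray quote causes without a filter, the quote-doubling filter applied to the string-built LIKE query, and the parameterised form that needs no filter at all because the driver never lets the input become part of the SQL text. Table contents and function names are my own.

```python
import sqlite3


def make_db():
    """Constructed sample table; one name deliberately contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?)",
                     [("alice",), ("bob",), ("o'test",)])
    return conn


def quote_doubling_filter(value):
    """The input filter described in the thread: every ' becomes ''."""
    return value.replace("'", "''")


def unfiltered_query_breaks(conn, user_input):
    """Reproduces the crash reported in the thread: with no filter a stray
    quote ends the string literal early and the engine rejects the statement."""
    sql = ("SELECT Name FROM Users WHERE Name LIKE '%" + user_input
           + "%' ORDER BY Name")
    try:
        conn.execute(sql).fetchall()
        return False
    except sqlite3.OperationalError:
        return True


def search_concat_filtered(conn, user_input):
    """The string-built query from the original post with the doubling filter
    applied; the doubled quote is now data inside the literal, so 'test
    matches names containing 'test instead of breaking the query."""
    sql = ("SELECT Name FROM Users WHERE Name LIKE '%"
           + quote_doubling_filter(user_input) + "%' ORDER BY Name")
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, user_input):
    """Parameterised form: SQL text and data travel separately, so no quote
    in the input can ever terminate the literal, whatever the engine."""
    sql = "SELECT Name FROM Users WHERE Name LIKE ? ORDER BY Name"
    pattern = "%" + user_input + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    print(unfiltered_query_breaks(db, "'test"))   # True: statement rejected
    print(search_concat_filtered(db, "'test"))    # ["o'test"]
    print(search_param(db, "'test"))              # ["o'test"]
```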