Penetration Testing mailing list archives

Re: SQL Injection question
From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Mon, 5 Jan 2004 13:56:14 -0500


The only way you're ever going to know is if you review the code. The 500
may be the result of a validation mechanism that detects malformed input and
generates the error.  Or it may be the result of a database call that is
failing and throwing an exception that is handled by a generic error

You can waste a lot of time trying various injections and combinations to
get a more detailed error message, but you'll never know for sure unless you
check the code. For SQL injection in particular, it's far more efficient to
check to make sure that all SQL query parameters are validated or sanitized
properly in the code.


Jeff Williams
Aspect Security
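An added illustration of the code review Jeff recommends (example code, not from either poster): the unsafe lookup that trusts the form field beside a hardened one that validates server-side and binds the value, run over a constructed in-memory SQLite table. The table, column and function names are assumptions; the point is that both a validation rejection and a failing database call surface as an exception a generic handler would map to the same 500 page.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the customer's database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_unsafe(conn, order_id):
    """The pattern a review should flag: the form value is pasted into the SQL
    text. Only the browser-side JavaScript ever checked that it was numeric,
    and an intercepting proxy lets the client skip that check entirely."""
    sql = "SELECT customer FROM orders WHERE id = " + order_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, order_id):
    """Server-side validation plus a parameterised query: the value is checked
    before any database call, and the driver binds it as data, not as SQL."""
    if not re.fullmatch(r"[0-9]{1,9}", order_id):
        raise ValueError("order id must be numeric")
    rows = conn.execute("SELECT customer FROM orders WHERE id = ?",
                        (int(order_id),))
    return [row[0] for row in rows]


def classify_error(fn, conn, value):
    """Why a bare 500 is ambiguous: a generic CGI error handler sees only
    'an exception happened'. Returns the exception class name, or 'ok'."""
    try:
        fn(conn, value)
        return "ok"
    except Exception as exc:
        return type(exc).__name__
```

With a non-numeric value the unsafe path raises the driver's OperationalError (the database call fails) while the safe path raises ValueError (validation fired); from outside, both look like the same 500.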

----- Original Message ----- 
From: Sasa Jusic
To: 'pen-test () securityfocus com'
Sent: Monday, January 05, 2004 7:53 AM
Subject: SQL Injection question

Hi group,

I am conducting a Pen test for a customer, and for the last few days I have been
struggling with their Web application running on Apache/mod_ssl Web Server
using CGI interface. During the initial assessment I found several Web forms
using POST method, so I began searching for SQL Injection Vulnerabilities.

The problem is that forms are well protected, and they are only accepting
numeric values, so I can't insert any malicious characters to test for SQL
vulnerabilities. Then I discovered that the form input validation is done
with JavaScript code on the client side, so I used the Paros proxy tool for
intercepting and modification of submitted form values. In this way I
managed to submit arbitrary data to the server, and the server response
was "500 Internal Server Error" without any useful information about the
error reason or underlying database structure. I tried various combinations
typical for SQL Injection assessment, but the response was always the same.

In several places I have read that this type of error is one of the possible
indicators of SQL Injection problems, so I would like to examine this
problem more carefully.

How can I know if this is really a SQL Injection problem or some other
error? Is there any way I can elicit some more information about the
structure of the database or any other useful information I can use for
further testing?

I don't have much practical experience with SQL Injection so I would really
appreciate any help.

Best regards,

