Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: SQL Injection question
From: "Adam Tuliper" <amt () gecko-software com>
Date: Mon, 05 Jan 2004 17:10:25 -0500

Hi Sasa,
You mentioned it gave you a:
"500 Internal Server Error" without any useful information
about the error reason or underlying database structure."

Do you by any chance have "show friendly http error
messages" checked on in the IE settings?


Adam Tuliper
Gecko Software LLC.


----- Original Message -----
From: Sasa Jusic
To: 'pen-test () securityfocus com'
Sent: Monday, January 05, 2004 7:53 AM
Subject: SQL Injection question


Hi group,

I am conducting a Pen test for a customer, and last few
days I have been
struggling with their Web application running on
Apache/mod_ssl Web Server
using CGI interface. During the initial assessment I
found several Web forms
using POST method, so I began searching for SQL Injection
Vulnerabilities.

The problem is that forms are well protected, and they
are only accepting
numeric values, so I can't insert any malicious
characters to test for SQL
vulnerabilities. Then I discovered that the form input
validation is done
with JavaScript code on the client side, so I used the
Paros proxy tool for
intercepting and modification of submitted form values.
In this way I
managed to submit the arbitrary data to the server, and
the server response
was "500 Internal Server Error" without any useful
information about the
error reason or underlying database structure. I tried
various combinations
typical for SQL Injection assessment, but the response
was always the same.

On several places I have red that this type of error is
one of the possible
indicators of SQL Injection problems, so I would like to
examine this
problem more carefully.

How can I know if this is really a SQL Injection problem
or some other
error? Is there any way I can elicit some more
information about the
structure of the database or any other useful information
I can use for
further testing?

I don't have much practical experience with SQL Injection
so I would really
appreciate any help.

Best regards,

Sasa.


---------------------------------------------------------------------------

----------------------------------------------------------------------------



---------------------------------------------------------------------------

----------------------------------------------------------------------------






---------------------------------------------------------------------------

----------------------------------------------------------------------------


---------------------------------------------------------------------
Web mail provided by NuNet, Inc. The Premier National provider.
http://www.nni.com/


---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault