Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: SQL Injection question
From: "Tibor Biro" <tiborbiro () rogers com>
Date: Mon, 5 Jan 2004 15:54:26 -0500

Hi Sasa,

What you have is probably a blind SQL injection vulnerability. There are
several good documents out there that can help you with clues and SQL
constructs that give you some information. 

I found this document good for my purposes:
http://www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf

You can get anything without actually seeing the results, just follow
the white rabbit. It will help if you script the requests as you will
need a huge amount of requests to extract actual data.

Google can also help you:
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=blind+SQL+injecti
on&meta=

Regards,
Tibor

-----Original Message-----
From: Sasa Jusic [mailto:sjusic () pamela zesoi fer hr]
Sent: January 5, 2004 7:54 AM
To: 'pen-test () securityfocus com'
Subject: SQL Injection question

Hi group,

I am conducting a Pen test for a customer, and last few days I have
been
struggling with their Web application running on Apache/mod_ssl Web
Server
using CGI interface. During the initial assessment I found several Web
forms
using POST method, so I began searching for SQL Injection
Vulnerabilities.

The problem is that forms are well protected, and they are only
accepting
numeric values, so I can't insert any malicious characters to test for
SQL
vulnerabilities. Then I discovered that the form input validation is
done
with JavaScript code on the client side, so I used the Paros proxy
tool
for
intercepting and modification of submitted form values. In this way I
managed to submit the arbitrary data to the server, and the server
response
was "500 Internal Server Error" without any useful information about
the
error reason or underlying database structure. I tried various
combinations
typical for SQL Injection assessment, but the response was always the
same.

On several places I have red that this type of error is one of the
possible
indicators of SQL Injection problems, so I would like to examine this
problem more carefully.

How can I know if this is really a SQL Injection problem or some other
error? Is there any way I can elicit some more information about the
structure of the database or any other useful information I can use
for
further testing?

I don't have much practical experience with SQL Injection so I would
really
appreciate any help.

Best regards,

Sasa.


------------------------------------------------------------------------
--
-

------------------------------------------------------------------------
--
--


---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault