WebApp Sec: Re: yet another injection question

Re: yet another injection question

From: Kevin Spett <kspett_at_spidynamics.com>
Date: Tue, 15 Apr 2003 11:40:49 -0400

Can you post the SQL statement you're using, including whatever you need to
break out of the application's original SQL statement?

Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "ronen" <ronen_at_avnet.co.il>
To: "web-app-sec list" <webappsec_at_securityfocus.com>
Sent: Tuesday, April 15, 2003 3:48 AM
Subject: yet another injection question

> Hello all,
>
> While pen testing a web application, and bypassing the authentication using
> a basic injection, I've tried to add a user to the database through a
> built-in form.
>
> However, when sending the URL, I received the following:
>
> [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value NULL
> into column 'FOO', table 'BAR'; column does not allow nulls. INSERT fails.
>
> The request URL has a field named 'FOO', and I explicitly inserted a value
> to that field.
>
> I was logged in with a privileged user (seems to have the highest privileges
> available).
>
> Any idea what's the reason for the mentioned ODBC error?
>
> BTW, the system is a 'Microsoft SQL Server 7.00 - 7.00.1063' running on
> Windows NT 5.0 (Build 2195: Service Pack 3).
>
> Thanking you all in advance.
>
> Ronen
Received on Apr 15 2003
