WebApp Sec: RE: yet another injection question

RE: yet another injection question

From: ronen <ronen_at_avnet.co.il>
Date: Tue, 15 Apr 2003 19:21:41 +0200

Thanks Jacob.

However, it seems that I didn’t explain myself correctly. A thousand
apologies.

The request that creates the user has a 'FOO' field already, and I made
sure that this field will have an explicit value.

This was done using the credentials of an existing and privileged user
(the account was accessed with good old injection techniques).

Thanks again for the help and the quick response.

Ronen.

-----Original Message-----
From: Jacob Hurley [mailto:jacobh_at_aos5.com]
Sent: Tuesday, April 15, 2003 5:02 PM
To: ronen; web-app-sec list
Subject: RE: yet another injection question

the problem is with your sql query to insert into the database, it's
telling you that FOO can't be NULL.. so append to your INSERT / VALUE
statement a value for FOO

looks like the hard part is over, if it was hard :p

Jacob Hurley

-----Original Message-----
From: ronen [mailto:ronen_at_avnet.co.il]
Sent: Tuesday, April 15, 2003 2:49 AM
To: web-app-sec list
Subject: yet another injection question

Hello all,

While pen testing a web application, and bypassing the authentication
using a basic injection, I've tried to add a user to the database
through a built-in form.

However, when sending the URL, I received the following:

[Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value
NULL into column 'FOO', table 'BAR'; column does not allow nulls. INSERT
fails.

The request URL has a field named 'FOO', and I explicitly inserted a
value to that field.

I was logged in with a privileged user (seems to have the highest
privileges available).

Any idea what's the reason for the mentioned ODBC error?

BTW, the system is a 'Microsoft SQL Server 7.00 - 7.00.1063' running on
Windows NT 5.0 (Build 2195: Service Pack 3).

Thanking you all in advance.

Ronen
Received on Apr 15 2003
