WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: SQL injection (no single quotes used)

From: "Brett Moore" <brett.moore () security-assessment com>
Date: Thu, 16 Dec 2004 12:12:14 +1300
Thanks and sorry for sending a not so tested POC to
all of you.


Don't be... I often use the CR/LF pairs to bypass filters
in SQL (against MS SQL). %0a%0d can sometimes work, but it
is better to send the 'raw' bytes as a post. Using a
textarea field works great for this.

The GO statement, (from memory and what ppl are saying)
will not work. But this method can be used to bypass
filters that remove spaces.

select
something
from
somewhere

is a valid statement.

Also to bypass filters that look explicitly for strings,
which is always a bad idea.
For example if a filter looked for
"select ","update " or any term with a space after it.
Things like "exec master" etc, can also be bypassed.

Brett Moore
Network Intrusion Specialist, CTO
Security-Assessment.com

-----Original Message-----
From: Juan Carlos [mailto:johnccr () yahoo com]
Sent: Thursday, 16 December 2004 5:50 a.m.
To: Olivier G. Gaumond
Cc: webappsec () securityfocus com
Subject: Re: SQL injection (no single quotes used)


on my!

you are right, this won't work with ADO for example,
my bad :(

Thanks and sorry for sending a not so tested POC to
all of you.

-JC

 --- "Olivier G. Gaumond" <olig () monimap com> escribió:


Juan Carlos Calderon wrote:

Here the MS Documentation for GO Keyword:
<snip>
SQL Server utilities interpret GO as a signal that
they should send the current batch of Transact-SQL
statements to SQL Server. The current batch of
statements is composed of all statements entered

since

the last GO, or since the start of the ad hoc

session

or script if this is the first GO
</snip>


This may work in SQL Server utilities such as Query
Analyzer, but the GO
keyword is not part of the T-SQL language, so this
would not work in a
query sent by ADO.  At least it doesn't work with
the ADO.NET SqlClient
provider.

Olivier




ATTACHMENT part 2 application/x-pkcs7-signature

name=smime.p7s


_________________________________________________________
Do You Yahoo!?
Información de Estados Unidos y América Latina, en Yahoo! Noticias.
Visítanos en http://noticias.espanol.yahoo.com


######################################################################
CONFIDENTIALITY NOTICE: 

This message and any attachment(s) are confidential and proprietary. 
They may also be privileged or otherwise protected from disclosure. If 
you are not the intended recipient, advise the sender and delete this 
message and any attachment from your system. If you are not the 
intended recipient, you are not authorised to use or copy this message 
or attachment or disclose the contents to any other person. Views 
expressed are not necessarily endorsed by Security-Assessment.com 
Limited. Please note that this communication does not designate an 
information system for the purposes of the New Zealand Electronic 
Transactions Act 2003.
######################################################################
Previous By Date Next
Previous By Thread Next

Current thread: