WebApp Sec mailing list archives
RE: SQL injection
From: "John McGuire" <jmcguire81 () cox net>
Date: Wed, 19 Jan 2005 02:07:47 -0700
Quite a bit of damage could be done. If you have the patience, you can map out every table/field in the database using a series of JOINS if I remember correctly. You could then save a dump of all the data in that database.

John McGuire
BlackLight Systems

-----Original Message-----

I have just discovered that I can successfully inject the following SQL:

' OR 1=1; --

into the Username field of a logon form on a "secure" site in my corporate network (Windows 2000, SQL 7.0). When I do this, leaving the password field blank, I am logged into the system as the first user in the "Users" table in the DB which is being authenticated against. LOL.

If I can get that far, can't I theoretically:

' OR 1=1; DELETE Users; --

or something similar? Couldn't I EXEC some system sprocs this way too? How much damage/rooting can be done here? I need to present a detailed report to the admins.
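Added example, not part of the original message or thread: the logon check described above, written once with string concatenation and once with bound parameters, so a report to the admins can show the fix next to the flaw. The table layout, the sample accounts and the function names are assumptions, and an in-memory SQLite database stands in for the SQL Server 7.0 back end.

```python
import sqlite3

def make_db():
    """Build a constructed Users table (sample accounts, not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, "
               "username TEXT, password TEXT)")
    # Plaintext passwords only mirror the query shape in the message;
    # a real system stores salted password hashes.
    db.executemany("INSERT INTO Users (username, password) VALUES (?, ?)",
                   [("admin", "s3cret-admin"), ("alice", "s3cret-alice")])
    return db

def login_concatenated(db, username, password):
    """Vulnerable pattern: form input is spliced into the SQL text."""
    sql = ("SELECT username FROM Users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, password):
    """Hardened pattern: input is bound as data and never parsed as SQL."""
    row = db.execute(
        "SELECT username FROM Users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

def user_count(db):
    return db.execute("SELECT COUNT(*) FROM Users").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    # The two inputs quoted in the message, entered with a blank password.
    for value in ("' OR 1=1; --", "' OR 1=1; DELETE Users; --"):
        print(repr(value), "-> parameterized login:",
              login_parameterized(db, value, ""),
              "| rows left:", user_count(db))
    # The concatenated form reproduces the reported behaviour:
    # the WHERE clause is always true and the first row comes back.
    print("concatenated login:", login_concatenated(db, "' OR 1=1; --", ""))
    print("legitimate login:",
          login_parameterized(db, "alice", "s3cret-alice"))
```

Binding parameters closes the logon bypass; running the application's database account with only the rights it needs limits what any remaining injection point could reach.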
