Penetration Testing mailing list archives
Re: SQL Injection question
From: "Adam Tuliper" <amt () gecko-software com>
Date: Mon, 05 Jan 2004 17:10:25 -0500
Hi Sasa, You mentioned it gave you a: "500 Internal Server Error" without any useful information about the error reason or underlying database structure." Do you by any chance have "show friendly http error messages" checked on in the IE settings? Adam Tuliper Gecko Software LLC.
----- Original Message ----- From: Sasa Jusic To: 'pen-test () securityfocus com' Sent: Monday, January 05, 2004 7:53 AM Subject: SQL Injection question Hi group, I am conducting a Pen test for a customer, and last few days I have been struggling with their Web application running on Apache/mod_ssl Web Server using CGI interface. During the initial assessment I found several Web forms using POST method, so I began searching for SQL Injection Vulnerabilities. The problem is that forms are well protected, and they are only accepting numeric values, so I can't insert any malicious characters to test for SQL vulnerabilities. Then I discovered that the form input validation is done with JavaScript code on the client side, so I used the Paros proxy tool for intercepting and modification of submitted form values. In this way I managed to submit the arbitrary data to the server, and the server response was "500 Internal Server Error" without any useful information about the error reason or underlying database structure. I tried various combinations typical for SQL Injection assessment, but the response was always the same. On several places I have red that this type of error is one of the possible indicators of SQL Injection problems, so I would like to examine this problem more carefully. How can I know if this is really a SQL Injection problem or some other error? Is there any way I can elicit some more information about the structure of the database or any other useful information I can use for further testing? I don't have much practical experience with SQL Injection so I would really appreciate any help. Best regards, Sasa.
---------------------------------------------------------------------------
----------------------------------------------------------------------------
---------------------------------------------------------------------------
----------------------------------------------------------------------------
---------------------------------------------------------------------------
----------------------------------------------------------------------------
--------------------------------------------------------------------- Web mail provided by NuNet, Inc. The Premier National provider. http://www.nni.com/ --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- SQL Injection question Sasa Jusic (Jan 05)
- Re: SQL Injection question Jeff Williams @ Aspect (Jan 05)
- RE: SQL Injection question Yvan Boily (Jan 05)
- Re: SQL Injection question Adam Tuliper (Jan 05)
- Reverse Engineering thoughts n30 (Jan 07)
- Re: Reverse Engineering thoughts Riad S. Wahby (Jan 07)
- Re: Reverse Engineering thoughts johnny cyberpunk (Jan 07)
- RE: Reverse Engineering thoughts Brett Moore (Jan 07)
- Re: Reverse Engineering thoughts Adam Tuliper (Jan 07)
- RE: SQL Injection question Yvan Boily (Jan 05)
- Re: SQL Injection question Jeff Williams @ Aspect (Jan 05)
- RE: SQL Injection question Tibor Biro (Jan 05)
- <Possible follow-ups>
- RE: SQL Injection question Lachniet, Mark (Jan 05)
- RE: SQL Injection question Scovetta, Michael V (Jan 05)
- SQL injection question John (Jan 21)
- Re: SQL injection question .Saphyr (Jan 22)