Penetration Testing mailing list archives

Re: sql injection: url or form based?


From: AdamT <adwulf () gmail com>
Date: Fri, 10 Feb 2006 16:39:31 +0000

On 2/10/06, johnny Mnemonic <security4thefainthearted () hotmail com> wrote:
> I see many references to manipulation of SQL backend databases through both
> URL based and Forms based SQL injection but I'm wondering what are the
> essential differences between both methods and when to use one over the
> other.
> Thanks.

If I understand what you're asking correctly - then the difference is
based on what the web page is expecting the data to be.

If your ASP/PHP/ColdFusion/whatever script is expecting data to arrive
as part of an HTTP GET request, then you'd use a URL-based attack, as
your browser would essentially be requesting a web page with something
like this:

GET /scripts/insecure.php?variable=some_invalid_data HTTP/1.0

and if the script is expecting something sent as a POST request, then
you'd want a 'form' based attack.

This is a bit misleading, calling it a form-based attack, as HTML
forms can use both GET and POST methods.  Have a look in the HTML
source of one of the forms, and you should see something like:

action="insecure.php" method=POST

One thing you can try for POST data is to take a copy of the form,
save it locally and add a BASE HREF="http://path/to/original/file" in
the HTML.  Doing the BASE HREF trick also allows you to remove any
kind of client-side bounds checking put in with JavaScript or HTML.
You might have to spoof the referer header for some sites when you do
this, or at the very least, remove that header.

If you're going to be doing lots of SQL injection attacks via web
pages, you might like to take a look at Fiddler -
http://www.fiddlertool.com/fiddler/ - which I find is quite useful.


--
AdamT
'Thank-you for not requesting read receipts'
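
An added example, not part of the original post: a server-side handler that reads the same parameter from a GET query string or a POST form body, re-checks the length bound itself and binds the value into the query, so neither the transport nor a stripped client-side check changes the outcome. The table, the `MAX_LEN` bound, the function names and the sample requests are assumptions constructed for illustration.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

MAX_LEN = 20  # assumed bound, the kind a client-side maxlength/JavaScript check claims to enforce

def extract_param(raw_request, name):
    """Return the named parameter whether it arrived in the URL (GET) or the body (POST)."""
    head, _, body = raw_request.partition("\r\n\r\n")
    method, target, _version = head.split("\r\n")[0].split(" ")
    encoded = urlsplit(target).query if method == "GET" else body
    values = parse_qs(encoded, keep_blank_values=True).get(name)
    return values[0] if values else None

def make_db():
    """Constructed in-memory table standing in for the backend database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (name TEXT)")
    db.executemany("INSERT INTO items VALUES (?)", [("widget",), ("gadget",)])
    return db

def lookup(db, value):
    """Re-check the bound on the server, then pass the value as a bound parameter."""
    if value is None or len(value) > MAX_LEN:
        return "rejected"
    rows = db.execute("SELECT name FROM items WHERE name = ?", (value,)).fetchall()
    return [row[0] for row in rows]

def handle(raw_request):
    """One code path for both transports: the query never sees how the value arrived."""
    return lookup(make_db(), extract_param(raw_request, "variable"))

# Constructed sample requests (not captured traffic).
GET_REQ = "GET /scripts/insecure.php?variable=widget HTTP/1.0\r\n\r\n"
POST_REQ = ("POST /scripts/insecure.php HTTP/1.0\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: 15\r\n\r\nvariable=widget")
# A value containing quote characters: bound as data, it matches no row.
QUOTED_REQ = "GET /scripts/insecure.php?variable=x%27%20OR%20%271%27%3D%271 HTTP/1.0\r\n\r\n"
# A value longer than any client-side limit would have allowed.
LONG_REQ = "POST /scripts/insecure.php HTTP/1.0\r\n\r\nvariable=" + "A" * 200

if __name__ == "__main__":
    for req in (GET_REQ, POST_REQ, QUOTED_REQ, LONG_REQ):
        print(req.split("\r\n")[0][:60], "->", handle(req))
```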
