WebApp Sec mailing list archives

Re: SQL Injection Basics

From: Loki <loki () fatelabs com>
Date: 09 Feb 2003 00:16:01 -0500

Raul:

SQL injection is not replacing the userid field in the url with "sdfsd",
its escaping an SQL query with a single tick (') that the developer
doesn't escape (or in the case of PHP, GLOBALS is turned on in the
php.ini). 

SQL injection is simply altering the SQL query sent to the SQL server
and executing an a malicious query instead of what was expected by the
developer. Depending on the remote server (Oracle, Microsoft SQL, MySQL,
PostgreSQL), these statements will only differ based on their stored
procedures. Microsoft SQL containing the more fun procedure of
(xp_cmdshell) :)

e.g.

'SELECT * FROM USERS
Username: ' or 1=1--


There are several papers available on SQL injection attacks, one in
particular written by Chris Anley at
http://www.nextgenss.com/research/papers.html

Typically, you can quickly check web apps for vulnerability to injection
by just entering a single tick (') in the form submission field, hitting
submit, and looking for any errors such as ODBC, etc.



Loki
Fate Research Labs
www.fatelabs.com



On Sat, 2003-02-08 at 20:21, raul.johhut () hushmail com wrote:

I am pen testing a webapp and am having some problems with SQL injection. 

The app creates an ODBC error. Is this a garuntee of SQL Injection ?

If I use www.victim/test.asp?userid=sfdsd

the error is "inncorrect syntax near line 28 of test.asp" (or thats the English translation equiv in my case).

I know the database is called master, and has a table test. What is the syntax I should use ?

What are the best freeware and open source tools for testing SQL injection ? I tried WPosion which was OK.

I also tried WebSleuth (which seems to have gone from GPL to closed source commercial btw). Am I right is saying that 
the SQL plugin has to connect directly to the database to work ? I can only see port 80 so don't think this will work 
?

Thanks, Raul.



Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Big $$$ to be made with the HushMail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427

-- 
Loki <loki () fatelabs com>

Current thread:

SQL Injection Basics raul . johhut (Feb 08)
- Re: SQL Injection Basics Loki (Feb 09)
  - Re: SQL Injection Basics Nick Jacobsen (Feb 10)
    - RE: SQL Injection Basics Forrest Lee Andrews (Feb 10)
    - RE: SQL Injection Basics Dennis Hurst (Feb 10)
    - Re: SQL Injection Basics Nick Jacobsen (Feb 10)
    - Re: SQL Injection Basics Dave Aitel (Feb 10)
    - RE: SQL Injection Basics Dennis Hurst (Feb 10)
    - Re: SQL Injection Basics Taco Fleur (Feb 10)
    - RE: SQL Injection Basics Robert Nilsen (Feb 10)
    - Re: SQL Injection Basics Dirk Gomez (Feb 10)
    - RE: SQL Injection Basics Keith Smith (Feb 10)

(Thread continues...)