Re: SQL Injection Basics

[Dave Aitel <dave () immunitysec com>]

That is something covered in Chris Anley's paper. 

-dave


On Mon, 10 Feb 2003 13:37:35 -0800
"Nick Jacobsen" <nick () ethicsdesign com> wrote:

> Right, I wasn't thinking too well...  makes sense.  Though, according
> to quite a few SQL injection faqs I have read, it said that you could
> only inject code if the developer used tick marks.  However, I just
> recently used SQL injection on some code where the developer used NO
> tick marks, but injection still worked if the injection string
> contained TWO tick marks. Was this just a fluke, or is it something
> that the faqs had wrong?
>
> Nick J.
> nick () ethicsdesign com
>
> ----- Original Message -----
> From: "Dennis Hurst" <dhurst () spidynamics com>
> To: "'Nick Jacobsen'" <nick () ethicsdesign com>
> Cc: <webappsec () securityfocus com>
> Sent: Monday, February 10, 2003 8:59 AM
> Subject: RE: SQL Injection Basics
>
>
> > Nick,
> >
> > Good question, but SQL Injection is absolutely an issue in VBScript
> > (ASP pages).  Here's the deal, the ' only acts as a comment if it's
> > in the source code, not when it's in a variable. So...
> >
> >
> > If you have code that looks like this:
> >
> > Dim sSql, rs, oConnection
> >
> > '..... Setup the connection......
> >
> > sSql = "Select * from myCustomers where FirstName = '" &
> > Request("txtFirstName") & "'"
> >
> > Set rs = oConnection.Execute(sSql)
> >
> > '.....do something with the returned data.....
> >
> >
> > And a user puts a ' in the text box called txtFirstName you end up
> > with something that acts like this:
> >
> > Dim sSql, rs, oConnection
> >
> > '..... Setup the connection......
> >
> > sSql = "Select * from myCustomers where FirstName = '''"
> >
> > Set rs = oConnection.Execute(sSql)
> >
> > '.....do something with the returned data.....
> >
> >
> >
> >
> >
> > Have a great day,
> >
> > Dennis Hurst
> > dhurst () spidynamics com
> > SPI Labs
> >
> >
> >
> > -----Original Message-----
> > From: Nick Jacobsen [mailto:nick () ethicsdesign com]
> > Sent: Monday, February 10, 2003 6:07 AM
> > To: Loki; raul.johhut () hushmail com
> > Cc: webappsec () securityfocus com
> > Subject: Re: SQL Injection Basics
> >
> >
> > Hmm...  just a gues here, but if a developer is using VBScript as
> > the scripting language, would SQL injection be impossible, since in
> > VBScript the
> > " ' " mark is a comment mark, and therefore never used in SQL
> > statements?
> >
> > Nick J
> > nick () ethicsdesign com
> >
> > ----- Original Message -----
> > From: "Loki" <loki () fatelabs com>
> > To: <raul.johhut () hushmail com>
> > Cc: <webappsec () securityfocus com>
> > Sent: Saturday, February 08, 2003 9:16 PM
> > Subject: Re: SQL Injection Basics
> >
> >
> > > Raul:
> > >
> > > SQL injection is not replacing the userid field in the url with
> > "sdfsd",
> > > its escaping an SQL query with a single tick (') that the
> > > developer doesn't escape (or in the case of PHP, GLOBALS is turned
> > > on in the php.ini).
> > >
> > > SQL injection is simply altering the SQL query sent to the SQL
> > > server and executing an a malicious query instead of what was
> > > expected by the developer. Depending on the remote server (Oracle,
> > > Microsoft SQL,
> > MySQL,
> > > PostgreSQL), these statements will only differ based on their
> > > stored procedures. Microsoft SQL containing the more fun procedure
> > > of(xp_cmdshell) :)
> > >
> > > e.g.
> > >
> > > 'SELECT * FROM USERS
> > > Username: ' or 1=1--
> > >
> > >
> > > There are several papers available on SQL injection attacks, one
> > > in particular written by Chris Anley at
> > > http://www.nextgenss.com/research/papers.html
> > >
> > > Typically, you can quickly check web apps for vulnerability to
> > injection
> > > by just entering a single tick (') in the form submission field,
> > hitting
> > > submit, and looking for any errors such as ODBC, etc.
> > >
> > >
> > >
> > > Loki
> > > Fate Research Labs
> > > www.fatelabs.com
> > >
> > >
> > >
> > > On Sat, 2003-02-08 at 20:21, raul.johhut () hushmail com wrote:
> > > > I am pen testing a webapp and am having some problems with SQL
> > injection.
> > > > The app creates an ODBC error. Is this a garuntee of SQL
> > > > Injection ?
> > > >
> > > > If I use www.victim/test.asp?userid=sfdsd
> > > >
> > > > the error is "inncorrect syntax near line 28 of test.asp" (or
> > > > thats
> > the
> > English translation equiv in my case).
> > > > I know the database is called master, and has a table test. What
> > > > is
> > the
> > syntax I should use ?
> > > > What are the best freeware and open source tools for testing SQL
> > injection ? I tried WPosion which was OK.
> > > > I also tried WebSleuth (which seems to have gone from GPL to
> > > > closed
> > source commercial btw). Am I right is saying that the SQL plugin has
> > to connect directly to the database to work ? I can only see port 80
> > so don't
> > think this will work ?
> > > > Thanks, Raul.
> > > >
> > > >
> > > >
> > > > Concerned about your privacy? Follow this link to get
> > > > FREE encrypted email: https://www.hushmail.com/?l=2
> > > >
> > > > Big $$$ to be made with the HushMail Affiliate Program:
> > > > https://www.hushmail.com/about.php?subloc=affiliate&l=427
> > > --
> > > Loki <loki () fatelabs com>