WebApp Sec mailing list archives
RE: SQL Injection Basics
From: "Dennis Hurst" <dhurst () spidynamics com>
Date: Mon, 10 Feb 2003 17:05:36 -0500
Nick,

It really doesn't matter if the developer used tick marks or not, just if
you can inject something the developer didn't plan for into the SQL
string. If an extra tick (and many other character combinations) gets
injected anywhere in the string you will have SQL Injection issues. If the
developer does not parse for unexpected strings there are probably issues,
regardless of what the SQL statement looks like.

Have a great day,

Dennis Hurst
dhurst () spidynamics com
SPI Labs

-----Original Message-----
From: Nick Jacobsen [mailto:nick () ethicsdesign com]
Sent: Monday, February 10, 2003 4:38 PM
To: dhurst () spidynamics com; webappsec () securityfocus com
Subject: Re: SQL Injection Basics

Right, I wasn't thinking too well... makes sense. Though, according to
quite a few SQL injection FAQs I have read, it said that you could only
inject code if the developer used tick marks. However, I just recently
used SQL injection on some code where the developer used NO tick marks,
but injection still worked if the injection string contained TWO tick
marks. Was this just a fluke, or is it something that the FAQs had wrong?

Nick J.
nick () ethicsdesign com

----- Original Message -----
From: "Dennis Hurst" <dhurst () spidynamics com>
To: "'Nick Jacobsen'" <nick () ethicsdesign com>
Cc: <webappsec () securityfocus com>
Sent: Monday, February 10, 2003 8:59 AM
Subject: RE: SQL Injection Basics

Nick,

Good question, but SQL Injection is absolutely an issue in VBScript (ASP
pages). Here's the deal: the ' only acts as a comment if it's in the
source code, not when it's in a variable. So... if you have code that
looks like this:

    Dim sSql, rs, oConnection
    '..... Setup the connection......
    sSql = "Select * from myCustomers where FirstName = '" & Request("txtFirstName") & "'"
    Set rs = oConnection.Execute(sSql)
    '.....do something with the returned data.....

and a user puts a ' in the text box called txtFirstName, you end up with
something that acts like this:

    Dim sSql, rs, oConnection
    '..... Setup the connection......
    sSql = "Select * from myCustomers where FirstName = '''"
    Set rs = oConnection.Execute(sSql)
    '.....do something with the returned data.....

Have a great day,

Dennis Hurst
dhurst () spidynamics com
SPI Labs

-----Original Message-----
From: Nick Jacobsen [mailto:nick () ethicsdesign com]
Sent: Monday, February 10, 2003 6:07 AM
To: Loki; raul.johhut () hushmail com
Cc: webappsec () securityfocus com
Subject: Re: SQL Injection Basics

Hmm... just a guess here, but if a developer is using VBScript as the
scripting language, would SQL injection be impossible, since in VBScript
the " ' " mark is a comment mark, and therefore never used in SQL
statements?

Nick J
nick () ethicsdesign com

----- Original Message -----
From: "Loki" <loki () fatelabs com>
To: <raul.johhut () hushmail com>
Cc: <webappsec () securityfocus com>
Sent: Saturday, February 08, 2003 9:16 PM
Subject: Re: SQL Injection Basics

Raul:

SQL injection is not replacing the userid field in the url with "sdfsd",
it's escaping an SQL query with a single tick (') that the developer
doesn't escape (or in the case of PHP, GLOBALS is turned on in the
php.ini). SQL injection is simply altering the SQL query sent to the SQL
server and executing a malicious query instead of what was expected by
the developer. Depending on the remote server (Oracle, Microsoft SQL,
MySQL, PostgreSQL), these statements will only differ based on their
stored procedures. Microsoft SQL containing the more fun procedure of
(xp_cmdshell) :)

e.g. 'SELECT * FROM USERS
Username: ' or 1=1--

There are several papers available on SQL injection attacks, one in
particular written by Chris Anley at
http://www.nextgenss.com/research/papers.html

Typically, you can quickly check web apps for vulnerability to injection
by just entering a single tick (') in the form submission field, hitting
submit, and looking for any errors such as ODBC, etc.

Loki
Fate Research Labs
www.fatelabs.com

On Sat, 2003-02-08 at 20:21, raul.johhut () hushmail com wrote:

I am pen testing a webapp and am having some problems with SQL injection.
The app creates an ODBC error. Is this a guarantee of SQL Injection?

If I use www.victim/test.asp?userid=sfdsd the error is "incorrect syntax
near line 28 of test.asp" (or that's the English translation equiv in my
case). I know the database is called master, and has a table test. What
is the syntax I should use?

What are the best freeware and open source tools for testing SQL
injection? I tried WPosion which was OK. I also tried WebSleuth (which
seems to have gone from GPL to closed source commercial btw). Am I right
in saying that the SQL plugin has to connect directly to the database to
work? I can only see port 80 so don't think this will work?

Thanks,
Raul.

--
Loki <loki () fatelabs com>
Current thread:
- SQL Injection Basics raul . johhut (Feb 08)
- Re: SQL Injection Basics Loki (Feb 09)
- Re: SQL Injection Basics Nick Jacobsen (Feb 10)
- RE: SQL Injection Basics Forrest Lee Andrews (Feb 10)
- RE: SQL Injection Basics Dennis Hurst (Feb 10)
- Re: SQL Injection Basics Nick Jacobsen (Feb 10)
- Re: SQL Injection Basics Dave Aitel (Feb 10)
- RE: SQL Injection Basics Dennis Hurst (Feb 10)
- Re: SQL Injection Basics Taco Fleur (Feb 10)
- RE: SQL Injection Basics Robert Nilsen (Feb 10)
- Re: SQL Injection Basics Dirk Gomez (Feb 10)
- RE: SQL Injection Basics Keith Smith (Feb 10)
- Re: SQL Injection Basics Kevin Spett (Feb 10)
- Re: SQL Injection Basics Dejan Bosanac (Feb 11)
- Re: SQL Injection Basics Dirk Gomez (Feb 11)
- Re: SQL Injection Basics Dejan Bosanac (Feb 11)
- Re: SQL Injection Basics Nick Jacobsen (Feb 10)
- Re: SQL Injection Basics Loki (Feb 09)
- Re: SQL Injection Basics Sverre H. Huseby (Feb 11)
- Re: SQL Injection Basics dreamwvr () dreamwvr com (Feb 11)