WebApp Sec mailing list archives

RE: yet another injection question


From: "Jacob Hurley" <jacobh () aos5 com>
Date: Tue, 15 Apr 2003 10:01:45 -0500



The problem is with your SQL query to insert into the database; it's telling you that FOO can't be NULL, so append to your INSERT / VALUE statement a value for FOO.

looks like the hard part is over, if it was hard  :p


Jacob Hurley




-----Original Message-----
From: ronen [mailto:ronen () avnet co il]
Sent: Tuesday, April 15, 2003 2:49 AM
To: web-app-sec list
Subject: yet another injection question


Hello all,



While pen testing a web application, and bypassing the authentication using
a basic injection, I've tried to add a user to the database through a
built-in form.



However, when sending the URL, I received the following:



[Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value NULL
into column 'FOO', table 'BAR'; column does not allow nulls. INSERT fails.





The request URL has a field named 'FOO', and I explicitly inserted a value
to that field.



I was logged in with a privileged user (seems to have the highest privileges
available).



Any idea what's the reason for the mentioned ODBC error?



BTW, the system is a 'Microsoft SQL Server 7.00 - 7.00.1063' running on
Windows NT 5.0 (Build 2195: Service Pack 3).



Thanking you all in advance.



Ronen



