WebApp Sec mailing list archives
RE: yet another injection question
From: "ronen" <ronen () avnet co il>
Date: Tue, 15 Apr 2003 19:21:41 +0200
Thanks Jacob.

However, it seems that I didn't explain myself correctly. A thousand apologies.

The request that creates the user has a 'FOO' field already, and I made sure that this field will have an explicit value. This was done using the credentials of an existing and privileged user (the account was accessed with good old injection techniques).

Thanks again for the help and the quick response.

Ronen.

-----Original Message-----
From: Jacob Hurley [mailto:jacobh () aos5 com]
Sent: Tuesday, April 15, 2003 5:02 PM
To: ronen; web-app-sec list
Subject: RE: yet another injection question

the problem is with your sql query to insert into the database, it's telling you that FOO can't be NULL.. so append to your INSERT / VALUE statement a value for FOO

looks like the hard part is over, if it was hard :p

Jacob Hurley

-----Original Message-----
From: ronen [mailto:ronen () avnet co il]
Sent: Tuesday, April 15, 2003 2:49 AM
To: web-app-sec list
Subject: yet another injection question

Hello all,

While pen testing a web application, and bypassing the authentication using a basic injection, I've tried to add a user to the database through a built-in form. However, when sending the URL, I received the following:

[Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value NULL into column 'FOO', table 'BAR'; column does not allow nulls. INSERT fails.

The request URL has a field named 'FOO', and I explicitly inserted a value to that field. I was logged in with a privileged user (seems to have the highest privileges available).

Any idea what's the reason for the mentioned ODBC error?

BTW, the system is a 'Microsoft SQL Server 7.00 - 7.00.1063' running on Windows NT 5.0 (Build 2195: Service Pack 3).

Thanking you all in advance.

Ronen