WebApp Sec mailing list archives

RE: SQL Injection data retrieving??


From: "Shields, Larry" <Larry.Shields () FMR COM>
Date: Wed, 15 Sep 2004 11:07:49 -0400

Just use blind SQL injection techniques documented in various
whitepapers on the topic to grab the data field within an AND, use
substring to grab a single letter, then do comparisons that return true
or false to see if it's greater than the letter 'm' or not.  If the page
returns normally, you've got a true condition, if it fails, you've got a
false condition.  Adjust your letter and continue until you have it.
Even if you can't return the entire field somewhere on the page, you can
use this technique to pull the data out (even if it's slow until you
automate the process).

See http://www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf for an
example.

-Larry
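
The true/false oracle Larry describes only exists because the application splices user input into the SQL text. The script below is an added illustration, not code from the original post or from the paper it links: it builds a constructed in-memory SQLite table (assumed schema `users(id, name)`), runs the same lookup once with string concatenation and once with a bound parameter, and models the "page returns normally" signal as "the query returned a row". With concatenation an appended boolean condition flips the result, which is what the blind technique keys on; with a parameter the input is compared as a literal and the oracle disappears. It also checks that a legitimate value containing an apostrophe only works with the parameterized form.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the application's database
    # (assumption: a single 'users' table with an id and a name column).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # SQL built by concatenation: the caller's text becomes part of the
    # statement, so an appended AND condition changes which rows come back.
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # Bound parameter: the driver passes the value separately from the SQL
    # text, so the whole input is compared literally against the column.
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def page_returns_normally(rows):
    # Models the oracle from the thread: the page looks "normal" when the
    # query produced a row and "fails" (empty page, error) when it did not.
    return len(rows) > 0


def demo():
    # Same two inputs through both lookups. The conditions are the generic
    # always-true / always-false form from the thread; the trailing '--'
    # comments out the closing quote the application appends.
    conn = make_db()
    true_probe = "alice' AND 1=1 --"
    false_probe = "alice' AND 1=2 --"
    return {
        # concatenation: result depends on the injected condition (oracle present)
        "vuln_true": page_returns_normally(lookup_vulnerable(conn, true_probe)),
        "vuln_false": page_returns_normally(lookup_vulnerable(conn, false_probe)),
        # parameter: neither probe matches a real name (no oracle)
        "param_true": page_returns_normally(lookup_parameterized(conn, true_probe)),
        "param_false": page_returns_normally(lookup_parameterized(conn, false_probe)),
    }


def literal_apostrophe_ok(conn):
    # A legitimate name with an apostrophe: the parameterized lookup finds
    # it; the concatenated statement fails to parse at all.
    name = "o'hara"
    conn.execute("INSERT INTO users VALUES (?, ?)", (3, name))
    param_ok = lookup_parameterized(conn, name) == [3]
    try:
        lookup_vulnerable(conn, name)
        concat_ok = True
    except sqlite3.OperationalError:
        concat_ok = False
    return param_ok, concat_ok


if __name__ == "__main__":
    print(demo())
    print(literal_apostrophe_ok(make_db()))
```

The point for the people Roland is trying to convince: the fix is not filtering the letters an attacker might compare against, it is never letting request data reach the SQL parser as code. Every driver in common use offers bound parameters; the apostrophe check above is also a cheap regression test that a query has actually been converted.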


-----Original Message-----
From: Jonathan Angliss [mailto:jon () netdork net] 
Sent: Tuesday, September 14, 2004 4:29 PM
To: Roland Despins
Cc: webappsec () securityfocus com
Subject: Re: SQL Injection data retrieving??

Hi Roland,

Monday, September 13, 2004, 1:26:47 AM, you wrote:
Our application is vulnerable to SQL injection and I'm trying to build
some sort of "exploit" in order to show them how simple it is to get
data out of our database! So they might consider security from another
point of view...

Extracting data is just one point of an exploit... you can always
destroy the data, or modify it so it is unusable. They might be more
influenced towards a more secure setup when all their data becomes
corrupt and unusable, or even worse, missing.

--
Jonathan Angliss
(jon () netdork net)

I am Drunk of Borg. Resistance is floor tile!
