WebApp Sec mailing list archives
Re: SQL injection
From: Cory Foy <Cory.Foy () mobilehwy com>
Date: Wed, 19 Jan 2005 08:33:12 -0500
Francesco wrote:
I have just discovered that I can successfully inject the following SQL: ' OR 1=1; -- into the Username field of a logon form on a "secure" site in my corporate network (Windows 2000, SQL 7.0). When I do this, leaving the password field blank, I am logged into the system as the first user in the "Users" table in the DB which is being authenticated against. LOL. If I can get that far, can't I theoretically: ' OR 1=1; DELETE Users; -- or something similar? Couldn't I EXEC some system sprocs this way too? How much damage/rooting can be done here? I need to present a detailed report to the admins.
We recently had another discussion on this on the Bugtraq list, and I found this paper to be a great introduction to SQL Injection attacks:
http://www.unixwiz.net/techtips/sql-injection.html
But the short of it is that you can pretty much run anything that the executing account has permissions for, including inserts, updates, drops, stored procs, etc. In addition, by combining various techniques you can discover login details and the such.
It's a very common occurrence (unfortunately) in the web world.
Cory