WebApp Sec mailing list archives

Re: SQL injection


From: Cory Foy <Cory.Foy () mobilehwy com>
Date: Wed, 19 Jan 2005 08:33:12 -0500



Francesco wrote:
I have just discovered that I can successfully inject the following SQL:

' OR 1=1; --

into the Username field of a logon form on a "secure" site in my
corporate network (Windows 2000, SQL 7.0).  When I do this, leaving the
password field blank, I am logged into the system as the first user in
the "Users" table in the DB which is being authenticated against.  LOL.

If I can get that far, can't I theoretically:

' OR 1=1; DELETE Users; --

or something similar? Couldn't I EXEC some system sprocs this way too? How much damage/rooting can be done here? I need to present a detailed
report to the admins.

We recently had another discussion on this on the Bugtraq list, and I found this paper to be a great introduction to SQL Injection attacks:

http://www.unixwiz.net/techtips/sql-injection.html

But the short of it is that you can pretty much run anything that the executing account has permissions for, including inserts, updates, drops, stored procs, etc. In addition, by combining various techniques you can discover login details and the such.

It's a very common occurrence (unfortunately) in the web world.

Cory
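To make the mechanism Francesco describes concrete, here is a small added example that is not part of the thread. It builds a login check the vulnerable way (string concatenation, the pattern that lets the quote and comment characters in the username rewrite the query) beside the parameterized form that the paper Cory links recommends. It uses an in-memory SQLite database rather than SQL 7.0 so it runs anywhere; the table name "Users" comes from the thread, while the column names, the sample accounts and the plaintext password column are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the thread). Passwords are stored in
# plaintext only to keep the demonstration short; a real system stores a
# salted hash and compares against that.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Exactly the string Francesco typed into the username field.
PAYLOAD = "' OR 1=1; --"


def make_db():
    """Create a throwaway database with a Users table and two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Parameters are used here too; never concatenate even seed data.
    conn.executemany(
        "INSERT INTO Users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The broken pattern: user input is spliced into the SQL text.

    With PAYLOAD as the username the statement becomes
        SELECT username FROM Users WHERE username = '' OR 1=1; --' AND password = ''
    The OR 1=1 matches every row and the -- comments out the password check,
    so fetchone() returns the first user in the table.
    """
    sql = (
        "SELECT username FROM Users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """The fix: placeholders are bound by the driver, so the input is only
    ever compared as a value and can never change the statement's shape."""
    sql = "SELECT username FROM Users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "alice", "s3cret"))   # alice (legitimate login)
    print(login_vulnerable(conn, PAYLOAD, ""))         # alice (bypassed: first user)
    print(login_parameterized(conn, PAYLOAD, ""))      # None (payload is just a name)
```

Two things worth knowing when reading the output. First, the bypass does not depend on anything exotic: the only "vulnerability" is that the application lets the database parser see the user's quote character, which is why parameterization closes it completely regardless of what the input contains. Second, Python's sqlite3 driver refuses to run more than one statement per execute() call, so the stacked `; DELETE Users` variant from the thread cannot be reproduced with this driver; whether stacked statements are accepted is a property of the database and driver in use, not of the injection itself, which is one reason the executing account's permissions (Cory's point above) matter so much.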
