WebApp Sec mailing list archives

Re: Is this exploitable via sql injection?
From: Rogan Dawes <discard () dawes za net>
Date: Fri, 14 Jan 2005 16:46:15 +0100

Nils Gundelach wrote:
Hi,

I get the following error if I use foo"bar as username on a friend's page:

You have an error in your SQL syntax near 'bar$" AND `password` = '5f4dcc3b5aa765d61d8327deb882cf99'' at line 3] ( 1064 : You have an error in your SQL syntax near 'bar$" AND `password` = '5f4dcc3b5aa765d61d8327deb882cf99'' at line 3 )

foo'bar does nothing. The password field is immune to injects with double quotes.

I think it is not exploitable, but I'm not an SQL expert.

Regards,
Nils
I'd guess that your query looks something like:

query = 'SELECT * FROM XXX WHERE USERNAME = "' + username + '}$"';

I'm not sure which of the password fields you supplied, but it does not look right in the error message. One field should not have any quotes around it, I think?

Nonetheless, from the first part, we should still be able to inject SQL, using something like:

username = 'foo$"--' // if you want to get access to user foo

I add the '$' into the username, as it appears that the script does so itself. Maybe the database is structured something like:

username$, MD5(Password)

Maybe I'm reading your error message wrong, though.

Regards,

Rogan
--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
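Added example, not part of the thread and not Nils's or Rogan's code: a Python script that rebuilds the query shape the error message implies and runs it against an in-memory SQLite database standing in for MySQL. It assumes, as the reply guesses, that the script appends '$"' to the username and that the table stores "username$"; the table, users and passwords are constructed for the example. The payload is aimed at user foo and uses no comment, because MySQL only treats "--" as a comment when whitespace follows it and the script appends '$"' directly after the input. With the password "password" the rebuilt query contains exactly the fragment MySQL quoted in the error, which is the check that the reconstruction matches what Nils saw.

```python
import hashlib
import sqlite3

# Constructed sample rows for this example; they are not from the thread.
# The stored usernames carry the trailing "$" that the quoted error message
# shows being appended to the input, following the reply's guess that the
# table holds "username$". Where that "$" really comes from is unknown.
USERS = [("foo$", "letmein"), ("admin$", "s3cret")]

# Exact text between MySQL's quotes in the error Nils posted. With the
# password "password" (MD5 5f4dcc3b5aa765d61d8327deb882cf99) and the
# username foo"bar, the reconstructed query below contains this substring.
ERROR_FRAGMENT = "bar$\" AND `password` = '5f4dcc3b5aa765d61d8327deb882cf99'"


def md5_hex(s: str) -> str:
    """The error shows an MD5 digest in the password clause, so the script
    hashes the password before building the query. MD5 is used here only to
    mirror that; it is not a recommendation for password storage."""
    return hashlib.md5(s.encode()).hexdigest()


def build_vulnerable_query(username: str, password: str) -> str:
    """Reconstruction (an assumption) of the query the error implies: the
    username is pasted between double quotes with "$" appended, the digest
    between single quotes, and the WHERE clause is line 3 as MySQL said."""
    return (
        "SELECT *\n"
        "FROM users\n"
        "WHERE `username` = \"" + username + "$\" "
        "AND `password` = '" + md5_hex(password) + "'"
    )


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database standing in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    # SQLite treats "..." as an identifier and only falls back to a string
    # literal when no such column exists (its legacy "DQS" behaviour);
    # MySQL treats "..." as a string literal by default. Ask SQLite for the
    # legacy behaviour explicitly where the API exists (Python 3.12+) so the
    # double-quoted query behaves as it would on MySQL.
    dqs = getattr(sqlite3, "SQLITE_DBCONFIG_DQS_DML", None)
    if dqs is not None and hasattr(conn, "setconfig"):
        conn.setconfig(dqs, True)
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, md5_hex(p)) for u, p in USERS])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-concatenated check, as the error message implies the page does."""
    return conn.execute(build_vulnerable_query(username, password)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the input never reaches the parser
    as SQL, so quotes in it cannot close the string or add operators."""
    row = conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username + "$", md5_hex(password)),
    ).fetchone()
    return row is not None


# Payload aimed at user foo, in the spirit of the reply's foo$"-- but without
# a comment, because MySQL only honours "--" when whitespace follows it and
# the script appends '$"' right after the input. The clause becomes
#   `username` = "foo$" OR "1"="1$" AND `password` = '<digest>'
# and AND binds tighter than OR, so foo's row matches whatever the password.
BYPASS = 'foo$" OR "1"="1'


def run_demo() -> dict:
    conn = make_db()
    results = {
        "normal_vulnerable": login_vulnerable(conn, "foo", "letmein"),
        "normal_safe": login_safe(conn, "foo", "letmein"),
        "wrong_password_safe": login_safe(conn, "foo", "wrong"),
        "bypass_vulnerable": login_vulnerable(conn, BYPASS, "wrong"),
        "bypass_safe": login_safe(conn, BYPASS, "wrong"),
        "foo_dquote_bar_safe": login_safe(conn, 'foo"bar', "password"),
        "reproduces_error_text": ERROR_FRAGMENT in build_vulnerable_query('foo"bar', "password"),
    }
    # foo"bar: the stray quote closes the string early and bar$" is left
    # dangling, which is exactly what MySQL's 1064 error complained about.
    try:
        login_vulnerable(conn, 'foo"bar', "password")
        results["foo_dquote_bar_vulnerable"] = "no error"
    except sqlite3.OperationalError:
        results["foo_dquote_bar_vulnerable"] = "syntax error"
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Run it directly to print each check. The concatenated version logs foo in with a wrong password and throws a syntax error on foo"bar, while the parameterised version returns a plain "no match" for both, which is the behaviour the password field in the thread already shows because it only ever sees a hex digest.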