WebApp Sec mailing list archives

SQL injection

From: "Francesco" <francesco () blackcoil com>
Date: Sun, 16 Jan 2005 22:33:50 -0800

I have just discovered that I can successfully inject the following SQL:

' OR 1=1; --

into the Username field of a logon form on a "secure" site in my
corporate network (Windows 2000, SQL 7.0).  When I do this, leaving the
password field blank, I am logged into the system as the first user in
the "Users" table in the DB which is being authenticated against.  LOL.

If I can get that far, can't I theoretically:

' OR 1=1; DELETE Users; --

or something similar?  Couldn't I EXEC some system sprocs this way too? 
How much damage/rooting can be done here?  I need to present a detailed
report to the admins.

Thanks,

Francesco
Francesco Sanfilippo
-------------------------------------------
Blackcoil Productions - http://blackcoil.com 
URL123 Link Service - http://url123.com

Current thread:

SQL injection Francesco (Jan 19)
- Re: SQL injection James Riden (Jan 23)
- Re: SQL injection Josh Zlatin-Amishav (Jan 23)
- RE: SQL injection John McGuire (Jan 23)
- Re: SQL injection exon (Jan 23)
- Re: SQL injection Serg Belokamen (Jan 23)
- Re: SQL injection Cory Foy (Jan 23)
- Re: SQL injection nummish (Jan 23)