WebApp Sec mailing list archives
RE: Simple to exploit SQL Injection ?
From: Pilon Mntry <pilonmntry () yahoo com>
Date: Mon, 28 Nov 2005 06:00:38 -0800 (PST)
If I understand correctly, it seems they escape quotes on the password field. Like in PHP, when magic_quotes_gpc is on AND strings are used as SQL params, SQL injection is impossible; here even the -- trick won't work. You should try to tamper with the login parameter.

-pilon

--- "Haaland, Vegar Linge" <Vegar.Linge.Haaland () palantir no> wrote:
And you could try using:

' or ''='

as username and password. That will make the query look like:

SELECT * FROM users WHERE username = '' or ''='' AND password = '' or ''=''

(Or anything that always is true.) Some examples: you could use:

hi' or 'a'='a

This will give you username = 'hi' or 'a'='a'. This will "always" be true (if I read the query right :P), cause 'a' equals 'a'. And so on.

-----Original Message-----
From: Yousef Syed [mailto:yousef.syed () gmail com]
Sent: 28. november 2005 13:20
To: Jason binger
Cc: webappsec () securityfocus com
Subject: Re: Simple to exploit SQL Injection ?

Hi Jason,

Try the following Password: ' OR 1=1 --

That should give the following SQL:

'SELECT * FROM users WHERE username = 'xyz' AND password = '' OR 1=1 -- '

Since 1 always evaluates to 1, the rest of the SQL will be ignored and you should get the result you were expecting. Using the "--" comment will stop anything else after this from being evaluated. That should stop you getting any syntax errors.

ys
--
Yousef Syed
"One senior official said the consultancy "doesn't have the greatest of reputations among civil servants. They come and state the bleeding obvious using Powerpoint"."

On 28/11/05, Jason binger <cisspstudy () yahoo com> wrote:

I am reviewing a .Net web application. When entering xyz for a username and ' for a password into a form I receive the following stack trace (extract):

System.Exception: Can't Load DataReader using SQL string: 'SELECT * FROM users WHERE username ='xyz'AND password = '''' -- Unclosed quotation mark before the character string '''. Line 1: Incorrect syntax near '''.

Now I would have thought this would be easy to exploit, but I can't bypass the logon page. xyz is a valid username. Any ideas?

Cheers
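The thread turns on three ways a login query can be built: spliced together from the form fields (which is what the stack trace reveals), spliced together after doubling every single quote (the magic_quotes_gpc effect Pilon describes, which is why the -- trick yields nothing), and bound as parameters. The following is an added example, not code from the thread or from the reviewed application; it uses an in-memory SQLite table with constructed sample data and a hypothetical `probe`/`compare` harness to show how each variant reacts to the two passwords discussed above.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the thread's users table (sample data, not the app's)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('xyz', 'correct horse')")
    return db

def login_concat(db, username, password):
    """Query assembled by string concatenation, the shape the stack trace reveals."""
    sql = ("SELECT * FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_escaped(db, username, password):
    """Same concatenation, but each single quote is doubled first: the effect of
    PHP's magic_quotes_gpc (or a manual Replace("'", "''")) that Pilon describes."""
    esc = lambda s: s.replace("'", "''")
    sql = ("SELECT * FROM users WHERE username = '" + esc(username) +
           "' AND password = '" + esc(password) + "'")
    return db.execute(sql).fetchone() is not None

def login_param(db, username, password):
    """Parameterised query: input is bound as a value, never spliced into SQL text."""
    row = db.execute("SELECT * FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row is not None

def probe(login, username, password):
    """Run one login variant; report True/False, or 'syntax error' when the
    database rejects the assembled statement (what Jason's app did on a lone ')."""
    db = make_db()
    try:
        return login(db, username, password)
    except sqlite3.OperationalError:
        return "syntax error"

def compare():
    """Try the thread's two probe passwords, with the valid username, against each variant."""
    cases = {"lone quote": "'", "comment trick": "' OR 1=1 --"}
    return {name: {"concat": probe(login_concat, "xyz", pw),
                   "escaped": probe(login_escaped, "xyz", pw),
                   "param": probe(login_param, "xyz", pw)}
            for name, pw in cases.items()}

if __name__ == "__main__":
    for name, results in compare().items():
        print(name, results)
```

Only the concatenated variant is bypassed by the comment trick; quote doubling defeats it here because both fields are string literals, and the parameterised form is the one that needs no escaping rule at all.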