Re: Simple to exploit SQL Injection ?

["Dean H. Saxe" <dean () fullfrontalnerdity com>]

Actually, it is not escaped, if it was the error would never occur.   
What you are seeing is the opening single quote from the query, the  
single quote passed by the user, the closing single quote from the  
query and a final single quote from the error message.  ;-)

-dhs

Dean H. Saxe, CEH
dean () fullfrontalnerdity com
"What difference does it make to the dead,  the orphans, and the  
homeless, whether the  mad destruction is wrought under the name of  
totalitarianism or the holy name of  liberty and democracy? "
    --Gandhi


On Nov 28, 2005, at 8:11 AM, Rich Bergmann wrote:






> The application is apparently "escaping" (doubling-up) quotes in the
> password field.  This is good practice, although a better (best?)  
> practice
> would be to parameterize the query.
>
> AFAIK, SQL injection on this form will be difficult, if not  
> impossible.
>
> -----Original Message-----
> From: Jason binger [mailto:cisspstudy () yahoo com]
> Sent: Sunday, November 27, 2005 7:50 PM
> To: webappsec () securityfocus com
> Subject: Simple to exploit SQL Injection ?
>
> I am reviewing a .Net web application. When entering
> xyz for a username and ' for a password into a form I
> receive the following stack trace (extract):
>
> System.Exception: Can't Load DataReader using SQL
> string: 'SELECT * FROM users WHERE username = 'xyz'
> AND password = '''' -- Unclosed quotation mark before
> the character string '''. Line 1: Incorrect syntax
> near '''.
>
> Now I would have thought this would be easy to
> exploit, but I can't bypass the logon page. xyz is a
> valid username. Any ideas?
>
> Cheers
>
>
>
>
> __________________________________
> Yahoo! Mail - PC Magazine Editors' Choice 2005
> http://mail.yahoo.com