WebApp Sec mailing list archives
RE: Simple to exploit SQL Injection ?
From: "Matt Fisher" <mfisher () spidynamics com>
Date: Tue, 29 Nov 2005 20:27:06 -0500
If you're getting that stack trace and you're NOT on the local machine, ,then someone misconfig'd the web.config. Take a look at the Custom Errors heading and make sure they're set to either ON or REMOTE. If they're OFF, then anyone who generates a 500 will get a stack trace or worse. I knew a dude once who studied up and studied up on SQL Injection then asked me to test his site. While his queries were all tight, he misconf'd the custom errors, so I got all his source code anyhow. Here's an interesting article on accidentally pushing debug code to production too. Definitely something to be avoided. http://www.aspnetresources.com/articles/debug_code_in_production.aspx
-----Original Message----- From: bryan allott [mailto:homegrown () bryanallott net] Sent: Monday, November 28, 2005 2:43 PM To: Jason binger; webappsec () securityfocus com Subject: Re: Simple to exploit SQL Injection ? just a by-the-by... although not a successful SQL injection attack, the error message you're receiving as a public user already tell you a little about their database... Probably not too much to go with, but a better exception message would have been: "Invalid credentials" or something equally generic and less revealing. so probably also be on the lookout for other places where more information is displayed than usual.. other famous .Net parser and other jit compile errors tell u quite a bit about the filesystem :) ----- Original Message ----- From: "Jason binger" <cisspstudy () yahoo com> To: <webappsec () securityfocus com> Sent: Monday, November 28, 2005 2:49 AM Subject: Simple to exploit SQL Injection ? I am reviewing a .Net web application. When entering xyz for a username and ' for a password into a form I receive the following stack trace (extract): System.Exception: Can't Load DataReader using SQL string: 'SELECT * FROM users WHERE username = 'xyz' AND password = '''' -- Unclosed quotation mark before the character string '''. Line 1: Incorrect syntax near '''. Now I would have thought this would be easy to exploit, but I can't bypass the logon page. xyz is a valid username. Any ideas? Cheers __________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.362 / Virus Database: 267.13.8/184 - Release Date: 27-Nov-05
Current thread:
- Re: Simple to exploit SQL Injection ?, (continued)
- Re: Simple to exploit SQL Injection ? Eoin Keary (Nov 28)
- Re: Simple to exploit SQL Injection ? Yousef Syed (Nov 28)
- RE: Simple to exploit SQL Injection ? Rich Bergmann (Nov 28)
- Re: Simple to exploit SQL Injection ? Dean H. Saxe (Nov 29)
- RE: Simple to exploit SQL Injection ? Victor Chapela (Nov 29)
- Re: Simple to exploit SQL Injection ? bryan allott (Nov 29)
- RE: Simple to exploit SQL Injection ? Haaland, Vegar Linge (Nov 28)
- RE: Simple to exploit SQL Injection ? Pilon Mntry (Nov 29)
- RE: Simple to exploit SQL Injection ? Griffiths, Ian (Nov 28)
- RE: Simple to exploit SQL Injection ? LAROUCHE Francois (Nov 29)
- RE: Simple to exploit SQL Injection ? Matt Fisher (Nov 30)