WebApp Sec mailing list archives
RE: ODBC Injection
From: "Brett Moore" <brett.moore () security-assessment com>
Date: Thu, 1 Dec 2005 09:23:17 +1300
Hey..
> ODBC driver does not support the requested properties.
The script is trying to work with an unpopulated recordset.
The code would look, in theory, similar to:
----------------------------------------
Set Conn = Server.CreateObject("ADODB.Connection")
Set Rs = Server.CreateObject("ADODB.Recordset")
Conn.Open dsn
' Request value concatenated straight into the SQL text: this is the injection point
SQL = "SELECT foo FROM blah WHERE something=" & Request("sIdProduct")
' If the query fails Rs stays closed; if it matches no row Rs is open but at EOF
Rs.Open SQL, Conn
' Field read without checking Rs.State or Rs.EOF first
Response.Write Rs("foo")
----------------------------------------
As the returned recordset is not checked, the 'response.write' is attempting
to work on an empty recordset.
Brett Moore
Network Intrusion Specialist, CTO
Security-Assessment.com
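The same lookup with both problems fixed, as an added example that is not part of Brett's reply or John's application: the product id is validated and bound as a parameter instead of being concatenated into the SQL text, and the recordset is checked before a field is read. Table and column names (Products, idProduct) are taken from the error in John's post; the dsn variable, the "name" column, and the HTTP status handling are assumptions for illustration.

```vbscript
' Added example, not from the original thread. Assumes classic ASP with ADO and
' a dsn variable defined elsewhere in the page; the "name" column is assumed.
Option Explicit

Dim conn, cmd, rs, idProduct

' 1. Validate: sIdProduct is a numeric product id, so reject anything else up front.
'    This alone stops "test", "1 OR 1=1" and friends from reaching the query.
idProduct = Request.QueryString("sIdProduct")
If Not IsNumeric(idProduct) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid product id"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open dsn

' 2. Parameterise: the value is sent as data bound to the ? marker, never as part
'    of the SQL text, so it cannot change the shape of the statement.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT * FROM Products WHERE idProduct = ?"
cmd.CommandType = 1   ' adCmdText
' CreateParameter(Name, Type, Direction, Size, Value): 3 = adInteger, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("idProduct", 3, 1, , CLng(idProduct))

Set rs = cmd.Execute

' 3. Check the recordset before reading from it. A failed Open leaves the recordset
'    closed (the "Operation is not allowed when the object is closed" error in the
'    post); a valid id with no matching row leaves it open but at EOF, and reading a
'    field then raises "Either BOF or EOF is True" instead of serving a page.
If rs.State = 1 And Not rs.EOF Then   ' 1 = adStateOpen
    Response.Write Server.HTMLEncode(rs("name"))
Else
    Response.Status = "404 Not Found"
    Response.Write "No such product"
End If

If rs.State = 1 Then rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
```

IsNumeric accepts forms such as "1e3" that CLng will still convert, and CLng raises an overflow error for values outside the 32-bit range, so a stricter check (for example a regular expression allowing only digits) is worth adding if the id range is known. The parameter binding is the fix for the injection itself; the validation and the State/EOF check are what keep the page from leaking ADO error text to the client when the input or the lookup is wrong.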
-----Original Message-----
From: John Cobb [mailto:johnc () nobytes com]
Sent: Thursday, 1 December 2005 12:39 a.m.
To: webappsec () securityfocus com
Subject: ODBC Injection
Hello All,
I'm testing an ecommerce app on IIS6 with an M$ Access Database and I have
found some injection:
http://test.com/test.asp?sIdProduct=1
I get the following error when I insert alpha characters rather than
numbers.
I cannot manipulate this much, does anybody have any suggestions?
Eg:
http://test.com/test.asp?sIdProduct=test
Database operations error:
ODBC driver does not support the requested properties.
SELECT * FROM Products WHERE idProduct = test
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/test.asp, line 135
Thanks
John Cobb
www.nobytes.com
Current thread:
- ODBC Injection John Cobb (Nov 30)
- Re: ODBC Injection John Bond (Nov 30)
- RE: ODBC Injection DAN MORRILL (Nov 30)
- RE: ODBC Injection Brett Moore (Nov 30)
- Re: ODBC Injection Maxime Ducharme (Nov 30)
- <Possible follow-ups>
- RE: ODBC Injection Lepore, Brian (Nov 30)
- RE: ODBC Injection LAROUCHE Francois (Dec 01)
- RE: ODBC Injection Auri Rahimzadeh (Dec 01)
