WebApp Sec mailing list archives

RE: ODBC Injection

From: "Auri Rahimzadeh" <auri () auri net>
Date: Thu, 1 Dec 2005 07:44:33 -0500

(my original email never made it, so Im resending in plaintext jic)

Operation is not allowed when the object is closed.


What does your code look like (not all of it - just the connection and
command execution pieces, about 3-5 lines total probably)? It should be
throwing a different error, of course, if your connection is actually open
and ADO is processing bad SQL - but your error looks like it is saying the
connection is closed.

This FAQ may help you regarding that error:

http://www.aspfaq.com/show.asp?id=2307

To quote:

--- BEGIN QUOTE
 
Error: The operation requested by the application is not allowed if the
object is closed.
 
This error can be caused when you try to access values from an empty
recordset or from a recordset that has already been closed. The most common
cause, however, seems to stem from calling a stored procedure that does not
use SET NOCOUNT ON. See Article #2275 for more info. 
 
A nearly identical, but far less common message: 
 
ADODB.Recordset error '800a0e79'  
Operation is not allowed when the object is open. 
/<file>.asp, line <line>
 
This can be caused by trying to set a property that needs to be set before
the object is opened. For example, trying to set the MaxRecords property of
an ADODB.Recordset object after opening the recordset: 
 
<% 
    set rs = CreateObject("ADODB.Recordset") 
    rs.open "SELECT columns FROM tablename",conn 
    rs.maxRecords = 5 
%>
 
To fix, the code should be: 
 
<% 
    set rs = CreateObject("ADODB.Recordset") 
    rs.maxRecords = 5 
    rs.open "SELECT columns FROM tablename",conn 
%>
 
You might also get 800a0e78 errors from the provider, without much more
useful information. If this happens when attempting to connect to the
database, please review Article #2126 and compare your connection string to
the recommended formats listed.

-- END QUOTE


Best,

Auri Rahimzadeh
Author, Geek My Ride
Author, Hacking the PSP
Co-Author, Hacking Digital Cameras

-----Original Message-----
From: John Cobb [mailto:johnc () nobytes com] 
Sent: Wednesday, November 30, 2005 6:39 AM
To: webappsec () securityfocus com
Subject: ODBC Injection

Hello All,

I'm testing an ecommerce app on IIS6 with an M$ Access Database and I have
found some injection:

http://test.com/test.asp?sIdProduct=1

I get the following error when I insert alpha characters rather than
numbers.
I cannot manipulate this much, does anybody have any suggestions?

Eg:

http://test.com/test.asp?sIdProduct=test


Database operations error:

ODBC driver does not support the requested properties.

SELECT * FROM Products WHERE idProduct = test

ADODB.Recordset error '800a0e78'

Operation is not allowed when the object is closed.

/test.asp, line 135

Thanks

John Cobb
www.nobytes.com

Current thread:

ODBC Injection John Cobb (Nov 30)
- Re: ODBC Injection John Bond (Nov 30)
- RE: ODBC Injection DAN MORRILL (Nov 30)
- RE: ODBC Injection Brett Moore (Nov 30)
- Re: ODBC Injection Maxime Ducharme (Nov 30)
- <Possible follow-ups>
- RE: ODBC Injection Lepore, Brian (Nov 30)
- RE: ODBC Injection LAROUCHE Francois (Dec 01)
- RE: ODBC Injection Auri Rahimzadeh (Dec 01)