WebApp Sec mailing list archives
RE: ODBC Injection
From: "Auri Rahimzadeh" <auri () auri net>
Date: Thu, 1 Dec 2005 07:44:33 -0500
(my original email never made it, so I'm resending in plaintext jic)
Operation is not allowed when the object is closed.
What does your code look like (not all of it - just the connection and command execution pieces, about 3-5 lines total probably)? It should be throwing a different error, of course, if your connection is actually open and ADO is processing bad SQL - but your error looks like it is saying the connection is closed.

This FAQ may help you regarding that error: http://www.aspfaq.com/show.asp?id=2307

To quote:

--- BEGIN QUOTE

Error: The operation requested by the application is not allowed if the object is closed.

This error can be caused when you try to access values from an empty recordset or from a recordset that has already been closed. The most common cause, however, seems to stem from calling a stored procedure that does not use SET NOCOUNT ON. See Article #2275 for more info.

A nearly identical, but far less common message:

ADODB.Recordset error '800a0e79'
Operation is not allowed when the object is open.
/<file>.asp, line <line>

This can be caused by trying to set a property that needs to be set before the object is opened. For example, trying to set the MaxRecords property of an ADODB.Recordset object after opening the recordset:

<%
    set rs = CreateObject("ADODB.Recordset")
    rs.open "SELECT columns FROM tablename",conn
    rs.maxRecords = 5
%>

To fix, the code should be:

<%
    set rs = CreateObject("ADODB.Recordset")
    rs.maxRecords = 5
    rs.open "SELECT columns FROM tablename",conn
%>

You might also get 800a0e78 errors from the provider, without much more useful information. If this happens when attempting to connect to the database, please review Article #2126 and compare your connection string to the recommended formats listed.

-- END QUOTE

Best,

Auri Rahimzadeh
Author, Geek My Ride
Author, Hacking the PSP
Co-Author, Hacking Digital Cameras

-----Original Message-----
From: John Cobb [mailto:johnc () nobytes com]
Sent: Wednesday, November 30, 2005 6:39 AM
To: webappsec () securityfocus com
Subject: ODBC Injection

Hello All,

I'm testing an ecommerce app on IIS6 with an M$ Access Database and I have found some injection:

http://test.com/test.asp?sIdProduct=1

I get the following error when I insert alpha characters rather than numbers. I cannot manipulate this much, does anybody have any suggestions?

Eg: http://test.com/test.asp?sIdProduct=test

Database operations error: ODBC driver does not support the requested properties.
SELECT * FROM Products WHERE idProduct = test

ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/test.asp, line 135

Thanks

John Cobb
www.nobytes.com
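An added example, not part of the original messages or the quoted FAQ: the error output above shows the sIdProduct value reaching the SELECT text unchanged and the statement being echoed to the browser, so this classic ASP sketch shows the defensive counterpart, with the id validated, bound as a typed ADO parameter, and the recordset state checked before use. The DSN name, the Long Integer column type and the response messages are assumptions.

```vbscript
<%
Option Explicit
' Added example. Assumptions: the DSN name is a placeholder and
' Products.idProduct is a Long Integer column.
Const adInteger = 3
Const adParamInput = 1
Const adStateClosed = 0

' Return the id as a Long, or -1 unless the input is 1 to 9 decimal digits.
Function ParseProductId(raw)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    ParseProductId = -1
    If re.Test(raw) Then ParseProductId = CLng(raw)
End Function

' Send a generic status and message; never echo the SQL text or driver error.
Sub Fail(status, message)
    Response.Status = status
    Response.Write message
    Response.End
End Sub

Dim id, conn, cmd, rs
id = ParseProductId(Request.QueryString("sIdProduct") & "")
If id < 0 Then Fail "400 Bad Request", "Invalid product id."

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DSN=PLACEHOLDER_DSN"

' The value is bound as a typed parameter, not concatenated into the SQL.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT * FROM Products WHERE idProduct = ?"
cmd.Parameters.Append cmd.CreateParameter("idProduct", adInteger, adParamInput, , id)

On Error Resume Next
Set rs = cmd.Execute
If Err.Number <> 0 Then Fail "500 Internal Server Error", "Unable to load product."
On Error GoTo 0

' Touching a closed recordset is what raises 800a0e78, so check State first.
If rs.State = adStateClosed Then Fail "500 Internal Server Error", "Unable to load product."
If rs.EOF Then Fail "404 Not Found", "No such product."
Response.Write Server.HTMLEncode(rs("idProduct") & "")
rs.Close
conn.Close
%>
```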
Current thread:
- ODBC Injection John Cobb (Nov 30)
- Re: ODBC Injection John Bond (Nov 30)
- RE: ODBC Injection DAN MORRILL (Nov 30)
- RE: ODBC Injection Brett Moore (Nov 30)
- Re: ODBC Injection Maxime Ducharme (Nov 30)
- <Possible follow-ups>
- RE: ODBC Injection Lepore, Brian (Nov 30)
- RE: ODBC Injection LAROUCHE Francois (Dec 01)
- RE: ODBC Injection Auri Rahimzadeh (Dec 01)