Re: R: [Full-Disclosure] sql injection question

From: S G Masood (sgmasood_at_yahoo.com)
Date: 10/15/03

    To: full-disclosure@lists.netsys.com
    Date: Wed, 15 Oct 2003 13:19:02 -0700 (PDT)
    
    

    Hi Richard,

    A cursory glance tells me that it would be *very* easy
    to gain unauthorised access to this database. It seems
    anyone familiar with basic SQL injection can,
    probably, exploit this script.

    --
    S.G.Masood
    Hyderabad,
    India.
    --- "Manuel [ekerazha]" <ekerazha@yahoo.it> wrote:
    > Yeah... you are vulnerable to sql-injection.
    > You have to replace the single quotes with two
    > quotes in the postdata
    > received from the search form.
    > 
    > ASP Ex: Replace(Request.Querystring("SOMETHING"),
    > "'", "''")
    > 
    > Byeee ;-)
    > 
    > P.S.
    > Excuse me for my english :S
    > 
    > -----Original message-----
    > From: full-disclosure-admin@lists.netsys.com
    > [mailto:full-disclosure-admin@lists.netsys.com] On
    > behalf of Richard Stevens
    > Sent: Wednesday 15 October 2003 17.58
    > To: full-disclosure@lists.netsys.com
    > Cc: David Rees
    > Subject: [Full-Disclosure] sql injection question
    > 
    > Quick question for the list, if I may,
    > 
    > We have a third party application that we are
    > piloting for using as web
    > store front end.
    > 
    > I have no idea on programming sql at all, but have
    > read of some of the sql
    > injection techniques on this list.
    > 
    > In the search box on the app, by inserting  '
    > followed by a space, the
    > following message is generated:
    > 
    > --------------------------------------------------------------------------------
    > 
    > Technical Information (for support personnel)
    > 
    > Error Type:
    > Microsoft OLE DB Provider for ODBC Drivers
    > (0x80040E14)
    > [Microsoft][ODBC SQL Server Driver][SQL Server]Line
    > 1: Incorrect syntax near
    > ' insert into @promtable select a.ItemCode,
    > a.SysNumber, a.TechDescription,
    > a.InvoiceDescription, a.Classification,
    > a.ProductGrou'.
    > /eshop/search.asp, line 265
    > 
    > 
    > Browser Type:
    > Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 
    > 
    > Page:
    > GET
    > /eshop/search.asp?SessionId=PR10006210200315411635Q3TLJ310ELW679PQ7Y&QuickSearch=%27+
    > 
    > Time:
    > Wednesday, October 15, 2003, 4:45:30 PM 
    > 
    > 
    > 
    > 
    > Also, the password for SA is stored in clear text in
    > the site in a text
    > config file. This would not strike me as being
    > sensible.
    > 
    > These are both ringing alarm bells !
    > 
    > From this info, would you assume it would be easy
    > for someone skilled in sql
    > injection to get unauthorised access to the
    > database?.. or is it not that
    > simple?
    > 
    > The input seems to be filtered correctly on the
    > logon.asp, as entering these
    > characters has no apparent effect.
    > 
    > TIA
    > 
    > Richard
    > 
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter:
    > http://lists.netsys.com/full-disclosure-charter.html
    > 
    
