Re: SQL Injection

From: Kevin Spett (kspett@spidynamics.com)
Date: 02/24/02


From: "Kevin Spett" <kspett@spidynamics.com>
To: "Alex Harasic" <aharasic@terra.cl>, <pen-test@securityfocus.com>
Date: Sat, 23 Feb 2002 18:13:21 -0800


    Your input isn't going to a database server, it's being used in a
VBScript statement in the .asp script. The VBScript code is probably doing
some sort of calculation and freaked out when it tried to do it with
non-numeric data. So SQL injection probably won't be possible with that
parameter. If they're not sanitizing input on that script though, they're
probably not doing a great job in other places either. Keep on trying other
parts of the web application.

    Kevin.
    kspett@spidynamics.com

----- Original Message -----
From: "Alex Harasic" <aharasic@terra.cl>
To: <pen-test@securityfocus.com>
Sent: Wednesday, February 20, 2002 7:54 AM
Subject: SQL Injection

>
>
>
> Hi, I was trying SQL Injection things and I ran into the
> following problem:
>
> http://www.targethost.com/test.asp?pm=')
>
> And I get the following results:
>
> Microsoft VBScript runtime error '800a000d'
>
> Type mismatch: '[string: "'"]'
>
> D:\WEBROOT\..\..\include\ConstantesDNAfs.inc, line 53
>
>
>
> Ok. Besides the Path Disclosure problem, I'm trying
> to build a SQL Query but it seems the server won't
> let me pass quotes ( ' ) to it.
>
> If instead of sending ') as a parameter I just put a ', it
> brings me back to the start page.
>
> Is there any way to bypass this type mismatch
> thing? I could make SQL queries work with other .asp
> but not this one..
>
>
> Alex S. Harasic
> aharasic@terra.cl
>
> --------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert
> (SIA) Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
> see: https://alerts.securityfocus.com/
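The distinction Kevin draws above (the quote broke the script, not a query) can be read straight off the error page. The following is an added example by the technical editor, not code from either poster: it classifies a classic-ASP error response by the component that raised it and pulls out the disclosed path and line. The HRESULT facility mapping (0x800Axxxx for the VBScript/JScript runtime, 0x80040Exx for the OLE DB/ODBC provider) and the per-code descriptions are assumptions from the editor's experience with IIS/ASP stacks, not something the thread states. SAMPLE_SCRIPT is the error text Alex quoted; SAMPLE_DB and SAMPLE_OK are constructed for illustration.

```python
import re

# Added example (technical editor's, not code from either poster). It triages
# a classic-ASP error page the way Kevin's reply does by hand: a VBScript
# runtime error means the input blew up in the script before any query was
# built; a data-provider error means the input reached the database layer.
# The HRESULT mapping below is an assumption drawn from the editor's own
# experience with IIS/ASP stacks, not something stated in the thread.

ERR_RE = re.compile(r"(?P<source>Microsoft [^\n']+?) error '(?P<code>[0-9A-Fa-f]{8})'")
LOC_RE = re.compile(r"^(?P<path>(?:[A-Za-z]:\\|/)\S+?), line (?P<line>\d+)", re.M)

# Known codes (assumed from experience). 0x800Axxxx = script engine,
# 0x80040Exx = OLE DB / ODBC provider.
KNOWN_CODES = {
    "800a000d": "Type mismatch: the parameter was used in a numeric/date operation in the script",
    "800a0005": "Invalid procedure call or argument inside the script",
    "80040e14": "SQL syntax error: the parameter is concatenated into query text",
    "80040e07": "Type conversion error raised by the database, not the script",
    "80040e10": "Query references a column or parameter the database does not know",
}


def layer_for(code):
    """Map an 8-hex-digit HRESULT to the component that raised it."""
    code = code.lower()
    if code.startswith("800a"):
        return "script"      # VBScript/JScript runtime: never reached a database
    if code.startswith("80040e"):
        return "database"    # OLE DB / ODBC provider: the query was issued
    return "unknown"


def triage(body):
    """Return a dict describing where an ASP error page says the failure happened."""
    m = ERR_RE.search(body)
    if m is None:
        return {"layer": "none", "code": None, "source": None,
                "path": None, "line": None, "detail": "no ASP error signature found"}
    code = m.group("code").lower()
    loc = LOC_RE.search(body)   # path disclosure, if the server printed one
    return {
        "layer": layer_for(code),
        "code": code,
        "source": m.group("source"),
        "path": loc.group("path") if loc else None,
        "line": int(loc.group("line")) if loc else None,
        "detail": KNOWN_CODES.get(code, "unrecognised code; check the source string"),
    }


# Sample responses. SAMPLE_SCRIPT is the error text Alex quoted; SAMPLE_DB and
# SAMPLE_OK are constructed here to show the other two outcomes.
SAMPLE_SCRIPT = r"""Microsoft VBScript runtime error '800a000d'

Type mismatch: '[string: "'"]'

D:\WEBROOT\..\..\include\ConstantesDNAfs.inc, line 53
"""

SAMPLE_DB = r"""Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.

/test.asp, line 12
"""

SAMPLE_OK = "<html><body>Welcome to the start page</body></html>"

if __name__ == "__main__":
    for name, body in (("script", SAMPLE_SCRIPT), ("db", SAMPLE_DB), ("ok", SAMPLE_OK)):
        r = triage(body)
        print(f"{name:6} layer={r['layer']:8} code={r['code']} file={r['path']} line={r['line']}")
        print(f"       {r['detail']}")
```

Run against Alex's response the verdict is "script", which is the whole of Kevin's point: the quote never reached a query, so the test with that parameter says nothing about the database. The path and line fields capture the path-disclosure issue Alex notes in passing; a "database" verdict on some other parameter is the one worth following up.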



