RE: How to evade white spaces in a SQL injection

From: Jeff Bryner (jeff_at_jeffbryner.com)
Date: 03/30/04

    To: "Falcifer" <falcifer2001@yahoo.es>
    Date: Mon, 29 Mar 2004 22:08:43 -0800
    
    

    Tough to give more without specifics but
    you could aim for a query like:

    select * from users where useid=useid+1
    or
    select * from users where useid=''+1

    The 2nd one is more likely since they're probably adding the ' character to
    whatever you enter.
    So you'd enter '+1-- as the username. The first ' ends the ' they add, the
    +1 tells sql to add 1 to a character field, which it can't do, the --
    comments out the remainder of the query so it doesn't get parsed. SQL will
    then return an error telling you it can't convert some valid username to an
    int to complete your request for adding 1 to the username.

    For example in sql try the following queries and see the return:
    select *
    from sysusers
    where
    user=user+1

    select *
    from sysusers
    where
    user=''+1

    You'll get a message telling you that it can't convert some username to int.
    This will tell you a valid username, then you go for a password..then you're
    in!

    Jeff.

    -----Original Message-----
    From: Falcifer [mailto:falcifer2001@yahoo.es]
    Sent: Thursday, March 25, 2004 4:35 PM
    To: jeff@jeffbryner.com
    Cc: pen-test@securityfocus.com
    Subject: Re: How to evade white spaces in a SQL injection

    Sorry, but I don't understand it.

    Can you explain it a bit more?

    Suppose that the original query is:
    select * from users where useid=&my_user_without_spaces and
    password=&password

    where &my_user_without_spaces and &password are the inputs submitted
    by the webform, but both vars without spaces;

    Thanks

    On Thu, 25-03-2004 at 18:13, Jeff Bryner wrote:
    > --- Falcifer <falcifer2001@yahoo.es> wrote:
    > > Hi,
    > >
    > > I've one application coded on ASP with a login form and the only
    > > character that it validates is the white space.
    > >
    > > Can I perform a SQL injection on it? How?
    >
    > SQL is nice enough to do some automatic parsing for you..so
    >
    > select''+@@version
    >
    > will work. Of course if the validation is client side, just bypass it.
    >
    >
    >
    > =====
    > Jeff
    > -----------------------
    > You... you can't dump me! I'm using your name for all my passwords! What
    > exactly am I supposed to do about that!?
    >
    > - Justin Simoni
    >
    > __________________________________
    > Do you Yahoo!?
    > Yahoo! Finance Tax Center - File online. File on time.
    > http://taxes.yahoo.com/filing.html

    ---------------------------------------------------------------------------
    You're a pen tester, but is google.com still your R&D team?
    Now you can get trustworthy commercial-grade exploits and the latest
    techniques from a world-class research group.
    www.coresecurity.com/promos/sf_ept1
    ----------------------------------------------------------------------------

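    Added example, not part of the thread: a Python/sqlite3 model of the login form
    discussed above, showing that a whitespace-only check leaves the '+1-- input
    untouched when it is concatenated into the query, while a parameterized query
    treats the same input as plain data. The table layout, sample rows and function
    names are constructed; sqlite3 stands in for the ASP/SQL Server stack (the
    ''+1 conversion-error trick itself is SQL Server behaviour and is not modelled).

```python
import sqlite3

# Constructed sample users, not from the original post.
ROWS = [("alice", "s3cret"), ("bob", "hunter2")]


def strip_whitespace(value: str) -> str:
    """The only validation the poster's form performs: drop whitespace."""
    return "".join(ch for ch in value if not ch.isspace())


def build_query_unsafe(user: str, password: str) -> str:
    """Builds SQL text by concatenation, as the thread assumes the ASP page does.

    The whitespace filter runs, but quote, plus and comment characters survive,
    so the returned string is exactly the mangled query Jeff describes.
    """
    return ("select * from users where useid='" + strip_whitespace(user)
            + "' and password='" + strip_whitespace(password) + "'")


def payload_survives_filter(value: str) -> bool:
    """Detection check: does the filter change this input at all?"""
    return strip_whitespace(value) == value


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users(useid text, password text)")
    conn.executemany("insert into users values(?, ?)", ROWS)
    return conn


def lookup_parameterized(conn: sqlite3.Connection, user: str, password: str) -> list:
    """Hardened form: values are bound by the driver, never spliced into SQL."""
    cur = conn.execute(
        "select useid from users where useid=? and password=?",
        (strip_whitespace(user), strip_whitespace(password)),
    )
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    print(build_query_unsafe("'+1--", "x"))           # filter did nothing useful
    print(lookup_parameterized(make_db(), "'+1--", "x"))  # [] : treated as data
```

    The mitigation the example demonstrates is parameterization; character
    blacklists such as the space check cannot be made complete.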


