Message-ID: <20031015201902.22329.qmail@web11002.mail.yahoo.com>
From: sgmasood at yahoo.com (S G Masood)
Subject: R: sql injection question

Hi Richard,

A cursory glance tells me that it would be *very* easy
to gain unauthorised access to this database. It seems
anyone familiar with basic SQL injection can,
probably, exploit this script.

--
S.G.Masood
Hyderabad,
India.



--- "Manuel [ekerazha]" <ekerazha@...oo.it> wrote:
> Yeah... you are vulnerable to sql-injection.
> You have to replace the single quotes with two
> quotes in the postdata
> received from the search form.
> 
> ASP Ex: Replace(Request.Querystring("SOMETHING"), "'", "''")
> 
> Byeee ;-)
> 
> P.S.
> Excuse me for my English :S
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On
> behalf of Richard Stevens
> Sent: Wednesday, 15 October 2003 17:58
> To: full-disclosure@...ts.netsys.com
> Cc: David Rees
> Subject: [Full-Disclosure] sql injection question
> 
> Quick question for the list, if I may,
> 
> We have a third party application that we are
> piloting for use as a web
> store front end.
> 
> I have no idea on programming sql at all, but have
> read of some of the sql
> injection techniques on this list.
> 
> In the search box on the app, by inserting  '
> followed by a space, the
> following message is generated:
> 
> --------------------------------------------------------------------------------
> 
> Technical Information (for support personnel)
> 
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers
> (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Line
> 1: Incorrect syntax near
> ' insert into @promtable select a.ItemCode,
> a.SysNumber, a.TechDescription,
> a.InvoiceDescription, a.Classification,
> a.ProductGrou'.
> /eshop/search.asp, line 265
> 
> 
> Browser Type:
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 
> 
> Page:
> GET
> /eshop/search.asp?SessionId=PR10006210200315411635Q3TLJ310ELW679PQ7Y&QuickSearch=%27+
> 
> Time:
> Wednesday, October 15, 2003, 4:45:30 PM 
> 
> 
> 
> 
> Also, the password for SA is stored in clear text in
> the site in a text
> config file. This would not strike me as being
> sensible.
> 
> These are both ringing alarm bells !
> 
> From this info, would you assume it would be easy
> for someone skilled in sql
> injection to get unauthorised access to the
> database?.. or is it not that
> simple?
> 
> The input seems to be filtered correctly on the
> logon.asp, as entering these
> characters has no apparent effect.
> 
> TIA
> 
> Richard
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html
> 
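
Added example, not part of the original thread and not the vendor's code: the search pattern discussed above, shown three ways so the error in the report, the quote-doubling advice and a bound parameter can be compared on the same input. SQLite stands in for SQL Server, and the table, rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the shop catalogue (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (ItemCode TEXT, TechDescription TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [("A100", "10' patch cable"), ("B200", "rack shelf")])
    return db

def search_concat(db, term):
    """Raw input pasted into the statement: the pattern behind the error page."""
    sql = "SELECT ItemCode FROM items WHERE TechDescription LIKE '%" + term + "%'"
    return [r[0] for r in db.execute(sql)]

def search_doubled(db, term):
    """The reply's Replace(): double each single quote before concatenating."""
    safe = term.replace("'", "''")
    sql = "SELECT ItemCode FROM items WHERE TechDescription LIKE '%" + safe + "%'"
    return [r[0] for r in db.execute(sql)]

def search_bound(db, term):
    """Bound parameter: the input never becomes part of the SQL text."""
    sql = "SELECT ItemCode FROM items WHERE TechDescription LIKE '%' || ? || '%'"
    return [r[0] for r in db.execute(sql, (term,))]

def probe(term):
    """Run one search term through all three variants and report each outcome."""
    db = make_db()
    out = {}
    for name, fn in (("concat", search_concat),
                     ("doubled", search_doubled),
                     ("bound", search_bound)):
        try:
            out[name] = fn(db, term)
        except sqlite3.OperationalError as exc:
            out[name] = "SQL error: %s" % exc
    return out

if __name__ == "__main__":
    for term in ("' ", "10'", "shelf"):   # "' " is the input from the report
        print(repr(term), probe(term))
```

Quote doubling only protects a value that ends up inside a quoted string literal, and only if every call site remembers it; a bound parameter (in classic ASP, an ADODB.Command with Parameters) does not depend on either.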

