
Re: SQL Injection Basics

From: davy van de moere <davy(at)securax.be>
Date: Sun Feb 09 2003 - 11:44:38 EST

I think you might be missing some basics here...

Am I right that you assume you can access the table test by using test.asp? If so, you're missing the point, but hey, we all need to learn...

The only thing you can do when performing SQL injections, is manipulating SQL queries, which can be stored in variables. Which means, if you can expect a certain .asp file to make connections towards the database, you could try a thing or two...

Let's say there's something like login.asp. Then you might assume that, for the variables in the HTML used for the username and password (we assume there is some kind of form used to pass these to the code), there could be a query like: "select * from db.users where name='$name' and password='$pass'"

If the database responds with 1, access could be granted, e.g.

What you could do then, to pass this authentication stage, would be to make the variable $pass to => ' or 1=1 ; which would give a query like:

"select * from db.users where name='blah' and password='blah' or 1=1"

The database will focus on the 1=1, and will return a 1.

Other typical things are adding a user, for example; in this case you make the variable $pass => '; insert into db.users name, password values ('myname','mypass');

which would insert your own account in the database. Now, there is one drawback to SQL injections: most developers have some brains left and do strip quotes out of forms. You could get lucky using Unicode representations; however, I'm not sure of that...

The best way to test these applications is indeed having access to the database and monitoring the queries being passed.

Hope I helped you out a bit, and good luck...

On Sun, 2003-02-09 at 02:21, raul.johhut@hushmail.com wrote:
> I am pen testing a webapp and am having some problems with SQL injection.

-- 
davy van de moere 
Securax bvba
Received on Sun Feb 9 11:24:40 2003
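The login query sketched in the post above, as an added example that is not part of the thread: a Python/sqlite3 stand-in for the ASP page, with the string-concatenated query beside its parameterised form. The users table, the row in it and the test input are constructed here; the input is the post's `' or 1=1` with the trailing quote balanced so the statement parses.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the thread's db.users.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, password text)")
    conn.execute("insert into users values ('alice', 's3cret')")
    return conn


def build_query(name, password):
    # String concatenation exactly as the post sketches: $name and $pass
    # are dropped straight into the SQL text, so quotes in them become syntax.
    return ("select * from users where name='%s' and password='%s'"
            % (name, password))


def vulnerable_login(conn, name, password):
    # "Access granted" if the concatenated query returns at least one row.
    rows = conn.execute(build_query(name, password)).fetchall()
    return len(rows) > 0


def safe_login(conn, name, password):
    # Parameterised query: the driver sends the values separately from the
    # SQL text, so "' or 1=1" is compared literally against the password column.
    rows = conn.execute(
        "select * from users where name=? and password=?",
        (name, password),
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    conn = make_db()
    bypass = "' or 1=1 or '"  # constructed: the post's "' or 1=1", quote-balanced
    print(build_query("blah", bypass))
    print("concatenated query grants access:", vulnerable_login(conn, "blah", bypass))
    print("parameterised query grants access:", safe_login(conn, "blah", bypass))
```

The concatenated form returns every row because the `or 1=1` is true for all of them, which is exactly the behaviour the post describes; the parameterised form matches nobody.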

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:48 EDT
