Nick,
It really doesn't matter if the developer used tick marks or not, just
if you can inject something the developer didn't plan for into the SQL
string. If an extra tick (and many other character combinations) gets
injected anywhere in the string you will have SQL Injection issues.
If the developer does not parse for unexpected strings there are
probably issues, regardless of what the SQL statement looks like.
Have a great day,
Dennis Hurst
dhurst@spidynamics.com
SPI Labs
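An added example (not from the thread, and written in Python with sqlite3 rather than the ASP/VBScript the thread discusses) that shows Dennis's point: a numeric lookup written with no tick marks at all still hands the request value to the SQL parser, while a validated, parameterised version treats it as data. The `users` table, the `lookup_*` functions and the `probe` helper are constructed for this illustration.

```python
import sqlite3

# Constructed in-memory table standing in for the thread's "test.asp?userid=" lookup.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def lookup_unsafe(conn, userid):
    """Numeric column, so the developer wrote no tick marks; the request
    parameter is nevertheless spliced straight into the statement text."""
    sql = "SELECT name FROM users WHERE userid = " + userid
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, userid):
    """Same query with the value validated first and then bound as a parameter,
    so whatever the client sends can never change the statement's structure."""
    if not userid.isdigit():
        raise ValueError("userid must be a non-negative integer")
    sql = "SELECT name FROM users WHERE userid = ?"
    return [row[0] for row in conn.execute(sql, (int(userid),))]

def probe(lookup, userid):
    """Summarise what one request value did: rows returned, rejected before it
    reached the database, or handed to the SQL parser (the red flag a tester
    or a log reviewer looks for)."""
    conn = make_db()
    try:
        return ("rows", lookup(conn, userid))
    except ValueError:
        return ("rejected_by_validation", None)
    except sqlite3.OperationalError as e:
        # Only the unsafe path can get here: the input became part of the SQL.
        return ("reached_sql_parser", str(e))

if __name__ == "__main__":
    for value in ("1", "sfdsd"):
        print(value, "unsafe ->", probe(lookup_unsafe, value))
        print(value, "safe   ->", probe(lookup_safe, value))
```

The database error on the unsafe path for the non-numeric value `sfdsd` (the value from the thread) is exactly the symptom that tells a tester or a defender that user input is being parsed as SQL, tick marks or not.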
-----Original Message-----
From: Nick Jacobsen [mailto:nick@ethicsdesign.com]
Sent: Monday, February 10, 2003 4:38 PM
To: dhurst@spidynamics.com; webappsec@securityfocus.com
Subject: Re: SQL Injection Basics
Right, I wasn't thinking too well... makes sense. Though, according to
quite a few SQL injection FAQs I have read, it said that you could only
inject code if the developer used tick marks. However, I just recently used
SQL injection on some code where the developer used NO tick marks, but
injection still worked if the injection string contained TWO tick marks.
Was this just a fluke, or is it something that the FAQs had wrong?
Nick J.
nick@ethicsdesign.com
----- Original Message -----
From: "Dennis Hurst" <dhurst@spidynamics.com>
To: "'Nick Jacobsen'" <nick@ethicsdesign.com>
Cc: <webappsec@securityfocus.com>
Sent: Monday, February 10, 2003 8:59 AM
Subject: RE: SQL Injection Basics
> Nick,
> (ASP
> pages). Here's the deal, the ' only acts as a comment if it's in the
> with
> something that acts like this:
> VBScript
> the
> " ' " mark is a comment mark, and therefore never used in SQL
> server
> > and executing a malicious query instead of what was expected by
> > the
> > developer. Depending on the remote server (Oracle, Microsoft SQL,
> > ?
> > >
> > > If I use www.victim/test.asp?userid=sfdsd
> > > that's
> the
> English translation equiv in my case).
> is
> the
> syntax I should use ?
> closed
> source commercial btw). Am I right in saying that the SQL plugin has
> to
> connect directly to the database to work ? I can only see port 80 so
Received on Mon Feb 10 17:33:15 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:48 EDT