Re: R: [Full-Disclosure] sql injection question
- To: full-disclosure@lists.netsys.com
- Subject: Re: R: [Full-Disclosure] sql injection question
- From: S G Masood <sgmasood@yahoo.com>
- Date: Wed, 15 Oct 2003 13:19:02 -0700 (PDT)
Hi Richard,
A cursory glance tells me that it would be *very* easy
to gain unauthorised access to this database. It seems
anyone familiar with basic SQL injection can,
probably, exploit this script.
--- "Manuel [ekerazha]" <ekerazha@yahoo.it> wrote:
> Yeah... you are vulnerable to sql-injection.
> You have to replace the single quotes with two
> quotes in the postdata
> received from the search form.
> ASP Ex: Replace(Request.QueryString("SOMETHING"), "'", "''")
> Byeee ;-)
> P.S.
> Excuse me for my English :S
> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On
> behalf of Richard Stevens
> Sent: Wednesday, 15 October 2003 17.58
> To: full-disclosure@lists.netsys.com
> Cc: David Rees
> Subject: [Full-Disclosure] sql injection question
> Quick question for the list, if I may,
> We have a third party application that we are
> piloting for use as a web
> store front end.
> I have no idea on programming sql at all, but have
> read of some of the sql
> injection techniques on this list.
> In the search box on the app, by inserting '
> followed by a space, the
> following message is generated:
> ----
> Technical Information (for support personnel)
> Error Type:
> Microsoft OLE DB Provider for ODBC Drivers
> (0x80040E14)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Line
> 1: Incorrect syntax near
> ' insert into @promtable select a.ItemCode,
> a.SysNumber, a.TechDescription,
> a.InvoiceDescription, a.Classification,
> a.ProductGrou'.
> /eshop/search.asp, line 265
> Browser Type:
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
> Page:
> arch=%27+
> Time:
> Wednesday, October 15, 2003, 4:45:30 PM
> Also, the password for SA is stored in clear text in
> the site in a text
> config file. This would not strike me as being
> sensible.
> These are both ringing alarm bells!
> From this info, would you assume it would be easy
> for someone skilled in sql
> injection to get unauthorised access to the
> database?.. or is it not that
> simple?
> The input seems to be filtered correctly on the
> logon.asp, as entering these
> characters has no apparent effect.
> Richard
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html
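The following is an added example, not part of the original messages or of the application discussed. It reproduces the search-box failure from the thread (an apostrophe followed by a space breaking the statement) and compares the quote-doubling fix suggested above with a parameterized query. It assumes an in-memory SQLite database as a stand-in for SQL Server; the table layout, sample rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the shop's item table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (ItemCode TEXT, TechDescription TEXT)")
    db.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [("A100", "Widget"), ("A200", "Driver's kit"), ("A300", "Cable")],
    )
    return db

def search_concat(db, term):
    """Vulnerable pattern: the search term is pasted into the SQL text."""
    sql = "SELECT ItemCode FROM items WHERE TechDescription LIKE '%" + term + "%'"
    return [row[0] for row in db.execute(sql)]

def search_escaped(db, term):
    """Quote doubling as suggested in the thread: each ' becomes ''."""
    safe = term.replace("'", "''")
    sql = "SELECT ItemCode FROM items WHERE TechDescription LIKE '%" + safe + "%'"
    return [row[0] for row in db.execute(sql)]

def search_param(db, term):
    """Parameterized query: the term travels as data and is never parsed as SQL."""
    sql = "SELECT ItemCode FROM items WHERE TechDescription LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]

def concat_breaks(db, term):
    """True when the concatenated statement fails to parse for this input."""
    try:
        search_concat(db, term)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    for term in ("Cable", "' ", "Driver's"):
        print(repr(term), "concat breaks:", concat_breaks(db, term),
              "| escaped:", search_escaped(db, term),
              "| param:", search_param(db, term))
```

Quote doubling only protects values placed inside a quoted string literal and has to be remembered at every call site, whereas the parameterized form keeps the statement text fixed regardless of the input.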