Exploiting SQL Injection

Networking/Security Forums -> Exploits // System Weaknesses

Author: Jason PostPosted: Sun Dec 01, 2002 5:22 pm    Post subject: Exploiting SQL Injection
Hi, this was taken from the following URL: http://www.security-forums.com/forum/viewtopic.php?t=602

saxo wrote:

5. Do Not Send SQL Queries Without Filtering User Input

SQL Injection is the process of exploiting a Web application, usually through a Web form, tricking it to pass malicious SQL statements to the database server. With Microsoft's SQL Server, this is often done by entering a single quote in the Web form, followed by the correctly formed SQL. For example, consider the following code to authenticate a user from a Web form:

strSQL="SELECT * FROM Customers WHERE Username = '" &Request("Username") & "' & Password = '" & strPassword & "'"

Now this code is quite typical of what you would see in a Web application. However, consider what would happen if the user entered the following:

Username: Test
Password: ' or True

When the strSQL string is built, the resulting SQL will be as follows:

strSQL="SELECT * FROM Customers WHERE Username = 'ValidUser' & Password= '' or True --'"

This statement will essentially return the ValidUser customer, regardless of what password is set for that account; the True condition will always cause the WHERE condition to match. Note that the double dash ("--") at the end of the statement acts as a comment character, ignoring the remaining characters.

To sanitize form input for sending to a database, always be sure to escape the single quote by searching and replacing it with two single quotes. This will cause the database to send the quote string as a literal character rather than interpreting it as the closing of a string. Be aware, however, that since numeric input does not require quotes, this technique will not be effective. In the case of numeric input, simply check that the form input is indeed numeric.

My question is, how do change the the statement type. Ie, if you have a select statement, how can you change this to a delete * statement on the fly?



Author: AverageJoeUserLocation: US PostPosted: Fri Dec 20, 2002 12:31 am    Post subject:
I would suggest looking around the 'net for some good papers. Off the top of my head, look to www.sqlsecurity.com and www.ngssoftware.com for some additional insight.


Author: ShaolinTigerLocation: Kuala Lumpur, Malaysia PostPosted: Fri Dec 20, 2002 1:26 am    Post subject:
I'm pretty sure I posted something about how to exploit SQL injection...but I'm buggered if I can find it.

Maybe it was on usenet..

Author: Jason PostPosted: Fri Dec 20, 2002 2:02 am    Post subject:
I think i figured this out a little while ago:


Select * from customers where name = 'joe' ; delete * from customers

Very Happy

From what i understand, the semicolon is supposed to let you "finish" the current statement and begin a new one. Not tested it.

Thanks for possting though. Will book mark the sites for future reference.


Author: AverageJoeUserLocation: US PostPosted: Fri Dec 20, 2002 6:55 pm    Post subject:
A good way to test for site vulnerability is to simply throw in a single quote (') in all user input fields. If these are feed directly into a SQL statement, it should fail (because you are appending an un-closed open quotation in the statement). This meaning that the backend DB is exposed and the front-end application is subject to exploit.

Also, user input is not limited to user input fields. Typical attack routes are URL querystring parameters, 'hidden' fields, cookies, and any other point where data from is used/expected from the client/user. Further, ASP-bound SQL can/will expose DB structure through standard ODBC error messages...so do your best to remove SQL from the presentation layer.

Anyway, those sites should offer enough information on what to look for. Good luck!


Author: Jason PostPosted: Fri Dec 20, 2002 7:05 pm    Post subject:
Cheers mate.

I got to that stage, it was just working out how to do something malicious with a select statement that i needed a bit of help with.

Thanks again.


Author: GiroLocation: England PostPosted: Sat Dec 21, 2002 12:08 am    Post subject:
http://www.nextgenss.com/research/papers.html might help?

Author: ComSec PostPosted: Sat Dec 21, 2002 12:58 am    Post subject:
here is another url link i posted ,related to SQL,you might pick some info up from here...dont know if its been up-dated yet with a few programs.


Networking/Security Forums -> Exploits // System Weaknesses

output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group