Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Nessus-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: BLIND SQL Injection Question

from [Yanyan Wang] Network Security [Permanent Link]
Subject: Re: BLIND SQL Injection Question
Date: Thu, 13 Dec 2007 10:46:21 -0500 
The two scans were done in the same day, only 30 minutes apart from each other. 

The result might be alse positive as 

   foo.cgi?email=valid+sql returns "'valid+sql' is not a valid email".

   foo.cgi?email=invalid+sql returns "'invalid+sql' is not a valid email".

returned the same value, but the page is not accessing sql in that page. On 
pages that do access sql, this method fails because they returned different 
values. I'm just perplexed why would same identical scan return two different 
reports. 

Would it have anything to do with this bug?

req = http_get(item:bogus_vrequest, port:port);
        bres = http_keepalive_send_recv(port:port, data:req);

        if (egrep(string:bres, pattern:"^HTTP/1\..*200 OK"))
        {
               exit(0);
        }

BLIND SQL injection seems to associate with high false positive in other tools 
as well, so I was wondering if it has anything to do with the theory, maybe 
there are flaws in the theory? Or maybe we haven't implemented a functional 
program for it? Thank you.

YanYan



"George A. Theall" <theall@tenablesecurity.com> 12/13/2007 7:04 AM >>>

It was done in Sept. :( I just got the feedback from the audit.


And the second scan after October 27th? If so, that probably explains it.


I've come to realization that the script is prone to false positive,
but does the theory still work? Thank you.


Given the false-positives it was producing, apparently it doesn't.

The approach used was to send the blind query using valid SQL attached 
to a parameter; provided that resulted in the same headers as sending a 
valid query, the plugin next sends invalid SQL attached to the parameter 
and issues a report if the response is different. If the script returns 
the parameter in some fashion, this could result in a false-positive; eg,

   foo.cgi?email=valid+sql returns "'valid+sql' is not a valid email".

   foo.cgi?email=invalid+sql returns "'invalid+sql' is not a valid email".

If the sysadmin were more cooperative, you could try using the URL(s) 
reported in the first scan and seeing what sort of database queries they 
result in.

George
-- 
theall@tenablesecurity.com

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Web Front for Nessus, Eric Appelboom
Next by Date:  XSL for ".nessus" format, Mike . Vasquez
Previous by Thread:  Re: BLIND SQL Injection Question, George A. Theall
Next by Thread:  Re: BLIND SQL Injection Question, George A. Theall
Indexes:  [Date] [Thread] [Top] [All Lists]