Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

SQL Injection - SQL query comments

from [suntzu123] Network Security [Permanent Link]
Subject: SQL Injection - SQL query comments
Date: 17 Dec 2005 02:23:25 -0000 
Hi list,

recently we came across a client engagement related to client's web site. 
During the assessment, it turned out that a PHP search page was possibly 

vulnerable to an sql injection, given that if we feed the search field of the 
page with the following classic input "hi' or 1=1" (without quotes), it returns 
the 

SQL query of the underlying PHP page (the user input goes between the %% pair 
in the LIKE clause):


SELECT ID, NAME, CLUB_CATEGORY_ID, ADDRESS, DRINK_PRICE, AREA_ID, PHONES, 
ARTISTS FROM CLUB WHERE ACTIVE = 1 AND NAME 

LIKE '%hi' or 1=1%' AND ID >0 ORDER BY NAME

The issue is that, when I tried to feed with a statement such as "' UNION 
SELECT username FROM USERS WHERE username like '%' --" (without the 

double quotes, and focusing to get a list of user names commenting out the rest 
of the query), we ended up in the following error: 

Error during SQL execution
SELECT ID, NAME, CLUB_CATEGORY_ID, ADDRESS, DRINK_PRICE, AREA_ID, PHONES, 
ARTISTS FROM CLUB WHERE ACTIVE = 1 AND NAME 

LIKE '%' UNION SELECT username FROM USERS WHERE username like '%' --

Given that the assumption that MySQL is running behind this PHP page, we failed 
to get the usernames from the MySQL system table "users"; the 

obvious result from this output is that the comments did not work as intended.

Have you ever faced such a situation ? Reading the documentation of all major 
databases (MS SQL, Oracle, MySQL, Informix, Ingres, Postgres, etc) it 

turns out that all of these databases should implement the univeral "--" 
commenting mechanism in their SQL queries. 

What am I missing here ??

Thanks in advance for your help,

st


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Cracking WEP and WPA keys, Matthias.Vallentin
Next by Date:  Re: Proper vulnerability disclosure process ????, InfoSecBOFH
Previous by Thread:  database scanning tools, Gus Fritschie
Next by Thread:  Re: SQL Injection - SQL query comments, Thor (Hammer of God)
Indexes:  [Date] [Thread] [Top] [All Lists]