RE: SQL injection (no single quotes used)

> Thanks and sorry for sending a not so tested POC to
> all of you.

Don't be... I often use the CR/LF pairs to bypass filters
in SQL (against MS SQL). %0a%0d can sometimes work, but it
is better to send the 'raw' bytes as a post. Using a
textarea field works great for this.

The GO statement, (from memory and what ppl are saying)
will not work. But this method can be used to bypass
filters that remove spaces.

select
something
from
somewhere

is a valid statement.

Also to bypass filters that look explicitly for strings,
which is always a bad idea.
For example if a filter looked for
"select ","update " or any term with a space after it.
Things like "exec master" etc, can also be bypassed.

Brett Moore
Network Intrusion Specialist, CTO
Security-Assessment.com

-----Original Message-----
From: Juan Carlos [mailto:johnccr@yahoo.com]
Sent: Thursday, 16 December 2004 5:50 a.m.
To: Olivier G. Gaumond
Cc: webappsec@securityfocus.com
Subject: Re: SQL injection (no single quotes used)


on my!

you are right, this won't work with ADO for example,
my bad :(

Thanks and sorry for sending a not so tested POC to
all of you.

-JC

 --- "Olivier G. Gaumond" <olig@monimap.com> escribió:

> Juan Carlos Calderon wrote:
> > Here the MS Documentation for GO Keyword:
> > <snip>
> > SQL Server utilities interpret GO as a signal that
> > they should send the current batch of Transact-SQL
> > statements to SQL Server. The current batch of
> > statements is composed of all statements entered
> since
> > the last GO, or since the start of the ad hoc
> session
> > or script if this is the first GO
> > </snip>
>
> This may work in SQL Server utilities such as Query
> Analyzer, but the GO
> keyword is not part of the T-SQL language, so this
> would not work in a
> query sent by ADO.  At least it doesn't work with
> the ADO.NET SqlClient
> provider.
>
> Olivier

> ATTACHMENT part 2 application/x-pkcs7-signature
name=smime.p7s


_________________________________________________________
Do You Yahoo!?
Información de Estados Unidos y América Latina, en Yahoo! Noticias.
Visítanos en http://noticias.espanol.yahoo.com


######################################################################
CONFIDENTIALITY NOTICE: 

This message and any attachment(s) are confidential and proprietary. 
They may also be privileged or otherwise protected from disclosure. If 
you are not the intended recipient, advise the sender and delete this 
message and any attachment from your system. If you are not the 
intended recipient, you are not authorised to use or copy this message 
or attachment or disclose the contents to any other person. Views 
expressed are not necessarily endorsed by Security-Assessment.com 
Limited. Please note that this communication does not designate an 
information system for the purposes of the New Zealand Electronic 
Transactions Act 2003.
######################################################################