Re: SQL injection

Francesco wrote:
> I have just discovered that I can successfully inject the following SQL:
>
> ' OR 1=1; --
>
> into the Username field of a logon form on a "secure" site in my
> corporate network (Windows 2000, SQL 7.0).  When I do this, leaving the
> password field blank, I am logged into the system as the first user in
> the "Users" table in the DB which is being authenticated against.  LOL.
>
> If I can get that far, can't I theoretically:
>
> ' OR 1=1; DELETE Users; --

With proper SQL, yes (the above is not).

> or something similar?  Couldn't I EXEC some system sprocs this way too?

Not normally, no.

> How much damage/rooting can be done here?

No rooting, but you should be able to create a privileged account for 
yourself or update the password of some other user so you can use that. 
Google for SQL injections. You should find about 20000 pages.

>  I need to present a detailed
> report to the admins.

Yeah, right.

> Thanks,
>
> Francesco
> Francesco Sanfilippo
> -------------------------------------------
> Blackcoil Productions - http://blackcoil.com 
> URL123 Link Service - http://url123.com