Jason,
I agree with Rich, it seems your ' is being escaped by adding a second one.
This should be interpreted by the database as a single quote within the
quoted string '...'. This is very difficult to escape. The error message is
very interesting though, you should not have gotten an error message in most
databases. Is this a MS SQL Server? Do you get an ODBC error? Is it Java,
PHP, ASP or ASPX? (it seems to be
ADO.NET)
This error condition could prove to be very useful, if the database is not
recognizing two quotes as an escaped quote you may be able to get out of the
string.
You should try to find some inconsistency in the way the additional ' is
added. Try and see what happens if:
- You add more than one '
- You use the unicode equivalent %27
- You convert the POST to a GET by adding the parameters in the URL
- Use a proxy and see what other information is being sent in the form; any
hidden parameters?
- Is the additional quote being added through a Java script running on the
client side?
- Does the error occur in the same page that is validating and adding the
extra quote? if not, can you call the query page directly?
Good luck,
Victor
-----Original Message-----
From: Jason binger [mailto:cisspstudy@yahoo.com]
Sent: November 27, 2005 6:50 PM
To: webappsec@securityfocus.com
Subject: Simple to exploit SQL Injection ?
I am reviewing a .Net web application. When entering xyz for
a username and ' for a password into a form I receive the
following stack trace (extract):
System.Exception: Can't Load DataReader using SQL
string: 'SELECT * FROM users WHERE username = 'xyz'
AND password = '''' -- Unclosed quotation mark before the
character string '''. Line 1: Incorrect syntax near '''.
Now I would have thought this would be easy to exploit, but I
can't bypass the logon page. xyz is a valid username. Any ideas?
Cheers
__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com
http://www.sm4rt.com/links
