Thread: SQL injection
View Single Post

   
  #8 (permalink)  
Old 02-28-2008, 10:32 AM
Rik Wasmus
 
Posts: n/a
Default Re: SQL injection
On Fri, 01 Feb 2008 22:32:52 +0100, Kasper Lindberg <NoSp@m.invalid> wrote:
>>> I usually add a LIMIT clause for those sneaky bastards who check the
>>> number of matches.
>>> User: OR 1=1 LIMIT 1 -- (Or: OR 1=1 LIMIT 1 # )
>>> Pass: \
>>>
>>> Would create:
>>> .. where [passwordfield]='\' and [userfield]=' OR 1=1 LIMIT 1-- '
>>>
>>> Which would be fine if the query is all on one line & no ending
>>> delimiter is needed (PHP & MySQL for instance).
>
> And ASP as well
>
>>> I get a 500 internal error on that though:
>>> Error Type:
>>> Sun ONE ASP JavaScript runtime (0x80004005)
>>> 006~SQLState: 37000 Native Error Code: 1064 [MySQL][ODBC 3.51
>>> Driver][mysqld-4.1.11-Debian_4sarge8-log]You have an error in your SQL
>>> syntax; check the manual that corresponds to your MySQL server version
>>> for the right syntax to use near ''\')' at line 1
>>> /diverse/test/chekher.asp, line 97
>>>
>
> now thats intresting ...
> what types of SQL-statements would end with the characters ')
>
> To my knowlege, only the insert statement is logical in this case.
>
> One optimistic guess is, that you actually solved it with the
> limit-clause,
> but his logging of events (as mentioned, this is a test-setup) is what
> keeps
> me from being redirected to the confirmation-page.
>
>
> one guess would be, that the line 97 is something like:
>
> insert into logtable ([some fields],[userfield],[passwordfield]) values
> ([timestamps etc.],' or 1=1 -- ','\')

Very likely.

>> So, like PHP BTW, a ; in it followed by random stuff (or a valid query)
>> is
>> not possible. Oh the havoc I could've created by entering a DROP or
>> TRUNCATE query after it if it was supported (as soon as I found out the
>> tablenames offcourse).
>>
>
> well, I am trying to help the guy, not destroy his database .. play nice,
> okay

Hehe, ask to hack, be hacked, I'm just getting my feet wet here SQL
injection wise.

>> Error Type:
>> Sun ONE ASP JavaScript runtime (0x80004005)
>> 006~SQLState: S1T00 Native Error Code: 1045 [MySQL][ODBC 3.51
>> Driver][mysqld-4.1.11-Debian_4sarge8-log]Access denied for user
>> 'vipom_dk'@'localhost' (using password: YES)
>> /diverse/test/chekher.asp, line 87
>>
>> No FILE privilage most likely, and I'm not really about to sign up with
>> http://www.one.com to check out their directory structure anyway.
>>
>
> Well, Asking ther (in)competent support to grant those privileges, might
> do
> the trick.

oe.com is all about one size fits all, no way you're getting those
priviliges (and I wouldn't give anyone those in a controlled environment
anyway).


>> The 'check the manual that corresponds to your MySQL server version for
>> the right syntax to use near ''\')' at line 1 /diverse/test/chekher.asp,
>> line 97' is still intriguing me though... It must be either
>> ...SOMEFUNCTION('<password>')..., or ...VALUES(...,'<password>')...,
>> which
>> obviously fails due to the fact we can't do anything about not closing
>> he ) at that point. I wonder whether it's another check that fails, or
>> some update/insert statement.
>>
>
> I belive it to be the later option.
>
>> Now I'm really going to do something productive, after commenting that
>> while hacking has not (yet) succeeded, maybe using ' OR 1=1 FOR UPDATE
>> --
>> ' as a username continously could seriously hinder his ability to alter
>> the users database.
>
> Explain please, what would that acheive?

Locking all rows matched for the duration of the transaction, so they
wouldn't be able to update or delete those rows. Not really of interest in
a low traffic site, where a simultanious alter/delete command combined
with the lock would be extremely rare. On a high traffic site (and with
anough (almost ddos) power behind the login attempts however, it could
render all your users incapable of chaging anything about their record.

>> On that note: never ever show database errors to the users. They are
>> only
>> a clue for the potential harmfull, and a nuisance for normal users. Log
>> errors, show a nice page 'something has failed, our apologies'.
>
> Exactly what I am going to tell him, when I'm done.

Hehe, indeed, leave them on for now, I might have inspiration tomorrow.....
--
Rik Wasmus
Reply With Quote