Interdating net

We were completely successful in this engagement, and wanted to recount the steps taken as an illustration.

We'll note that this was a somewhat winding road with more than one wrong turn, and others with more experience will certainly have different -- and better -- approaches. But the fact that we were successful does suggest that we were not entirely misguided.

This appeared to be an entirely custom application, and we had no prior knowledge of the application nor access to the source code: this was a "blind" attack. A bit of poking showed that this server ran Microsoft's IIS 6 along with ASP.

"SQL Injection" is a subset of the unverified/unsanitized user input vulnerability ("buffer overflows" are a different subset), and the idea is to convince the application to run SQL code that was not intended.

We don't know the specific names of the fields or table involved, but we do know their nature, and we'll make some good guesses later.

So the first test in any SQL-ish form is to enter a single quote as part of the data: the intention is to see if they construct the SQL string literally without sanitizing.

When we enter a single quote and the query is executed, the SQL parser finds the extra quote mark and aborts with a syntax error.

Since the data we're filling in appears to be in the WHERE clause, let's change the nature of that clause in an SQL-legal way and see what happens. By entering a quoted value of this kind we change the shape of the query: because the application is not really thinking about the query - merely constructing a string - our use of quotes has turned a single-component WHERE clause into a two-component one, and the 'x'='x' clause is guaranteed to be true no matter what the first clause is (there is a better approach for this "always true" part that we'll touch on later).

We know that the tail end of the query is a comparison with the email address, so let's guess email as the name of the field. The intent is to use a proposed field name (email) in the constructed query and find out if the SQL is valid or not.

We don't care about matching the email address (which is why we use a dummy 'x'), and the -- marks the start of an SQL comment.
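The three probes described above (a lone quote, the always-true 'x'='x' clause, and a guessed field name followed by a -- comment) can be reproduced against a throwaway database. This is an added example, not code from the original write-up; the members table, its rows and the two lookup functions are constructed here for illustration. The vulnerable function concatenates input into the WHERE clause exactly as the page describes, while the parameterized version binds the same input as data, so every probe degrades to a harmless "no rows" result.

```python
import sqlite3

# Constructed sample data (not from the page): a tiny members table.
SAMPLE_ROWS = [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, user_input):
    """Builds the WHERE clause by string concatenation (the flaw on the page).
    Returns ("error", message) when the database rejects the SQL, which is
    the signal the probes look for, else ("rows", sorted list of names)."""
    sql = "SELECT name FROM members WHERE email = '" + user_input + "'"
    try:
        return ("rows", sorted(r[0] for r in conn.execute(sql)))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def lookup_safe(conn, user_input):
    """Parameterized form: the input is bound as a value and never parsed as SQL,
    so quotes, OR clauses and comment markers are just characters in an address."""
    cur = conn.execute("SELECT name FROM members WHERE email = ?", (user_input,))
    return ("rows", sorted(r[0] for r in cur))


def run_probes(lookup):
    """Apply the page's three probes through a given lookup function and
    return {probe name: outcome}. Constructed probe strings follow the page."""
    conn = make_db()
    return {
        "lone_quote": lookup(conn, "'"),                 # breaks the string literal
        "always_true": lookup(conn, "' OR 'x'='x"),      # two-component WHERE
        "guess_email": lookup(conn, "x' AND email IS NULL --"),
        "guess_wrong": lookup(conn, "x' AND nosuchfield IS NULL --"),
    }


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(name, run_probes(fn))
```

Compare the two result sets: the vulnerable path answers "error" for the lone quote and for the wrong field guess but "rows" for the right one, which is exactly the valid-or-not oracle the page relies on, whereas the safe path returns an empty row list for all four.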
