[WEB SECURITY] SQL Injection

Will Jefferies wjefferies at fncinc.com
Wed Jul 12 15:35:18 EDT 2006


A SQL injection is usually specific to the syntax of the original SQL
query.  I use error messages from the web browser to try and determine
the structure of the query so that I can make syntax decisions.  I would
first try the old, faithful single tick method to try to throw an error.
If you get an error, try using the "having" and group keywords to map
the table columns and then use an insert statement to add something to
the database to prove you can do it.  I assume you are working on a demo
site and not a live production site. I am also assuming that you have
permission to do this...

This is usually my first avenue of exploration when exercising a blind
injection that was reported by automated software.  Hope it helps.  More
advanced injections can be explored.  I am just providing the initial
steps that I take personally.

Will

-----Original Message-----
From: Schmidt, Albert E [mailto:AES at ola.state.md.us] 
Sent: Wednesday, July 12, 2006 1:51 PM
To: websecurity at webappsec.org
Subject: RE: [WEB SECURITY] SQL Injection

Can anybody please provide me with advice on constructing a SQL
Injection? I am currently auditing a web application.  During the audit
I performed a Paros scan.  The Paros scan resulted in showing several
areas where a SQL injection is possible; however, unless I can exploit a
SQL injection then I am not able to prove that SQL injection is
possible.  I am not looking for complex statements, just something
simple that will provide me information to prove injection is possible.

If you cannot provide this information could you please provide me with
a reference to a book or web page that can.

Thank you,

Albert E. Schmidt, CPA
Senior Information System Auditor
Office of Legislative Audits

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
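
Added example, not part of the original thread: why the single-tick check mentioned above raises a database error when input is concatenated into the query text, and why the same input is harmless once it is bound as a parameter. The in-memory SQLite table, the function names and the sample value are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample table; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT)")
    db.executemany("INSERT INTO accounts (owner) VALUES (?)",
                   [("alice",), ("bob",)])
    return db


def lookup_concat(db, owner):
    # Flawed pattern a scanner flags: input is spliced into the SQL text,
    # so a quote in the value changes the statement the parser sees.
    sql = "SELECT id FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()


def lookup_bound(db, owner):
    # Corrected pattern: the value is bound as a parameter and is never
    # parsed as SQL, whatever characters it contains.
    sql = "SELECT id FROM accounts WHERE owner = ?"
    return db.execute(sql, (owner,)).fetchall()


def single_quote_check(lookup, db):
    """Run one lookup with a value containing an apostrophe.

    A database syntax error means the input reached the SQL parser,
    which is the evidence an auditor records for the finding.
    """
    probe = "O'Brien"  # constructed, ordinary value with a single quote
    try:
        rows = lookup(db, probe)
        return {"input_parsed_as_sql": False, "rows": rows, "error": None}
    except sqlite3.OperationalError as exc:
        return {"input_parsed_as_sql": True, "rows": None, "error": str(exc)}


if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_concat, lookup_bound):
        print(fn.__name__, single_quote_check(fn, db))
```

The same check works as a regression test after remediation: once every query uses bound parameters, no input value should be able to produce a SQL syntax error.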
