[WEB SECURITY] SQL Injection via UserHostAddress function

Shlomi Narkolayev shlominar at gmail.com
Sun May 9 01:39:37 EDT 2010

You can write asp page that write to file the Request.UserHostAddress value,
after that just alter the Host header HTTP packet generator tool (You can
use Burp) and see if it's getting the value from the Host header or from
other source (like from the TCP stack). If it's getting the value from the
Host header so you can easily execute SQLi attacks.

Kind Regards,
Narkolayev Shlomi.

Visit my blog: http://Narkolayev-Shlomi.blogspot.com

On Sun, May 9, 2010 at 12:44 AM, NeZa <neza0x at gmail.com> wrote:

> There is a site which makes decisions based on the client ip address. This
> info is gotten via .NET Page.Request.UserHostAddress method so, apart from
> doing some kind of sniffing stuff which clearly would be the first attack
> vector, I realized that once this value is gotten, it is directly paste into
> a SQL query without proper encoding which could introduce a SQL Injection
> flaw.
> So, wondering whether there is a way to alter the REMOTE Address value
> without affecting the TCP connection?
> But honestly, I am not sure how this UserHostAddress get the Remote IP
> Address, is this via REMOTE_ADDR env? HTTP Header?
> Another option that came to my mind is to use a Proxy which can alter this
> value without affecting the TCP communication.
> Any thought?
> --
> Daniel Regalado
> NeZa Rifa!!!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20100509/5d4af6f0/attachment.html>

More information about the websecurity mailing list