[WEB SECURITY] Numeric SQL injection ASP.NET

Oussama Gabi oussama.gabi at gmail.com
Wed Apr 27 05:47:02 EDT 2011


Hello guys,

For testing I put the enableViewStateMac to false, now there is no hash at
the end of the ViewState. Then I intercept the request with BurpProxy.

The ViewState code is
%2FwEPDwUKMTAxMTc1NDMyNA9kFgICAw9kFgICAQ8QDxYGHg1EYXRhVGV4dEZpZWxkBQNOb20eDkRhdGFWYWx1ZUZpZWxkBQhJZF9WaWxsZR4LXyFEYXRhQm91bmRnZBAVBgpDYXNhYmxhbmNhBVJhYmF0BFNhZmkGVGFuZ2VyBkFnYWRpcgVTYWZpZRUGAzIwMAMyMDEDMjAyAzIwMwMyMDQDMjAyFCsDBmdnZ2dnZ2RkGAEFCUdyaWRWaWV3MQ88KwAKAQgCAWQ%3D

I get something like this when I decode it:
ÿ
1011754324dd

DataTextFieldNom
DataValueFieldId_Ville

_!DataBoundgd
CasablancaRabatSafiTangerAgadirSafie200201202203204202+ggggggdd
GridView1<+�
d

My goal is to add or 1=1 to display all the cities with temperature.
So I add it after the value selected in the dropdownlist, e.g. 201; it will be
201 or 1=1
I encode it all to base64,
but I got an error: session information is not valid....

I've tried to change the Content-Length, in vain..

I know it's stupid, but I want to make this example..


*this is my Code* https://gist.github.com/943987

do you have any ideas please?


Thank you
Best regards
Oussama GABI

2011/4/25 Erlend Oftedal <erlend at oftedal.no>

>  Hi
>
> Sharing the code could be a good idea. Maybe put it up on github or
> something.
>
>
> Best regards,
> Erlend
>
>
>
> On 25.04.2011 17:38, Oussama Gabi wrote:
>
> Yes, I've disabled the enableValidation; for the ViewState I added
> EnableViewState=false in the dropdownList, without any result.
>
> The server response:
>
> Status=OK - 200
> Server=ASP.NET Development Server/10.0.0.0
> Date=Mon, 25 Apr 2011 16:22:39 GMT
> X-AspNet-Version=2.0.50727
> Cache-Control=private
> Content-Type=text/html; charset=utf-8
> Content-Length=1331
> Connection=Close
>
>
> Thank you very much
>
>
>  2011/4/25 Ryan Dewhurst <ryandewhurst at gmail.com>
>
>> Is the ViewState and EventValidation being URL encoded when being sent
>> back to the server?
>>
>> What is the HTTP response you are getting?
>>
>
>
>>
>> Ryan Dewhurst
>>
>> blog www.ethicalhack3r.co.uk
>> projects www.dvwa.co.uk | www.webwordcount.com
>> twitter www.twitter.com/ethicalhack3r
>>
>>
>>  On Mon, Apr 25, 2011 at 1:15 PM, Oussama Gabi <oussama.gabi at gmail.com> wrote:
>>
>>>  Hello guys,
>>>
>>> I am a beginner in web application security, so I started to train on
>>> WebGoat. I would like to make a numeric SQL injection attack, but in ASP.NET.
>>> So I created a dropdownlist that retrieves the names of cities and a
>>> gridview for display!
>>> The problem is that when I change the ID value with TamperData, nothing
>>> happens. I looked a bit and I think that's a problem with ViewState, so is it
>>> impossible to make this attack in ASP.NET?
>>> How could I circumvent this ViewState or disable it for testing? Or any
>>> hint!
>>>
>>> Thank you !
>>>
>>>
>>> Best regards!
>>>
>>>
>>>  _______________________________________________
>>> The Web Security Mailing List
>>>
>>> WebSecurity RSS Feed
>>> http://www.webappsec.org/rss/websecurity.rss
>>>
>>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>
>>> WASC on Twitter
>>> http://twitter.com/wascupdates
>>>
>>> websecurity at lists.webappsec.org
>>>
>>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>>
>>>
>>
>
>
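Added example (not part of the original thread and not the poster's gist): the numeric lookup discussed above, written once with the posted value concatenated into the SQL text and once hardened, so the effect of "201 or 1=1" on each form can be compared. It uses Python with an in-memory SQLite database standing in for the ASP.NET page's data access; the table name Ville, the Temperature column and the sample rows are assumptions, while Id_Ville and Nom come from the decoded ViewState.

```python
import sqlite3

# Constructed sample data: Id_Ville / Nom appear in the decoded ViewState in
# the message; the table name and the temperature values are assumptions.
ROWS = [(200, "Casablanca", 22), (201, "Rabat", 20), (202, "Safi", 21),
        (203, "Tanger", 18), (204, "Agadir", 25)]


def make_db():
    """Build the in-memory stand-in for the cities table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Ville (Id_Ville INTEGER PRIMARY KEY, "
               "Nom TEXT, Temperature INTEGER)")
    db.executemany("INSERT INTO Ville VALUES (?, ?, ?)", ROWS)
    return db


def lookup_concatenated(db, posted_value):
    """'Before' form: the posted value becomes part of the SQL text itself."""
    sql = "SELECT Nom, Temperature FROM Ville WHERE Id_Ville = " + posted_value
    return db.execute(sql).fetchall()


def lookup_parameterized(db, posted_value):
    """Hardened form: strict integer parse, allow-list check, bound parameter."""
    if not (posted_value.isascii() and posted_value.isdigit()):
        raise ValueError("Id_Ville must be a plain integer")
    city_id = int(posted_value)
    # Accept only ids the dropdown could legitimately have offered.
    known = {row[0] for row in db.execute("SELECT Id_Ville FROM Ville")}
    if city_id not in known:
        raise ValueError("Id_Ville is not one of the offered cities")
    # The value travels as data; it can never change the WHERE clause.
    return db.execute(
        "SELECT Nom, Temperature FROM Ville WHERE Id_Ville = ?", (city_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("201", "201 or 1=1"):
        print(repr(value), "concatenated ->", lookup_concatenated(db, value))
        try:
            print(repr(value), "parameterized ->", lookup_parameterized(db, value))
        except ValueError as exc:
            print(repr(value), "parameterized -> rejected:", exc)
```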