websecurity@lists.webappsec.org

The Web Security Mailing List


SQL injection in cookies variable

OxFFFF 1336
Sun, Aug 28, 2011 1:47 PM

Hey there,

I'm doing some research concerning SQL injection in cookies variable and
I want to know if there are previous papers or materials related to this.

I'll be glad if you can help me with this :)

Many thanx in advance,

Cheers

Sandro Gauci
Sun, Aug 28, 2011 6:28 PM

Hello 65535,

The following advisory regarding OpenX and the associated demo video
described SQL injection using the cookie:

http://resources.enablesecurity.com/advisories/openx-2.6.4-multiple.txt

Any user input (in this case, any part of the HTTP request) can be
used for SQL injection if it is in some way passed to an SQL
statement. As usual, google is indeed your friend - there are various
documented cases of SQL injection through cookies :)

Sandro Gauci
Chief Consultant and Founder of EnableSecurity
Email: sandro@enablesecurity.com
Web: http://enablesecurity.com/
PGP: 514D B10C 8C3C 15BB 2EFD  49EC 7CCD 73C5 0295 F23B

On Sun, Aug 28, 2011 at 2:47 PM, OxFFFF 1336 <0x1336.9@gmail.com> wrote:

> Hey there,
>
> I'm doing some research concerning SQL injection in cookies variable and I
> want to know if there are previous papers or materials related to this.
>
> I'll be glad if you can help me with this :)
>
> Many thanx in advance,
>
> Cheers
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Anurag Agarwal
Sun, Aug 28, 2011 7:50 PM

SQL injection does not happen in cookies. It happens in the database. The
injection could be done via forms, URL, cookies, web services, etc., but the
data has to go to a database. So any material on SQL injection is relevant
here as well.

So you may want to get more context on what it is that you are trying to do
via cookies.

Thanks,

Anurag Agarwal

MyAppSecurity LLC

Cell - 919-244-0803

Email - anurag@myappsecurity.com

Website - http://www.myappsecurity.com

Blog - http://myappsecurity.blogspot.com

LinkedIn - http://www.linkedin.com/in/myappsecurity

Twitter: https://twitter.com/#!/myappsecurity

From: websecurity-bounces@lists.webappsec.org
[mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of OxFFFF 1336
Sent: Sunday, August 28, 2011 9:47 AM
To: websecurity@lists.webappsec.org; websecurity@webappsec.org;
webappsec@securityfocus.com
Subject: [WEB SECURITY] SQL injection in cookies variable

Hey there,

I'm doing some research concerning SQL injection in cookies variable and I
want to know if there are previous papers or materials related to this.

I'll be glad if you can help me with this :)

Many thanx in advance,

Cheers

albinowax@eml.cc
Sun, Aug 28, 2011 8:08 PM

I have an example page vulnerable to cookie-based SQLi at
http://hackxor.sourceforge.net/cgi-bin/portal.pl (and a similar page
with a slightly different exploit using JSP in the download)

Predictable self-promotion aside, cookie-based SQLi is very similar to
GET/POST-based SQLi, except that certain characters can't be used. For
example, ';' and ',' are typically treated as delimiters, so they end
the injection if they aren't URL-encoded. A lot of these rules are
server specific though; Tomcat6/JSP treats whitespace as a delimiter
(which is easy to work around in MySQL by using /**/ or %0A instead).

albino

On Sun, 28 Aug 2011 15:47 +0200, "OxFFFF 1336" <0x1336.9@gmail.com> wrote:

Hey there,

I'm doing some research concerning SQL injection in cookies
variable and I want to know if there are previous papers or
materials related to this.

I'll be glad if you can help me with this :)

Many thanx in advance,

Cheers
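
Added example (not written by any poster in this thread): the point made in the replies above, that a cookie is request input like any other and becomes injectable once it reaches an SQL statement, shown as a vulnerable lookup beside a hardened one. The `sessions` table, the 16-hex-character token format, the sample headers and all function names are assumptions made for the illustration.

```python
import re
import sqlite3
from http.cookies import SimpleCookie

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO sessions VALUES (?, ?)",
                   [("a3f1c9d2e4b5a6f7", "alice"), ("0b7e6d5c4a3f2e1d", "bob")])
    return db

def cookie_value(header, name):
    """Extract one cookie from a raw Cookie: header value; None if absent."""
    jar = SimpleCookie()
    jar.load(header)
    return jar[name].value if name in jar else None

def lookup_vulnerable(db, header):
    # BEFORE: the cookie value is pasted into the SQL text, so the client
    # controls part of the statement the database parses.
    token = cookie_value(header, "session")
    sql = ("SELECT username FROM sessions WHERE token = '%s' "
           "ORDER BY username" % token)
    return [row[0] for row in db.execute(sql)]

TOKEN_RE = re.compile(r"[0-9a-f]{16}")  # assumed token format

def lookup_hardened(db, header):
    # AFTER: reject anything that is not a well-formed token, then bind the
    # value as a parameter so it is only ever treated as data.
    token = cookie_value(header, "session")
    if token is None or not TOKEN_RE.fullmatch(token):
        return []
    rows = db.execute("SELECT username FROM sessions WHERE token = ? "
                      "ORDER BY username", (token,))
    return [row[0] for row in rows]

# Constructed Cookie: header values, one legitimate and one tampered.
GOOD = "session=a3f1c9d2e4b5a6f7; theme=dark"
TAMPERED = "session=\"x' OR '1'='1\"; theme=dark"

if __name__ == "__main__":
    db = make_db()
    for label, header in (("good", GOOD), ("tampered", TAMPERED)):
        print(label, lookup_vulnerable(db, header), lookup_hardened(db, header))
```

The parameter binding is the actual fix; the format check is a second layer that also keeps malformed tokens out of logs and downstream code.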
