RE: SQL Injection question

From: Yvan Boily (yboily@seccuris.com)
Date: Mon Jan 05 2004 - 15:38:05 EST


I couldn't agree more; you have uncovered a flaw within the application
because by passing unexpected values you have managed to trigger an
unrecoverable error condition. If you take the time and get creative you
may be able to determine a way to exploit the flaw, but not without a great
deal of investigation.

Because you were able to create the error condition you need to view the
source to determine the extent to which it can be done. If anything this
issue indicates that the application requires a code audit.

Yvan Boily

-----Original Message-----
From: Jeff Williams @ Aspect [mailto:jeff.williams@aspectsecurity.com]
Sent: Monday, January 05, 2004 12:56 PM
To: pen-test@securityfocus.com
Subject: Re: SQL Injection question

Sasa,

The only way you're ever going to know is if you review the code. The 500
may be the result of a validation mechanism that detects malformed input and
generates the error. Or it may be the result of a database call that is
failing and throwing an exception that is handled by a generic error
handler.

You can waste a lot of time trying various injections and combinations to
get a more detailed error message, but you'll never know for sure unless you
check the code. For SQL injection in particular, it's far more efficient to
check to make sure that all SQL query parameters are validated or sanitized
properly in the code.

--Jeff

Jeff Williams
Aspect Security
http://www.aspectsecurity.com

----- Original Message -----
From: Sasa Jusic
To: 'pen-test@securityfocus.com'
Sent: Monday, January 05, 2004 7:53 AM
Subject: SQL Injection question

Hi group,

I am conducting a Pen test for a customer, and last few days I have been
struggling with their Web application running on Apache/mod_ssl Web Server
using CGI interface. During the initial assessment I found several Web forms
using POST method, so I began searching for SQL Injection Vulnerabilities.

The problem is that forms are well protected, and they are only accepting
numeric values, so I can't insert any malicious characters to test for SQL
vulnerabilities. Then I discovered that the form input validation is done
with JavaScript code on the client side, so I used the Paros proxy tool for
intercepting and modification of submitted form values. In this way I
managed to submit the arbitrary data to the server, and the server response
was "500 Internal Server Error" without any useful information about the
error reason or underlying database structure. I tried various combinations
typical for SQL Injection assessment, but the response was always the same.

On several places I have read that this type of error is one of the possible
indicators of SQL Injection problems, so I would like to examine this
problem more carefully.

How can I know if this is really a SQL Injection problem or some other
error? Is there any way I can elicit some more information about the
structure of the database or any other useful information I can use for
further testing?

I don't have much practical experience with SQL Injection so I would really
appreciate any help.

Best regards,

Sasa.
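To illustrate the two possibilities Jeff raises (a 500 that comes from a generic exception handler around a failing database call, versus input that is rejected by server-side validation before any query runs), and the point in Sasa's report that client-side JavaScript checks are bypassed by a proxy, here is an added example that is not part of the original thread. It is a small Python stand-in for a CGI handler using an in-memory SQLite database with constructed sample rows; the table, column and parameter names (`accounts`, `owner`, `account`) are assumptions for the demonstration. `legacy_handle_request` shows the pattern that produces an uninformative 500 on any malformed value; `handle_request` re-validates the numeric parameter on the server and binds it as a query parameter, so a bad value becomes a 400 and the database never sees it as SQL.

```python
import re
import sqlite3
from typing import Dict, Optional, Tuple

# Server-side rule for the field the client JS claims to enforce.
NUMERIC = re.compile(r"[0-9]{1,10}")


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data; stands in for the customer's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn


def validate_numeric(value: Optional[str]) -> Optional[int]:
    """Return the integer if the submitted value is purely numeric, else None.
    This runs on the server, so a proxy that edits the POST body cannot skip it."""
    if value is None or not NUMERIC.fullmatch(value):
        return None
    return int(value)


def lookup_owner(conn: sqlite3.Connection, account_id: int) -> Optional[str]:
    """Parameterised query: the id is bound as data, never spliced into SQL text."""
    row = conn.execute("SELECT owner FROM accounts WHERE id = ?", (account_id,)).fetchone()
    return row[0] if row else None


def handle_request(conn: sqlite3.Connection, form: Dict[str, str]) -> Tuple[int, str]:
    """Hardened handler: (status, body) as a CGI script would emit them."""
    account_id = validate_numeric(form.get("account"))
    if account_id is None:
        # Validation failure is reported as a client error, not a server crash.
        return 400, "invalid account parameter"
    try:
        owner = lookup_owner(conn, account_id)
    except sqlite3.Error:
        # Generic handler still exists, but only genuine DB faults reach it.
        return 500, "Internal Server Error"
    if owner is None:
        return 404, "no such account"
    return 200, owner


def legacy_handle_request(conn: sqlite3.Connection, form: Dict[str, str]) -> Tuple[int, str]:
    """The ambiguous pattern from the thread: no server-side check, SQL built by
    string concatenation, and every exception collapsed into a bare 500.
    Kept here only to show why the 500 alone tells a tester nothing."""
    value = form.get("account", "")
    try:
        row = conn.execute("SELECT owner FROM accounts WHERE id = " + value).fetchone()
    except sqlite3.Error:
        return 500, "Internal Server Error"
    return (200, row[0]) if row else (404, "no such account")


if __name__ == "__main__":
    db = build_demo_db()
    for sample in ({"account": "1"}, {"account": "1'"}, {}):
        print("hardened:", sample, "->", handle_request(db, sample))
        print("legacy:  ", sample, "->", legacy_handle_request(db, sample))
```

In the legacy handler a value such as `1'` makes the database driver raise, and the generic `except` turns that into the same 500 that a validation failure or any other fault would produce, which is exactly why the thread concludes that only a code review can tell the cases apart. The hardened handler makes the distinction visible in the response code and, because the parameter is bound rather than concatenated, leaves no query text for the input to alter even if the regex were later relaxed.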


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:44 EDT