RE: How to evade white spaces in a SQL injection

From: Jeff Bryner (jeff@jeffbryner.com)
Date: Tue Mar 30 2004 - 01:08:43 EST


Tough to give more without specifics but
you could aim for a query like:

select * from users where useid=useid+1
or
select * from users where useid=''+1

The 2nd one is more likely since they're probably adding the ' character to
whatever you enter.
So you'd enter '+1-- as the username. The first ' ends the ' they add, the
+1 tells sql to add 1 to a character field, which it can't do, the --
comments out the remainder of the query so it doesn't get parsed. SQL will
then return an error telling you it can't convert some valid username to an
int to complete your request for adding 1 to the username.

For example in sql try the following queries and see the return:
select *
from sysusers
where
user=user+1

select *
from sysusers
where
user=''+1

You'll get a message telling you that it can't convert some username to int.
This will tell you a valid username, then you go for a password..then you're
in!

Jeff.

-----Original Message-----
From: Falcifer [mailto:falcifer2001@yahoo.es]
Sent: Thursday, March 25, 2004 4:35 PM
To: jeff@jeffbryner.com
Cc: pen-test@securityfocus.com
Subject: Re: How to evade white spaces in a SQL injection

Sorry, but I don't understand it.

Can you explain it a bit more;

Suppose that the original query is:
select * from users where useid=&my_user_without_spaces and
password=&password

where &my_user_without_spaces and &password were the inputs submitted
by the webform, but both vars without spaces;

Thanks

On Thu, 25-03-2004 at 18:13, Jeff Bryner wrote:
> --- Falcifer <falcifer2001@yahoo.es> wrote:
> > Hi,
> >
> > I've one application coded on asp with a login form and the only
> > character that it validates is the white space.
> >
> > Can I perform a sql injection on it? how?
>
> SQL is nice enough to do some automatic parsing for you..so
>
> select''+@@version
>
> will work. Of course if the validation is client side, just bypass it.
>
>
>
> =====
> Jeff
> -----------------------
> You... you can't dump me! I'm using your name for all my passwords! What
> exactly am I supposed to do about that!?
>
> - Justin Simoni
>
> __________________________________
> Do you Yahoo!?
> Yahoo! Finance Tax Center - File online. File on time.
> http://taxes.yahoo.com/filing.html

---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT