Re: SQL Injection question

From: Adam Tuliper (amt@gecko-software.com)
Date: Mon Jan 05 2004 - 17:10:25 EST


Hi Sasa,
You mentioned it gave you a:
"'500 Internal Server Error' without any useful information
about the error reason or underlying database structure."

Do you by any chance have "Show friendly HTTP error
messages" checked on in the IE settings?

Adam Tuliper
Gecko Software LLC.

> ----- Original Message -----
> From: Sasa Jusic
> To: 'pen-test@securityfocus.com'
> Sent: Monday, January 05, 2004 7:53 AM
> Subject: SQL Injection question
>
>
> Hi group,
>
> I am conducting a pen test for a customer, and for the last few days I
> have been struggling with their Web application running on an
> Apache/mod_ssl Web server using the CGI interface. During the initial
> assessment I found several Web forms using the POST method, so I began
> searching for SQL injection vulnerabilities.
>
> The problem is that the forms are well protected, and they only accept
> numeric values, so I can't insert any malicious characters to test for
> SQL vulnerabilities. Then I discovered that the form input validation is
> done with JavaScript code on the client side, so I used the Paros proxy
> tool for intercepting and modifying submitted form values. In this way I
> managed to submit arbitrary data to the server, and the server response
> was "500 Internal Server Error" without any useful information about the
> error reason or underlying database structure. I tried various
> combinations typical for SQL injection assessment, but the response was
> always the same.
>
> In several places I have read that this type of error is one of the
> possible indicators of SQL injection problems, so I would like to examine
> this problem more carefully.
>
> How can I know if this is really a SQL injection problem or some other
> error? Is there any way I can elicit some more information about the
> structure of the database or any other useful information I can use for
> further testing?
>
> I don't have much practical experience with SQL injection, so I would
> really appreciate any help.
>
> Best regards,
>
> Sasa.
>
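
For the application owner's side of the situation described in this thread, here is an added example (not part of either message, and not the customer's code) contrasting a handler that relies on the browser's JavaScript check with one that repeats the numeric-only rule on the server and binds the value as a parameter. The `orders` table, the `order_id` field, the handler names and the use of SQLite are assumptions made for illustration.

```python
import logging
import re
import sqlite3

log = logging.getLogger("orders")
# Server-side copy of the form's numeric-only rule (ASCII digits only).
NUMERIC = re.compile(r"[0-9]{1,9}")


def make_db():
    """Constructed sample data: a one-table in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, item TEXT)")
    conn.execute("INSERT INTO orders VALUES (42, 'widget')")
    return conn


def handle_trusting(conn, form):
    """Relies on client-side validation and builds SQL from the raw field."""
    sql = "SELECT item FROM orders WHERE id = " + form.get("order_id", "")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        # The raw value reached the SQL parser; the client only sees a 500.
        return 500, "Internal Server Error"
    return (200, row[0]) if row else (404, "not found")


def handle_validating(conn, form):
    """Validates on the server, then binds the value as a parameter."""
    raw = form.get("order_id", "")
    if not NUMERIC.fullmatch(raw):
        # Detail goes to the server log, not into the HTTP response.
        log.warning("rejected order_id=%r", raw)
        return 400, "invalid order id"
    row = conn.execute(
        "SELECT item FROM orders WHERE id = ?", (int(raw),)
    ).fetchone()
    return (200, row[0]) if row else (404, "not found")


if __name__ == "__main__":
    db = make_db()
    for value in ("42", "42abc", ""):  # constructed inputs
        field = {"order_id": value}
        print(repr(value), handle_trusting(db, field), handle_validating(db, field))
```

A 500 from the first handler only shows that unvalidated input reached a component that failed on it; the second handler turns the same input into a controlled 400 and a server-side log entry that can be monitored.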

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:44 EDT