RE: SQL Injection question

From: Tibor Biro (tiborbiro@rogers.com)
Date: Mon Jan 05 2004 - 15:54:26 EST


Hi Sasa,

What you have is probably a blind SQL injection vulnerability. There are
several good documents out there that can help you with clues and SQL
constructs that give you some information.

I found this document good for my purposes:
http://www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf

You can get anything without actually seeing the results, just follow
the white rabbit. It will help if you script the requests as you will
need a huge amount of requests to extract actual data.

Google can also help you:
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=blind+SQL+injection&meta=

Regards,
Tibor

> -----Original Message-----
> From: Sasa Jusic [mailto:sjusic@pamela.zesoi.fer.hr]
> Sent: January 5, 2004 7:54 AM
> To: 'pen-test@securityfocus.com'
> Subject: SQL Injection question
>
> Hi group,
>
> I am conducting a Pen test for a customer, and for the last few days I have
> been struggling with their Web application running on an Apache/mod_ssl Web
> Server using a CGI interface. During the initial assessment I found several
> Web forms using the POST method, so I began searching for SQL Injection
> Vulnerabilities.
>
> The problem is that the forms are well protected, and they are only
> accepting numeric values, so I can't insert any malicious characters to test
> for SQL vulnerabilities. Then I discovered that the form input validation is
> done with JavaScript code on the client side, so I used the Paros proxy tool
> for intercepting and modifying submitted form values. In this way I managed
> to submit arbitrary data to the server, and the server response was
> "500 Internal Server Error" without any useful information about the error
> reason or underlying database structure. I tried various combinations
> typical for SQL Injection assessment, but the response was always the same.
>
> In several places I have read that this type of error is one of the possible
> indicators of SQL Injection problems, so I would like to examine this
> problem more carefully.
>
> How can I know if this is really a SQL Injection problem or some other
> error? Is there any way I can elicit some more information about the
> structure of the database or any other useful information I can use for
> further testing?
>
> I don't have much practical experience with SQL Injection, so I would
> really appreciate any help.
>
> Best regards,
>
> Sasa.
>
>
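The situation Sasa describes (numeric-only checks enforced only in browser JavaScript, and a bare 500 once the check is bypassed) is a common shape for this class of bug, so here is an added illustration from the defensive side. This is example code written for this archive page, not the customer's CGI script and not anything from the thread: it uses Python with an in-memory SQLite table whose contents are constructed for the demo, and the handler and table names (`lookup_unsafe`, `lookup_safe`, `items`) are assumptions. It contrasts a handler that trusts the client-side check and concatenates the raw POST value into SQL with one that re-validates on the server and binds the value as a parameter, and maps each outcome to the HTTP status a CGI wrapper would emit.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the application's database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [(1, "alpha"), (7, "bravo"), (42, "charlie")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, item_id: str) -> list:
    """Handler that relies on the browser-side 'numbers only' check and splices
    the raw POST value into the statement. Non-numeric input makes the database
    raise, which a CGI wrapper surfaces as a bare 500; input that still parses
    as SQL silently changes what the query means."""
    sql = "SELECT name FROM items WHERE id = " + item_id
    return [row[0] for row in conn.execute(sql)]


# Strict server-side shape check. Deliberately [0-9] rather than \d or int():
# int() also accepts "1_0", surrounding whitespace and non-ASCII digits.
ID_RE = re.compile(r"[0-9]{1,10}")


def lookup_safe(conn: sqlite3.Connection, item_id: str) -> list:
    """Hardened handler: validate on the server, then bind the value as a
    parameter so the database never parses user input as SQL."""
    if ID_RE.fullmatch(item_id) is None:
        raise ValueError("id must be a decimal integer")
    rows = conn.execute("SELECT name FROM items WHERE id = ?", (int(item_id),))
    return [row[0] for row in rows]


def serve(handler, conn: sqlite3.Connection, item_id: str) -> tuple:
    """Map the handler outcome to the status a CGI wrapper would send:
    200 with rows, 400 for a rejected value, 500 for a database error."""
    try:
        return 200, handler(conn, item_id)
    except ValueError:
        return 400, []
    except sqlite3.Error:
        return 500, []


if __name__ == "__main__":
    for value in ("7", "abc", "1 OR 1=1"):
        print(value, "unsafe:", serve(lookup_unsafe, make_db(), value),
              "safe:", serve(lookup_safe, make_db(), value))
```

The point for a defender is the middle case: the unsafe handler answers a non-numeric value with a 500 and a numeric-looking but crafted value with extra rows, while the hardened handler turns both into a 400 before any SQL is run, and the parameter binding would hold even if the shape check were later relaxed.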


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:44 EDT