SQL Injection - SQL query comments

From: suntzu123@gmail.com
Date: Fri Dec 16 2005 - 21:23:25 EST


Hi list,

recently we came across a client engagement related to the client's web site. During the assessment, it turned out that a PHP search page was possibly vulnerable to an SQL injection, given that if we feed the search field of the page with the following classic input "hi' or 1=1" (without quotes), it returns the SQL query of the underlying PHP page (the user input goes between the %% pair in the LIKE clause):

SELECT ID, NAME, CLUB_CATEGORY_ID, ADDRESS, DRINK_PRICE, AREA_ID, PHONES, ARTISTS FROM CLUB WHERE ACTIVE = 1 AND NAME LIKE '%hi' or 1=1%' AND ID >0 ORDER BY NAME

The issue is that, when I tried to feed it with a statement such as "' UNION SELECT username FROM USERS WHERE username like '%' --" (without the double quotes, and focusing on getting a list of user names by commenting out the rest of the query), we ended up with the following error:

Error during SQL execution
SELECT ID, NAME, CLUB_CATEGORY_ID, ADDRESS, DRINK_PRICE, AREA_ID, PHONES, ARTISTS FROM CLUB WHERE ACTIVE = 1 AND NAME LIKE '%' UNION SELECT username FROM USERS WHERE username like '%' --

Given the assumption that MySQL is running behind this PHP page, we failed to get the usernames from the MySQL system table "users"; the obvious conclusion from this output is that the comments did not work as intended.

Have you ever faced such a situation? Reading the documentation of all major databases (MS SQL, Oracle, MySQL, Informix, Ingres, Postgres, etc.), it turns out that all of these databases should implement the universal "--" commenting mechanism in their SQL queries.

What am I missing here ??

Thanks in advance for your help,

st
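Added example, not part of the original post or the list archive: the concatenated LIKE query the poster describes, placed beside a parameterized version, run against a constructed in-memory SQLite table standing in for the CLUB table (SQLite is assumed in place of MySQL here; the string-quoting behaviour shown is the same for this input, though comment syntax differs between engines).

```python
import sqlite3

# Constructed rows standing in for the post's CLUB table (only the columns the
# WHERE clause uses). Row 4 is inactive and must never be returned.
CLUBS = [
    (1, "Highline", 1),
    (2, "Hidden Bar", 1),
    (3, "Quiet Lounge", 1),
    (4, "Old Club", 0),
]


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CLUB (ID INTEGER, NAME TEXT, ACTIVE INTEGER)")
    conn.executemany("INSERT INTO CLUB VALUES (?, ?, ?)", CLUBS)
    return conn


def search_concat(term):
    """Vulnerable form: the search term is spliced between the %% pair of the
    LIKE pattern, as the post's PHP page does. Returns the matching names, or
    None when the resulting text is not valid SQL (the post's page instead
    echoed the whole query back in its error message, which is how the tester
    obtained the query text)."""
    sql = ("SELECT NAME FROM CLUB WHERE ACTIVE = 1 AND NAME LIKE '%" + term
           + "%' AND ID > 0 ORDER BY NAME")
    try:
        return [row[0] for row in _db().execute(sql)]
    except sqlite3.OperationalError:
        return None


def search_param(term):
    """Hardened form: the pattern is passed as a bound parameter, so a quote in
    the term can never end the string literal, and LIKE metacharacters typed by
    the user are escaped so they match literally rather than as wildcards."""
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = ("SELECT NAME FROM CLUB WHERE ACTIVE = 1 AND NAME LIKE ? ESCAPE '\\' "
           "AND ID > 0 ORDER BY NAME")
    return [row[0] for row in _db().execute(sql, ("%" + escaped + "%",))]


if __name__ == "__main__":
    print(search_concat("hi"))            # ['Hidden Bar', 'Highline']
    print(search_concat("hi' or 1=1"))    # None: the input was parsed as SQL
    print(search_param("hi' or 1=1"))     # []: the input was matched as data
    print(search_param("%"))              # []: a typed '%' is not a wildcard
```

The concatenated form also lets a bare "%" match every active row, which is a data-exposure problem on its own even before any quoting is involved.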




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:16 EDT