Re: sql injection: url or form based?

From: AdamT (adwulf@gmail.com)
Date: Fri Feb 10 2006 - 11:39:31 EST


On 2/10/06, johnny Mnemonic <security4thefainthearted@hotmail.com> wrote:
> I see many references to manipulation of SQL backend databases through both
> URL based and Forms based SQL injection but I'm wondering what are the
> essential differences between both methods and when to use one over the
> other.
> Thanks.
>
If I understand what you're asking correctly - then the difference is
based on what the web page is expecting the data to be.

If your ASP/PHP/ColdFusion/whatever script is expecting data to arrive
as part of an HTTP GET request, then you'd use a URL-based attack, as
your browser would essentially be requesting a web page with something
like this:

GET /scripts/insecure.php?variable=some_invalid_data HTTP/1.0

and if the script is expecting something sent as a POST request, then
you'd want a 'form' based attack.

This is a bit misleading, calling it a form-based attack, as HTML
forms can use both GET and POST methods. Have a look in the HTML
source of one of the forms, and you should see something like:

action="insecure.php" method=POST

One thing you can try for POST data is to take a copy of the form,
save it locally and add a BASE HREF="http://path/to/original/file" in
the HTML. Doing the BASE HREF trick also allows you to remove any
kind of client-side bounds checking put in with JavaScript or HTML.
You might have to spoof the referer header for some sites when you do
this, or at the very least, remove that header.

If you're going to be doing lots of SQL injection attacks via web
pages, you might like to take a look at Fiddler -
http://www.fiddlertool.com/fiddler/ - which I find is quite useful.

--
AdamT
'Thank-you for not requesting read receipts'
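
Added example, not part of the original message: the same parameter value delivered once in a GET query string and once in a POST body reaches the same server-side query, so the fix belongs at the query (bound parameters) and not in the transport or in client-side checks. Python with sqlite3 stands in for the server-side script; the table, rows, helper names and request values are constructed for illustration.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

def make_db():
    """In-memory table with two constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def extract_param(method, target, body, key="variable"):
    """Pull one parameter from the query string (GET) or the body (POST)."""
    raw = urlsplit(target).query if method == "GET" else body
    return parse_qs(raw).get(key, [""])[0]

def lookup_concat(db, name):
    """'Before' form: the value is pasted into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, name):
    """Hardened form: the value is bound as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

# Constructed requests carrying the same URL-encoded value by both transports.
PAYLOAD = "x%27+OR+%271%27%3D%271"
REQUESTS = [
    ("GET", "/scripts/insecure.php?variable=" + PAYLOAD, ""),
    ("POST", "/scripts/insecure.php", "variable=" + PAYLOAD),
]

def run():
    """Return (method, rows from concatenated query, rows from bound query)."""
    db = make_db()
    results = []
    for method, target, body in REQUESTS:
        value = extract_param(method, target, body)
        results.append((method, lookup_concat(db, value), lookup_bound(db, value)))
    return results

if __name__ == "__main__":
    for method, concat_rows, bound_rows in run():
        print(method, "concatenated:", concat_rows, "bound:", bound_rows)
```

Both transports give identical results: the concatenated query returns every row, the bound query returns none.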