Sql-Injection and XSS on ASP.Net Internal Application

From: 3 shool (3shool@gmail.com)
Date: Sun Mar 05 2006 - 14:46:53 EST


Hi,

We are doing Penetration Testing, inclusive of Web Application
Assessment, for our client's internal application. We have identified
the OS as Windows 2003 server and Web server as IIS 6.0. The server has
port numbers 80 and 443 open.

Now when I visit the site I get a login form. I insert a simple SQL
injection statement ' OR 1=1-- in username or password field and get
the result below from the server:

Microsoft OLE DB Provider for ODBC Drivers error '80004005'

[Microsoft][ODBC Visual FoxPro Driver]Function name is missing ).

/home.asp, line 34

Does this mean that the backend database server is Visual FoxPro? I
was hoping for an MSSQL server listening at the backend.

I also did a simple XSS test on the username field
<script>alert('vulnerable');</script>
and got the following:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Visual FoxPro Driver]Command contains unrecognized
phrase/keyword.

/home.asp, line 34

But nothing really popped up. So I don't think it is vulnerable to
XSS. Maybe the error came due to the ' in the statement.

Looking forward to some inputs from SQL Injection champions and anyone
who has some tricks in mind that I can play on this server.

Thanks.
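
The error text quoted in the post has a fixed layout: provider and HRESULT, bracketed vendor/driver tags followed by the message, then the script path and line. As an added example, not part of the original post, this Python sketch finds such verbose errors in captured response bodies so the disclosure can be reported and fixed; the sample bodies are constructed from the two errors quoted above, and the HTML wrapping in the second one is an assumption.

```python
import html
import re

# Layout of the classic ASP error text quoted in the post:
#   Microsoft OLE DB Provider for <provider> error '<HRESULT>'
#   [vendor][driver]message
#   /script.asp, line N
ERROR_RE = re.compile(
    r"Microsoft OLE DB Provider for (?P<provider>[^\r\n]+?)\s+error\s+"
    r"'(?P<hresult>[0-9A-Fa-f]{8})'\s+"
    r"(?P<tags>(?:\[[^\]\r\n]+\])+)(?P<message>.*?)\s+"
    r"(?P<script>/\S+?\.asp)\s*,\s*line\s+(?P<line>\d+)",
    re.DOTALL,
)

def find_verbose_errors(body):
    """Return one dict per OLE DB error block disclosed in a response body."""
    # Drop markup and decode entities so HTML-wrapped errors match too.
    text = html.unescape(re.sub(r"<[^>]+>", " ", body))
    findings = []
    for m in ERROR_RE.finditer(text):
        tags = re.findall(r"\[([^\]]+)\]", m.group("tags"))
        findings.append({
            "provider": m.group("provider"),
            "hresult": m.group("hresult").lower(),
            "driver": tags[-1],  # last bracketed tag is the ODBC driver
            "message": " ".join(m.group("message").split()),
            "script": m.group("script"),
            "line": int(m.group("line")),
        })
    return findings

# Constructed sample bodies built from the two errors quoted in the post.
PLAIN_BODY = (
    "Microsoft OLE DB Provider for ODBC Drivers error '80004005'\n\n"
    "[Microsoft][ODBC Visual FoxPro Driver]Function name is missing ).\n\n"
    "/home.asp, line 34\n"
)
HTML_BODY = (  # HTML wrapping is an assumption, not taken from the post
    "<p><font>Microsoft OLE DB Provider for ODBC Drivers</font> "
    "<font>error '80040e14'</font>\n"
    "<p><font>[Microsoft][ODBC Visual FoxPro Driver]Command contains unrecognized\n"
    "phrase/keyword.</font>\n"
    "<p><font>/home.asp</font><font>, line 34</font>\n"
)

if __name__ == "__main__":
    for body in (PLAIN_BODY, HTML_BODY, "<html>Login failed.</html>"):
        for f in find_verbose_errors(body):
            print(f"{f['script']}:{f['line']} leaks {f['driver']!r}: {f['message']}")
```

Any hit means the application returns raw driver errors to the client; the fix on the server side is a generic error page plus parameterized queries in the script the finding names.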




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:36 EDT