The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

embedded directly into the query. When the user attempts to change the pass-

word, the application returns the following message, which reveals the flaw:

Unclosed quotation mark before the character string ‘foo

To exploit this vulnerability, an attacker can simply register a username con-

taining his crafted input, and then attempt to change his password. For exam-

ple, if the following username is registered:

‘ or 1 in (select password from users where username=’admin’)--

then the registration step itself will be handled securely. When the attacker

tries to change his password, his injected query will be executed, resulting in

the following message, which discloses the admin user’s password:

Microsoft OLE DB Provider for ODBC Drivers error ‘80040e07’

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting

the varchar value ‘fme69’ to a column of data type int.

The attacker has successfully bypassed the input validation that was

designed to block SQL injection attacks, and now has a means of executing

arbitrary queries within the database and retrieving the results.

Download 5,76 Mb.

Do'stlaringiz bilan baham: