OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: Checking for SQL Injection

From: kevin horvath (kevin.horvathgmail.com)
Date: Wed Sep 03 2008 - 15:17:09 CDT

a couple of points here. It could be using a time based injection
(waitfor delay). Its possible that its injecting this into one of the
vid parameters but you would need to decode/decrypt these parameters
to see (or look at the tool and see what and how its doing its
injecting. Its not doing it on the basic authorization so it must be
the vid as the injection point. But to verify this you need to know
what the delay is and verify that it is working by doing these
mulitple times (to take into account any delay over the WAN). So you
should do this test manually to see if this is the case. It could also
be comparing responses for differences but you need to verify this
manually and try your own injection and compare to see if there is any
difference (note burp suite is an excellent tool for this).

Kevin

On Mon, Sep 1, 2008 at 4:35 AM, GT GERONIMO, Frederick Joseph B.
<fbgeronimoglobetel.com.ph> wrote:
> Hello,
>
> I ran a tool to verify if a website had SQL Injection. The tool detected
> Blind SQL Injection vulnerability. I have pasted the request and
> response below.
>
> Would you say that the tool's evaluation is accurate?
>
> Is there anything that the web application can be doing to make this a
> false-positive?
>
> Thanks.
>
>
> HTTP REQUEST
> ============
>
> GET /prototype03/vulnerable.php?vid=zJrt&act=viewed&page=0.01 HTTP/1.0
> Accept: */*
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR
> 1.1.4322)
> Host: www.victim.com
> Authorization: Basic dTI0Y29tcGg6PCEzIzw3PjlBQnVu
> Cookie:
> PHPSESSID=b4499547c0c4f399ba649181d5e67f5c;vid11=6512bd43d9caa6e02c990b0
> a82652dca;vid2=c81e728d9d4c2f636f067f89cc14862c;vid4=a87ff679a2f3e71d918
> 1a67b7542122c;vid8=c9f0f895fb98ab9159f51fd0297e236d;vid9=45c48cce2e2d7fb
> dea1afc51c7c6ad26;vid7=8f14e45fceea167a5a36dedd4bea2543
> Connection: Close
> Pragma: no-cache
>
>
> HTTP RESPONSE
> =============
>
> HTTP/1.1 200 OK
> Date: Fri, 29 Aug 2008 10:00:08 GMT
> Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b
> mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
> PHP/5.2.6
> X-Powered-By: PHP/5.2.6
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> Pragma: no-cache
> Connection: close
> Content-Type: text/html
>
> This e-mail message (including attachments, if any) is intended for the use of the individual or the entity to whom it is addressed and may contain information that is privileged, proprietary, confidential and exempt from disclosure. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender and delete this E-mail message immediately.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes in
> Securing Web Applications
> Get 45 Min Video and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ------------------------------------------------------------------------
>
>

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------