|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 80
Members: 0
Total: 80
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
Unhandled exception |
|
Posted: Thu Apr 03, 2008 8:14 pm |
|
|
julioisaias |
Valuable expert |
|
|
Joined: Jan 25, 2008 |
Posts: 50 |
|
|
|
|
|
|
|
Is it exploitable?
------------------
Code: |
Server Error in '/' Application.
Line 1: Incorrect syntax near '0001317420'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Runtime.InteropServices.COMException: Line 1: Incorrect syntax near '0001317420'.
Source Error:
Line 44:
Line 45:
Line 46: rs = connection.execute( "update accessweb set usrs='" & Trim(Mid(usrs, 1, 20)) & "' where access='" & session("access") & "'")
Line 47: usrs = padr(usrs, 16)
Line 48: pass = Trim(pass)
Source File: E:\www\WEB\autentication.aspx Line: 46
Stack Trace:
[COMException (0x80040e14): Line 1: Incorrect syntax near '0001317420'.]
Microsoft.VisualBasic.CompilerServices.LateBinding.LateGet(Object o, Type objType, String name, Object[] args, String[] paramnames, Boolean[] CopyBack) +965
Microsoft.VisualBasic.CompilerServices.NewLateBinding.LateGet(Object Instance, Type Type, String MemberName, Object[] Arguments, String[] ArgumentNames, Type[] TypeArguments, Boolean[] CopyBack) +365980
ASP.autentication_aspx.__Render__control1(HtmlTextWriter __w, Control parameterContainer) in E:\www\WEB\autentication.aspx:46
System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children) +2113547
System.Web.UI.Control.RenderChildren(HtmlTextWriter writer) +24
System.Web.UI.Page.Render(HtmlTextWriter writer) +26
System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter) +25
System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter) +121
System.Web.UI.Control.RenderControl(HtmlTextWriter writer) +22
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1896
Version Information: Microsoft .NET Framework Version:2.0.50727.832; ASP.NET Version:2.0.50727.832
|
well...
I typed ' in username and it show these error but Google did not help me much.
My question... Is it exploitable?
Best Regards. |
|
_________________ I study enough to make the rest a result. |
|
|
|
|
|
|
|
Posted: Fri Apr 04, 2008 10:25 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
It SEEMS to be exploitable, but there can be lot's of mitigating factors. You must follow traditional sql injection exploiting scenario - get syntax right and then try to pull out some information. And as you have useful visual error feedback, then it should not be very difficult. |
|
|
|
|
Posted: Sun Apr 27, 2008 5:03 am |
|
|
julioisaias |
Valuable expert |
|
|
Joined: Jan 25, 2008 |
Posts: 50 |
|
|
|
|
|
|
|
Thanks Waraxe!!
You have reason. It seems to me that it is a classic injection.
Thanks waraxe.
Best Regards. |
|
_________________ I study enough to make the rest a result. |
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|