pabloski
Beginner
Joined: Sep 14, 2007
Posts: 3

Hi to all, I'm new to this forum and I'm new to SQL injection, too.
I'm studying SQL injection and I have selected as target the famous (mmm, not so famous after all) blogging platform dBlog (http://www.dblog.it if someone is interested).
Ok, I was thinking of bypassing the login form; I have studied some papers and cheat sheets and it seems feasible. The blog platform in question is written in VBScript and uses a Jet database (.mdb) as storage.
That said, I'm studying this piece of code:
Code:
    ' Both login fields come straight from the POSTed form
    FUserID = Request.Form("UserID")
    FPassword = Request.Form("Password")
    If FUserID <> "" AND FPassword <> "" Then
        ' Only UserID is concatenated into the SQL string, and only after the filter
        SQLAutori = " SELECT [Nick], [UserID], [Password], [Admin] FROM [Autori] WHERE [UserID] = '"& ControlloSQLInjection(FUserID) &"' "
        Set RSAutori = Server.CreateObject("ADODB.Recordset")
        RSAutori.Open SQLAutori, Conn, 1, 3
        If NOT RSAutori.EOF Then
            RSAutori.MoveFirst
            ' The password never reaches the database: it is hashed and compared in VBScript
            If RSAutori("Password") = getSHAPassword(FPassword) Then
                Session("BLOGNick") = RSAutori("Nick")
                Session.TimeOut = 60
                If RSAutori("Admin") = True Then
                    Session("BLOGAdmin") = True
                Else
                    Session("BLOGAdmin") = False
                End If
            End If
        End If
    End If
The login form accepts two fields, Password and UserID. The script verifies they are not empty and executes a query against UserID. Finally it uses the recordset obtained to verify whether SHA1(Password) == stored password hash.
The function ControlloSQLInjection is an anti-SQL-injection measure. It replaces the following characters:
[ --> [[ & Chr(0)
] --> []]
[[ & Chr(0) --> [[]
' --> ''
% --> [%]
_ --> [_]
# --> [#]
As you can see, the problem is the substitution ' --> ''.
I have read something about UTF-7 and encodings used to bypass this kind of filter, but frankly I haven't understood the whole point at all.
So how can I insert a SQL statement if I can't use ' to pass ASCII strings to the script?
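The filter and the query from the post, modelled in Python so the effect of the substitution list can be checked on real inputs. This is an added example, not dBlog's own code: the replacement order is assumed to be the order listed in the post, and the inputs below are constructed test values.

```python
# Reconstruction of ControlloSQLInjection from the replacement list in the post.
# Assumption: the replacements are applied in the order the post lists them.
NUL = "\x00"
RULES = [
    ("[", "[[" + NUL),        # [  --> [[ & Chr(0)
    ("]", "[]]"),             # ]  --> []]
    ("[[" + NUL, "[[]"),      # [[ & Chr(0) --> [[]
    ("'", "''"),              # '  --> ''
    ("%", "[%]"),             # %  --> [%]
    ("_", "[_]"),             # _  --> [_]
    ("#", "[#]"),             # #  --> [#]
]

# The SQL string built by the login script, with the UserID value spliced in.
QUERY_TEMPLATE = (
    " SELECT [Nick], [UserID], [Password], [Admin] FROM [Autori] "
    "WHERE [UserID] = '{}' "
)


def controllo_sql_injection(value):
    """Apply the seven substitutions from the post, in order."""
    for old, new in RULES:
        value = value.replace(old, new)
    return value


def build_login_query(user_id, apply_filter=True):
    """Concatenate UserID into the query the way the VBScript does.
    apply_filter=False shows the same concatenation without the filter."""
    value = controllo_sql_injection(user_id) if apply_filter else user_id
    return QUERY_TEMPLATE.format(value)


def first_string_literal(query):
    """Scan the first single-quoted literal the way a SQL lexer does:
    '' inside the literal is an escaped quote, a lone ' terminates it.
    Returns (literal_value, text_after_the_closing_quote)."""
    i = query.index("'") + 1
    out = []
    while i < len(query):
        ch = query[i]
        if ch == "'":
            if i + 1 < len(query) and query[i + 1] == "'":
                out.append("'")
                i += 2
                continue
            return "".join(out), query[i + 1:]
        out.append(ch)
        i += 1
    raise ValueError("unterminated string literal")


if __name__ == "__main__":
    # Constructed inputs: a quote-based payload and a bracket/wildcard sample.
    for user_id in ["admin'--", "' OR 1=1--", "[x]", "a%b_c#"]:
        print(repr(user_id), "-->", repr(controllo_sql_injection(user_id)))
    for flag in (True, False):
        q = build_login_query("' OR 1=1--", apply_filter=flag)
        literal, rest = first_string_literal(q)
        print("filter" if flag else "no filter", "literal:", repr(literal),
              "after literal:", repr(rest.strip()))
```

With the filter on, every quote in the input is doubled, so the lexer reads the whole payload back as one string value and nothing is left after the closing quote; with the filter off, the same input ends the literal early and `OR 1=1--` is left as SQL. The model only covers the string-building step: what Jet does with the bracket sequences is not checked here.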