
I am learning SQL injection on a vulnerable web app. I scanned it with w3af. It showed many vulnerabilities. One of them is:

SQL injection in a Microsoft SQL database was found at: "http://www.example.com/Login.aspx?CurrentPage=Login", using HTTP method POST. The sent post-data was: "...ctl00$cphMain$txtUserName=d'z"0...".

How do I exploit this? What is the URL which will actually exploit it and give me access? Can anybody help me with this?

Neil Smithline
narayan
    @Rory Alsop In mathematics you need a proof to expand the field, and security is no different, there must be rigor. In security people make grandiose claims, like that HP printers can catch fire without actually showing a burning pit of printer. Obtaining severity metrics from the US-CERT/DHS for my exploit code further affirms this belief of mine. In the US we have the first amendment and writing exploit code is a protected right. I am free to my own opinions, and you are free to down vote if you don't agree. – rook Dec 26 '11 at 03:11
  • @Rory Alsop♦ on a side note, I think that by and large there are GREAT answers on this stack exchange, but not for questions like this. Very few people have this kind of ability and understanding of software, which I find really sad. – rook Dec 26 '11 at 03:23
    @Rook - I agree. There are very few folks on here that can do this, and you and Karrax seem to know what you are talking about. Your answers tend to be excellent - the only challenge I have is that when a question strays outside this area you tend to get very argumentative, which is a pity. I wouldn't try and write an answer on exploit code, as it's been ages since I did that sort of thing or taught it, but I accept that some questions require that side of things. Us mods just try to keep the language clean and stop arguments and disparaging comments. – Rory Alsop Dec 26 '11 at 16:02

3 Answers


Usually when exploiting logins you want to inject something that prevents the password field from ever validating. This can usually be accomplished by putting syntax similar to the following as your password:

myphonypassword' OR 1=1;--

This will claim that you are the admin user, terminate the string in the actual query and make the query not care whether you wrote a legal password or not, as the OR 1=1 makes the query always true.

There are many different variations you would probably have to try to make this exploit work (especially if it is a blind SQL exploit). You can see many more examples in this SQL Injection cheat sheet, specifically for login bypassing.

In your specific example you probably have to edit the field called txtPassWord; however, it is unclear from the few details you have provided.

Edit: since this is a POST-only parameter, you cannot attack via the URL alone. You can intercept the request with a proxy and modify the POST parameters that way, or craft a new request with curl as the other answer suggests.

Andrei Botalov
Chris Dale

You need to make a POST to the URL http://www.example.com/Login.aspx?CurrentPage=Login. The exploit is in the data submitted in the body of the POST, something like ...ctl00$cphMain$txtUserName=d'z"0... -- and the ' makes it look like txtUserName is the field you want to attack. The standard way to separate fields is with a & character, but the fragment that you posted makes it look like $ is being used as a separator.

If you use curl from the command line, you could run a command like (note the \ escape of the embedded ' to avoid having the shell eat it):

curl -d 'ctl00$cphMain$txtUserName=d'\''z"0' 'http://www.example.com/Login.aspx?CurrentPage=Login'

You will need to adjust the value for txtUserName to fit the particular application you're attacking.

bstpierre

Generally with a login page the first thing you want to do is trace the headers out to find the actual login form fields, i.e. the POST form variables. Then you want to see if you can send data to the server using GET rather than POST. So for example, if a form has 4 variables, $username, $password and $x, then you set the request to:

/Login.aspx?CurrentPage=Login&username=name&password=pass&x=1

to see if you get the wrong user/password response from the server. If so then it is much easier to find an injection vector using GET than it is using the POST method.

If that is allowed, then you could start trying to trigger database responses like

/Login.aspx?CurrentPage=Login&username=name'[enter your SQL statement here]&password=pass&x=1

If the POST method is the only method allowed then you will not be able to use the 'URL' to submit the data; rather, following on from what bstpierre stated, you will need to make up a form submitter using one of the browser add-ons like Live HTTP Headers for Firefox, or rebuild the form on your own server to submit to the site you are testing.

Taipo
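The following is an added, offline example and not code from any of the answers or from the application the question was scanned against. It ties together two points made above: Chris Dale's explanation of why the password value myphonypassword' OR 1=1;-- passes a login check, and Taipo's point that a login handler should be checked for accepting the same fields over GET. It builds a throwaway SQLite user table, runs that password and the scanner's d'z"0 probe from the question against a string-concatenated query and against a parameterized one, and shows a handler that reads credentials only from a POST body. The field name ctl00$cphMain$txtUserName is taken from the question; the password field name ctl00$cphMain$txtPassWord, the table layout and the sample account are assumptions made for the example.

```python
import sqlite3

# Form field names. USER_FIELD comes from the w3af finding quoted in the question;
# PASS_FIELD is an assumed name (the page only mentions "txtPassWord").
USER_FIELD = "ctl00$cphMain$txtUserName"
PASS_FIELD = "ctl00$cphMain$txtPassWord"


def make_db():
    """Constructed in-memory user table with one account. The clear-text password
    exists only to keep the demonstration short; real code stores a salted hash."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return con


def login_vulnerable(con, username, password):
    """The pattern the answers describe: user input pasted into the SQL text.
    A quote in the input closes the literal and the remainder is parsed as SQL,
    so  ... AND password = 'myphonypassword' OR 1=1;--'  matches every row."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(con, username, password):
    """The fix: bound parameters. The values travel separately from the SQL text,
    so quotes, OR 1=1 and -- are compared as characters and never parsed."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def probe_raises_sql_error(con, username, password):
    """True when the concatenated query fails to parse. An unbalanced-quote probe
    such as the scanner's d'z"0 turns into a database error, which is the kind of
    signal a scanner (and a defender watching error logs) keys on."""
    try:
        login_vulnerable(con, username, password)
    except sqlite3.OperationalError:
        return True
    return False


def login_handler(con, method, query, form):
    """Minimal login endpoint returning (status, username_or_None).
    Credentials are read only from the POST body; a GET carrying the same field
    names in the query string (Taipo's first test) is refused, and the query-string
    copies of the fields are never consulted, so the GET variant cannot exist."""
    if method != "POST":
        return 405, None
    username = form.get(USER_FIELD, "")
    password = form.get(PASS_FIELD, "")
    return 200, login_parameterized(con, username, password)


if __name__ == "__main__":
    db = make_db()
    bypass = "myphonypassword' OR 1=1;--"           # password from Chris Dale's answer
    print("concatenated :", login_vulnerable(db, "nobody", bypass))      # admin
    print("parameterized:", login_parameterized(db, "nobody", bypass))   # None
    print("probe error  :", probe_raises_sql_error(db, 'd\'z"0', "x"))   # True
    print("GET attempt  :", login_handler(db, "GET", {USER_FIELD: "admin"}, {}))  # (405, None)
```

Running the block shows the concatenated query returning admin for a username that does not exist, the parameterized query returning nothing for the same input, and the scanner's probe producing a parse error rather than a row; the handler answers 405 to the GET form of the request regardless of what the query string carries.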