Exploit SQL Injection

  • Question

  • User-1392375537 posted

    Hi All,

    Exploiting SQL injection through the login screen by passing the input below to the password textbox.
            test'; SELECT * FROM Products; --

    It triggers an SP with the parameters passed. But the problem was with a single quote. I passed a single quote (test') but the trace shows two single quotes (test''). It automatically adds another single quote.

                exec valdtUser_SP @usrName=N'testuser', @usrPwd=N'test''; SELECT * FROM Products; --

    If I remove the single quote from the SP parameter (test'') then it works fine. I am finding it difficult to remove it from the password textbox.

    It should be like this

               exec valdtUser_SP @usrName=N'testuser', @usrPwd=N'test'; SELECT * FROM Products; --

    Can anyone help me get it done?

    Thanks in advance.

    Anand

    Saturday, September 23, 2017 8:17 PM

All replies

  • User753101303 posted

    Hi,

    It feels like you are trying to prove you could do a SQL injection attack while the code is likely written to be immune, or at least hardened, against that. Is this your own code? Does the C# side use a SqlCommand with parameters?

    Saturday, September 23, 2017 8:47 PM
  • User2103319870 posted

    kka_anand

    I passed a single quote (test') but the trace shows two single quotes(test'')

    You can escape single quotes in SQL Server by doubling them, i.e. pass test'' from your textbox:

    exec valdtUser_SP @usrName=N'testuser', @usrPwd=N'test'''; SELECT * FROM Products;

    If you don't need the single quotes, then you can use the Replace function to remove them.

    Saturday, September 23, 2017 8:51 PM
  • User-1392375537 posted

    Hi A2H,

    I already tried doubling it, like test''; SELECT * FROM Products;

    It triggers with four single quotes.

    exec valdtUser_SP @usrName=N'testuser', @usrPwd=N'test''''; SELECT * FROM Products;

    I didn't get an idea of how to pass the Replace function through the textbox.

    Thanks,

    Anand

    Saturday, September 23, 2017 9:11 PM
  • User753101303 posted

    Could you please tell us if the C# side uses a SqlCommand with parameters?

    My understanding is that you are attempting a SQL injection attack against code written to avoid it.

    Saturday, September 23, 2017 9:54 PM
  • User-1392375537 posted

    Hi PatriceSc,

    Yes, it uses SqlCommand with parameters. I want to do SQL injection without changing the code.

    Code:

    Database sqlDBase = GetSQLDB();
    DbCommand dbCmd = sqlDBase.GetStoredProcCommand("valdtUser_SP");
    sqlDBase.AddInParameter(dbCmd, "@usrName", DbType.String, userAuth.UName.Trim());
    sqlDBase.AddInParameter(dbCmd, "@usrPwd", DbType.String, userAuth.PWD.Trim());
    DataSet dataSet = sqlDBase.ExecuteDataSet(dbCmd);

    Thanks,

    Anand

    Monday, September 25, 2017 9:13 AM
  • User753101303 posted

    Using parameters is precisely a way to counter SQL injection attacks. It ensures that the string value is properly quoted and escaped. So I don't think you can (unless, maybe, the SP uses dynamic SQL).

    Monday, September 25, 2017 10:55 AM