[38079] in bugtraq
RE: Paper: SQL Injection Attacks by Example
daemon@ATHENA.MIT.EDU (David Litchfield)
Wed Jan 5 17:23:16 2005
From: "David Litchfield" <davidl@ngssoftware.com>
To: "'Scovetta, Michael V'" <Michael.Scovetta@ca.com>,
<bugtraq@securityfocus.com>
Date: Wed, 5 Jan 2005 21:09:06 -0000
MIME-Version: 1.0
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: 7bit
In-Reply-To: <8DC79B1EA961734C852BE2D5ECC069A001A7E220@usilms26.ca.com>
Message-Id: <20050105204627.2D98415F51A@mail.ngssoftware.com>
>David,
>Actually, to nitpick your comment a bit, stored procedures usually have
typed input variables:
>create procedure foo ( a int, b varchar(20) ) as ...
This has no bearing on the issue.
If from the code of the app I perform something like
strSQL = "exec foo(" & request.querystring("a") & "," &
request.querystring("b") & ")"
Conn.execute(strSQL)
then I can either set a in the query string to
?a=1,'foo');exec+master..xp_cmdshell+'dir'--&b=foo
Or alternatively I can set b in the query string to
?a=1&b=foo');exec+master..xmp_cmdshell+'dir'--
Either way I'm using a stored procedure and I can inject into the app.
Cheers,
David
