Member
2 Points
80 Posts
Exploit SQL Injection
Sep 23, 2017 08:17 PM | kka_anand
Hi All,
Exploit SQL injection through the login screen by passing the below input parameter to the password textbox.
test'; SELECT * FROM Products; --
It triggers an SP with the parameters passed. But the problem was with a single quote. I passed a single quote (test') but the trace shows two single quotes (test''). It automatically adds another single quote.
exec valdtUser_SP @usrName=N'testuser', @usrPwd=N'test''; SELECT * FROM Products; --
If I remove the single quote from the SP parameter (test'') then it works fine. I am finding it difficult to remove it from the password textbox.
It should be like this:
exec valdtUser_SP @usrName=N'testuser', @usrPwd=N'test'; SELECT * FROM Products; --
Can anyone help me get it done?
Thanks in advance.
Anand
All-Star
48490 Points
18068 Posts
Re: Exploit SQL Injection
Sep 23, 2017 08:47 PM | PatriceSc
Hi,
It feels like you are trying to prove you could do a SQL injection attack while the code is likely written to be immune, or at least hardened, against that. Is this your own code? Does the C# side use a SqlCommand with parameters?
All-Star
50841 Points
9895 Posts
Re: Exploit SQL Injection
Sep 23, 2017 08:51 PM | A2H
You can escape single quotes in SQL Server by doubling them, i.e. pass test'' from your textbox.
If you don't need the single quotes, then you can use the Replace function to remove them.
Aje
My Blog | Dotnet Funda
Member
2 Points
80 Posts
Re: Exploit SQL Injection
Sep 23, 2017 09:11 PM | kka_anand
Hi A2H,
I already tried doubling it, like test''; SELECT * FROM Products;
It triggers with four single quotes.
I didn't get an idea of how to pass the Replace function through the textbox.
Thanks,
Anand
All-Star
48490 Points
18068 Posts
Re: Exploit SQL Injection
Sep 23, 2017 09:54 PM | PatriceSc
Could you please tell us if the C# side uses a SqlCommand with parameters?
My understanding is that you are attempting a SQL injection attack against code written to avoid it.
Member
2 Points
80 Posts
Re: Exploit SQL Injection
Sep 25, 2017 09:13 AM | kka_anand
Hi PatriceSc,
Yes, it uses SqlCommand with parameters. I want to do SQL injection without changing the code.
Code:
// Enterprise Library Data Access block: obtain the configured database
Database sqlDBase = GetSQLDB();
// Build a command of type StoredProcedure for valdtUser_SP
DbCommand dbCmd = sqlDBase.GetStoredProcCommand("valdtUser_SP");
// Bind both inputs as typed parameters; the values are never concatenated into SQL text
sqlDBase.AddInParameter(dbCmd, "@usrName", DbType.String, userAuth.UName.Trim());
sqlDBase.AddInParameter(dbCmd, "@usrPwd", DbType.String, userAuth.PWD.Trim());
// Execute the RPC call and read the result set(s) into a DataSet
DataSet dataSet = sqlDBase.ExecuteDataSet(dbCmd);
Thanks,
Anand
All-Star
48490 Points
18068 Posts
Re: Exploit SQL Injection
Sep 25, 2017 10:55 AM | PatriceSc
Using parameters is precisely a way to counter SQL injection attacks. It ensures that the string value is properly quoted and escaped. So I don't think you can (unless maybe the SP uses dynamic SQL).
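To illustrate the caveat in the last reply, here is an added T-SQL example that is not part of the thread and not the original valdtUser_SP: the table dbo.Users, its columns, and the hashing scheme are hypothetical. The doubled quote seen in the trace is only how SQL Profiler renders a bound string parameter as a literal; the value itself is sent as data, so injection is only possible if the procedure body splices that value into a SQL string, as the second procedure below does. The third procedure shows the safe dynamic-SQL form, and the final query is a check for procedures that build SQL at runtime.

```sql
-- 1. Static SQL: @usrPwd is bound as a value, so a quote inside it is data.
CREATE PROCEDURE dbo.valdtUser_SP_static
    @usrName NVARCHAR(100), @usrPwd NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT UserId FROM dbo.Users
    WHERE UserName = @usrName
      AND PasswordHash = HASHBYTES('SHA2_256', @usrPwd);  -- hashing simplified for the example
END;
GO

-- 2. Dynamic SQL by concatenation: the client bound the parameter safely, but the
--    procedure rebuilds a string from it, so the quote terminates the literal again.
--    This is the shape the reply's "unless the SP uses dynamic SQL" refers to.
CREATE PROCEDURE dbo.valdtUser_SP_concat
    @usrName NVARCHAR(100), @usrPwd NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT UserId FROM dbo.Users WHERE UserName = ''' + @usrName +
        N''' AND PasswordHash = HASHBYTES(''SHA2_256'', ''' + @usrPwd + N''')';
    EXEC (@sql);   -- injectable: the fix is procedure 3
END;
GO

-- 3. Dynamic SQL done safely: the values stay out of the string and are passed to
--    sp_executesql as parameters, so the statement text never changes.
CREATE PROCEDURE dbo.valdtUser_SP_dynamic
    @usrName NVARCHAR(100), @usrPwd NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT UserId FROM dbo.Users WHERE UserName = @u '
      + N'AND PasswordHash = HASHBYTES(''SHA2_256'', @p)';
    EXEC sp_executesql @sql, N'@u NVARCHAR(100), @p NVARCHAR(100)',
         @u = @usrName, @p = @usrPwd;
END;
GO

-- 4. Review check: list stored procedures whose body executes a built-up string.
--    Each hit should be read to confirm it uses sp_executesql with parameters
--    rather than concatenating caller input as in procedure 2.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS [schema], OBJECT_NAME(m.object_id) AS [procedure]
FROM sys.sql_modules AS m
WHERE OBJECTPROPERTY(m.object_id, 'IsProcedure') = 1
  AND (m.definition LIKE '%EXEC%(%' OR m.definition LIKE '%sp_executesql%');
```

Run the check against a development copy of the database; the output is a review list, not a verdict, since sp_executesql with a parameter definition is the safe pattern and only string concatenation of caller input is the problem.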