Last post Sep 25, 2017 10:55 AM by PatriceSc
Sep 23, 2017 08:17 PM | kka_anand
Exploit SQL injection through the login screen by passing the below input parameter to the password textbox.
test'; SELECT * FROM Products; --
It triggers an SP with the parameters passed. But the problem was with a single quote. I passed a single quote (test') but the trace shows two single quotes (test''). It automatically adds another single quote.
exec valdtUser_SP @usrName=N'testuser', @usrPwd=N'test''; SELECT * FROM Products; --
If I remove the single quote from the SP parameter (test'') then it works fine. I'm finding it difficult to remove it from the password textbox.
It should be like this:
exec valdtUser_SP @usrName=N'testuser', @usrPwd=N'test'; SELECT * FROM Products; --
Can anyone help me to get it done?
Thanks in advance.
Sep 23, 2017 08:47 PM | PatriceSc
It feels like you are trying to prove you could do a SQL injection attack while the code is likely written to be immune or at least hardened against that. Is this your own code? Does the C# side use a SqlCommand with parameters?
Sep 23, 2017 08:51 PM | A2H
I passed a single quote (test') but the trace shows two single quotes (test'')
You can escape single quotes in SQL Server by doubling it, i.e. pass test'' from your textbox
exec valdtUser_SP @usrName=N'testuser', @usrPwd=N'test'''; SELECT * FROM Products;
If you don't need the single quotes, then you can use the Replace function to remove it.
Sep 23, 2017 09:11 PM | kka_anand
I already tried by doubling it like test''; SELECT * FROM Products;
It triggers with four single quotes.
exec valdtUser_SP @usrName=N'testuser', @usrPwd=N'test''''; SELECT * FROM Products;
Didn't get an idea on how to pass the Replace function through the textbox.
Sep 23, 2017 09:54 PM | PatriceSc
Could you please tell us if the C# side uses a SqlCommand with parameters?
My understanding is that you are attempting a SQL injection attack against code written to avoid it.
Sep 25, 2017 09:13 AM | kka_anand
Yes, it uses SqlCommand with parameters. I want to do SQL injection without changing the code.
Database sqlDBase = GetSQLDB();
DbCommand dbCmd = sqlDBase.GetStoredProcCommand("valdtUser_SP");
sqlDBase.AddInParameter(dbCmd, "@usrName", DbType.String, userAuth.UName.Trim());
sqlDBase.AddInParameter(dbCmd, "@usrPwd", DbType.String, userAuth.PWD.Trim());
DataSet dataSet = sqlDBase.ExecuteDataSet(dbCmd);
Sep 25, 2017 10:55 AM | PatriceSc
Using parameters is precisely a way to counter SQL injection attacks. It ensures that the string value is properly quoted and escaped. So I don't think you can (unless maybe the SP uses dynamic SQL).
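To illustrate PatriceSc's last point, here is an added example (not the poster's real valdtUser_SP, and the dbo.Users table with usrName/usrPwd columns is assumed): two shapes of the procedure that keep @usrPwd as a plain value, plus the one dynamic-SQL pattern that would undo the protection. The doubled quote in the trace is just how the profiler renders the RPC call as text; the procedure itself receives the single quote.

```sql
-- Added example; schema (dbo.Users with usrName, usrPwd) is assumed.
-- A real login would compare a stored password hash, not the password itself.

-- 1) Static SQL: @usrPwd is only ever compared as a string value. The text
--    test'; SELECT * FROM Products; --  is matched as a literal and never parsed as SQL.
CREATE PROCEDURE dbo.valdtUser_SP
    @usrName NVARCHAR(50),
    @usrPwd  NVARCHAR(128)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT usrName
    FROM dbo.Users
    WHERE usrName = @usrName AND usrPwd = @usrPwd;
END
GO

-- 2) If the procedure must build its SQL dynamically, pass the values on as
--    parameters of sp_executesql. The pattern that reintroduces injection despite
--    the C# SqlCommand parameters is concatenating the value into the string, e.g.
--    EXEC('SELECT ... WHERE usrPwd = ''' + @usrPwd + '''');
CREATE PROCEDURE dbo.valdtUser_Dyn_SP
    @usrName NVARCHAR(50),
    @usrPwd  NVARCHAR(128)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT usrName FROM dbo.Users WHERE usrName = @n AND usrPwd = @p;';
    EXEC sys.sp_executesql
        @sql,
        N'@n NVARCHAR(50), @p NVARCHAR(128)',
        @n = @usrName,
        @p = @usrPwd;
END
GO
```

Reviewing a stored procedure for EXEC(...) or sp_executesql calls that concatenate their parameters is the quickest way to check whether the parameterized C# call is actually sufficient.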