We are performing a pen test on a simple asp application that uses MS SQL Database. It seems for the authentication they are using dynamic constructed queries but escaping single qoutes. When we use Unicode quotes like %uFFO7,%u02b9 etc we are able to successfully inject SQL injections. Want to understand is it more a kind of configuration issue of IIS server to cannonicalize Unicode characters or the way the validation function to escape single quotes is written is the cause of the problem?
A:
Do you have a sample of the ASP code? As I understand it, the encoding is done by IIS, but that's for transport and wouldn't be seen, really, so their escape function is likely flawed. This is particularly true if they're building dynamic SQL strings rather than using a Stored Procedure (which wouldn't care about the quotes, in any event, but would accept them as literal characters).
David T. Macknet
2010-05-27 13:56:45
Srikanth
2010-05-28 04:55:52
OK, so not SQL Server, but Oracle. Substitute "package" for "stored procedure" and you're at the same place: building dynamic SQL strings from your ASP code is a bit dangerous just because of the exploit that you're pointing out.Can you post the section of the code which processes the querystring input?
David T. Macknet
2010-06-07 15:42:25