Daniele,

On Mon, Nov 17, 2008 at 7:42 AM, Daniele Bellucci <[EMAIL PROTECTED]> wrote:
> For now, since you only need to check if a webapp is
> blind SQL injection vulnerable,
> query strings like ?id=1+0 are enough on numerical values (as well as
> ?id=CONCAT('str','ing') on strings)
I started to code a w3af extension to detect blind SQL injections this way, and I realized that CONCAT only works on MySQL (doh! That happens when you read emails too fast and don't pay attention to the details). So the implementation would need the specific "CONCAT" for every database, which will increase the number of requests per parameter a bit (not a big problem).

The "best case" for this technique is a query string, where you have something like:

    http://some.tld/?id=1

And you test:

    http://some.tld/?id=1+1-1

And if the responses are equal you have found something.

Now for the "worst case": a search form. Think about a tiny search engine, where you input your search string into an HTML form. The first bad thing is that you don't have "the original string" to split and use the CONCAT trick on. Why is this bad? Because you'll have to guess one! Example:

    Search: spam.eggs                  --> No results
    Search: CONCAT('spam.','eggs')     --> No results

BUT the problem is that you don't really know if the second "No results" is because of a successful SQL injection where the CONCAT was evaluated, or just because the data was validated and there is no "CONCAT('spam.','eggs')" in the search table.

Are my ideas ok? Did I just find the only case where the technique will fail, and should I code it disregarding this false positive generation issue? What do you guys think?
Cheers,
-- 
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
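The equivalence check discussed in the thread, written out as an added example (this is not w3af code or anything posted by the authors). It sends the original value, a payload that a SQL engine would evaluate back to the same value (1 -> 1+1-1, spam.eggs -> 'spam'||'.eggs'), and a third, non-equivalent control. The control is the assumed answer to the search-form problem raised above: when all three responses are identical, the parameter is reported as inconclusive instead of vulnerable. The string payloads assume the value lands inside a single-quoted literal and use the per-dialect concatenation operator rather than CONCAT(); the target application is a constructed in-memory SQLite stand-in, with SQLite standing in for the Oracle/PostgreSQL `||` dialect.

```python
"""Equivalence-based blind SQL injection probe (added example, not w3af code)."""
import sqlite3

# String concatenation inside a single-quoted context, per dialect (assumed
# mapping for this example). The value closes the literal, concatenates, and
# reopens it, e.g.  WHERE name = 'spam'||'.eggs'
STRING_CONCAT = {
    "mysql": lambda a, b: f"{a}' '{b}",    # adjacent string literals concatenate in MySQL
    "mssql": lambda a, b: f"{a}'+'{b}",
    "oracle": lambda a, b: f"{a}'||'{b}",  # also PostgreSQL and SQLite
}


def numeric_payloads(value: int):
    """(equivalent, non-equivalent) payloads for a numeric parameter."""
    return f"{value}+1-1", f"{value}+1"


def string_payloads(value: str, dialect: str):
    """(equivalent, non-equivalent) payloads for a quoted string parameter."""
    mid = len(value) // 2
    concat = STRING_CONCAT[dialect]
    return concat(value[:mid], value[mid:]), concat(value[:mid], value[mid:] + "x")


def probe(send, original, equivalent, non_equivalent):
    """Classify a parameter from three responses; send(value) returns a response body."""
    r_orig = send(original)
    r_equiv = send(equivalent)
    r_ctrl = send(non_equivalent)
    if r_orig == r_equiv == r_ctrl:
        return "inconclusive"   # every input looks the same (the "No results" form)
    if r_orig == r_equiv:
        return "vulnerable"     # the payload was evaluated back to the original value
    return "not vulnerable"


# --- constructed stand-in for the target web application (SQLite, in memory) ---

def make_app():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items(id INTEGER, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [(1, "apple"), (2, "banana"), (3, "spam.eggs")])
    return db


def handler(db, sql, params=()):
    """Run a query and return a 'response body'; SQL errors become an error page."""
    try:
        return repr(db.execute(sql, params).fetchall())
    except sqlite3.Error:
        return "ERROR PAGE"


def vulnerable_id(db):      # raw interpolation into the query
    return lambda v: handler(db, f"SELECT name FROM items WHERE id = {v}")


def safe_id(db):            # parameterised query
    return lambda v: handler(db, "SELECT name FROM items WHERE id = ?", (v,))


def vulnerable_search(db):
    return lambda v: handler(db, f"SELECT id FROM items WHERE name = '{v}'")


def safe_search(db):
    return lambda v: handler(db, "SELECT id FROM items WHERE name = ?", (v,))


def run_all():
    """Probe each handler and return a name -> verdict mapping."""
    db = make_app()
    eq, ne = numeric_payloads(1)
    seq, sne = string_payloads("spam.eggs", "oracle")       # SQLite also uses ||
    meq, mne = string_payloads("no.such.item", "oracle")
    return {
        "vuln id": probe(vulnerable_id(db), "1", eq, ne),
        "safe id": probe(safe_id(db), "1", eq, ne),
        "vuln search, term present": probe(vulnerable_search(db), "spam.eggs", seq, sne),
        "safe search": probe(safe_search(db), "spam.eggs", seq, sne),
        # the thread's search-form case: none of the three requests matches a row
        "vuln search, term absent": probe(vulnerable_search(db), "no.such.item", meq, mne),
    }


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:28s} {verdict}")
```

The last case is the one the message worries about: the injection is real, but because the guessed search term matches nothing, the original, the equivalent payload and the control all come back as "No results", so the probe cannot claim a finding. Reporting it as inconclusive (and retrying with a term known to return rows) keeps that situation out of the false-positive pile.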