Re: BLIND SQL Injection Question

Thu, 13 Dec 2007 07:46:58 -0800 

The two scans were done in the same day, only 30 minutes apart from each other. 

The result might be alse positive as 

   foo.cgi?email=valid+sql returns "'valid+sql' is not a valid email".

   foo.cgi?email=invalid+sql returns "'invalid+sql' is not a valid email".

returned the same value, but the page is not accessing sql in that page. On 
pages that do access sql, this method fails because they returned different 
values. I'm just perplexed why would same identical scan return two different 
reports. 

Would it have anything to do with this bug?

req = http_get(item:bogus_vrequest, port:port);
        bres = http_keepalive_send_recv(port:port, data:req);

        if (egrep(string:bres, pattern:"^HTTP/1\..*200 OK"))
        {
               exit(0);
        }

BLIND SQL injection seems to associate with high false positive in other tools 
as well, so I was wondering if it has anything to do with the theory, maybe 
there are flaws in the theory? Or maybe we haven't implemented a functional 
program for it? Thank you.

YanYan


>>> "George A. Theall" <[EMAIL PROTECTED]> 12/13/2007 7:04 AM >>>
> It was done in Sept. :( I just got the feedback from the audit.

And the second scan after October 27th? If so, that probably explains it.

> I've come to realization that the script is prone to false positive,
> but does the theory still work? Thank you.

Given the false-positives it was producing, apparently it doesn't.

The approach used was to send the blind query using valid SQL attached 
to a parameter; provided that resulted in the same headers as sending a 
valid query, the plugin next sends invalid SQL attached to the parameter 
and issues a report if the response is different. If the script returns 
the parameter in some fashion, this could result in a false-positive; eg,

   foo.cgi?email=valid+sql returns "'valid+sql' is not a valid email".

   foo.cgi?email=invalid+sql returns "'invalid+sql' is not a valid email".

If the sysadmin were more cooperative, you could try using the URL(s) 
reported in the first scan and seeing what sort of database queries they 
result in.

George
-- 
[EMAIL PROTECTED]

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus

Reply via email to