Web Application Disassembly with ODBC Error Messages
By
Juleanus Spetember
CTO Hellringer Enterprises
Introduction
This document describes how to subvert the security of a Microsoft Internet Information Web Server that feeds into a SQL database. The document assumes that the web application uses Active Server Pages technology with Active Data Objects (ADO), though the same techniques can be used with other technologies. The techniques discussed here can be used to disassemble the SQL database's structure, by-pass login pages, and retrieve and modify data. This does assume that attackers can run arbitrary SQL queries, which unfortunately is all too common due to a lack of understanding, or even a complete ignorance of this problem and subsequent coding techniques in an ASP page. For example - consider the following ASP code - from a login page:
<%@ LANGUAGE="VBSCRIPT" %>
<%
Dim oCONv, oRSu
Set oCONv = Server.CreateObject("ADODB.Connection")
oCONv.Open "DRIVER={SQL......
Join Now or Login to view the rest of this paper.
Approximate Word Count: 1897
Approximate Pages: 8 (260 words per double-spaced page) |