[prev in list] [next in list] [prev in thread] [next in thread]
List: webappsec
Subject: RE: yet another injection question
From: "David Cameron" <dcameron () itis-now ! com>
Date: 2003-04-16 1:01:29
[Download RAW message or body]
The error is very simple. You are inserting a NULL into a column that does not allow \
a NULL. Whether you filled in a HTML field in some form is barely relevant. This has \
also has nothing to do with sql injection or web app security, except that by \
displaying this error you are providing information about your database.
I'm guessing we are talking ASP here from the fact that you are running SQL7, however \
this also applies to php.
<simplification>
Inserting data in web apps generally happens in the following form. Fill in HTML form \
and submit. The HTML form submits to a page that reads the POSTed data (Request, \
Request.Form in ASP, $_POST php). From this data either a SQL statement is generated \
(INSERT INTO tbl (<columns>) VALUES (<values>)) and executed, or a stored procedure \
is executed with a command object. </simplification>
With that in mind the error is going to come from one of two sources:
1. forgetting to set a value in the INSERT statement (hence defaulting to NULL), ie \
not enough columns in the VALUES (). 2. explicitly setting a value to NULL.
Judging from the question I'd suggest 1. is more likely. That means that either in \
your proc or your generated SQL statement you have missed a column. That is you have \
not correctly mapped the fields from the HTML form to the columns of your database.
This question is more suited to an asp (or php) mailing list, not a web application \
security list. I'd suggest looking into some of the lists that are out there. \
http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=asp+mailing+list
regards
David Cameron
nOw.b2b
dcameron@itis-now.com
> -----Original Message-----
> From: ronen [mailto:ronen@avnet.co.il]
> Sent: Wednesday, 16 April 2003 3:22 AM
> To: 'Jacob Hurley'; 'web-app-sec list'
> Subject: RE: yet another injection question
>
>
> Thanks Jacob.
>
> However, It seems that I didn’t explained myself correctly. Thousand
> apologies.
>
> The request that creates the user has a 'FOO' field already,
> and I made
> sure that this field will have an explicit value.
>
> This was done using the credentials of an existing an privileged user
> (the account was accessed with good old injection techniques).
>
> Thanks again for the help and the quick response.
>
> Ronen.
>
> -----Original Message-----
> From: Jacob Hurley [mailto:jacobh@aos5.com]
> Sent: Tuesday, April 15, 2003 5:02 PM
> To: ronen; web-app-sec list
> Subject: RE: yet another injection question
>
>
>
>
> the problem is with your sql query to insert into the database, it's
> telling you that FOO can't be NULL.. so append to you INSERT / VALUE
> statement a value for FOO
>
> looks like the hard part is over, if it was hard :p
>
>
> Jacob Hurley
>
>
>
>
> -----Original Message-----
> From: ronen [mailto:ronen@avnet.co.il]
> Sent: Tuesday, April 15, 2003 2:49 AM
> To: web-app-sec list
> Subject: yet another injection question
>
>
> Hello all,
>
>
>
> While pen testing a web application, and bypassing the authentication
> using a basic injection, I've tried to add a user to the database
> through a built-in form.
>
>
>
> However, when sending the URL, I received the follows:
>
>
>
> [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value
> NULL into column 'FOO', table 'BAR'; column does not allow
> nulls. INSERT
> fails.
>
>
>
>
>
> The request URL has a field named 'FOO', and I explicitly inserted a
> value to that field.
>
>
>
> I was logged in with a privileged user (seems to have the highest
> privileges available ).
>
>
>
> Any idea what's the reason for the mentioned ODBC error.
>
>
>
> BTW, the system is a 'Microsoft SQL Server 7.00 - 7.00.1063'
> running on
> Windows NT 5.0 (Build 2195: Service Pack 3).
>
>
>
> Thanking you all in advance.
>
>
>
> Ronen
>
>
>
>
>
>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic