Adding new members
Given that we know the partial structure of the members table, it seems like a plausible approach to attempt adding a new record to that table: if this works, we’ll simply be able to login directly with our newly-inserted credentials.
This, not surprisingly, takes a bit more SQL, and we’ve wrapped it over several lines for ease of presentation, but our part is still one contiguous string:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; INSERT INTO members ('email','passwd','login_id','full_name') VALUES ([email protected]','hello','steve','Steve Friedl');--';
Even if we have actually gotten our field and table names right, several things could get in our way of a successful attack:
- We might not have enough room in the web form to enter this much text directly (though this can be worked around via scripting, it’s much less convenient).
- The web application user might not have INSERT permission on the members table.
- There are undoubtedly other fields in the members table, and some may require initial values, causing the INSERT to fail.
- Even if we manage to insert a new record, the application itself might not behave well due to the auto-inserted NULL fields that we didn’t provide values for.
- A valid “member” might require not only a record in the members table, but associated information in other tables (say, “accessrights”), so adding to one table alone might not be sufficient.
In the case at hand, we hit a roadblock on either #4 or #5 – we can’t really be sure — because when going to the main login page and entering in the above username + password, a server error was returned. This suggests that fields we did not populate were vital, but nevertheless not handled properly.
A possible approach here is attempting to guess the other fields, but this promises to be a long and laborious process: though we may be able to guess other “obvious” fields, it’s very hard to imagine the bigger-picture organization of this application.
We ended up going down a different road.