Hilarious SQL injection oops

[VaeVictis]

well i think its funny at least

so i was doing a lot of common attacks over the last weekend such as sql injection, and so when i took my laptop to the security bootcamp im helping lecture on to do demonstrations of simple attacks and stuff like that...

get on their network and they ahve a pretty cool set up, open wireless for guests you get in and they have a captive portal that you enter your user name and then an authentication ticket given by an admin that will add your mac address to their white list... (even though technically its still an open network without encryption and would be perfectly legal by wire tapping laws to sniff traffic on)

get on the captive portal, click the text box to enter my name, and my browsers little text box auto fill in thing dropped down with ' OR 1=1; --

lol i have a screenshot on my other computer, ill post it in the morning, keep forgetting to post it just thought id share it... i dont even ahve that epic firefox plugin that does the sql injection auditing, my browser just decided it wanted to auto fill that into the text box, i didnt try ofc cause id hate to get kicked off campus so soon after getting there, but from my browser doing that i can already guess that some sort of injection attack would be possible, maybe not such a simple one but some sort definitely... maybe using HAVING and stuff like that to do some enumeration if they dont have proper error handling to get a list of already archived mac addresses i could spoof

[reaper]

You don't know it's vulnerable to SQL injection.  You would receive an error message or the result you wanted.  If the response is a friendly result, then you can try blind SQL injection (for example HTTP 500 response ouputs x.html), searching for true or false; however a Captcha is certainly one page that would look like SQL injection was possible, but you'd need to take a closer look.  I'm not sure what form you're looking at, but often times they test true for blind SQL injection, simply because the response is different, although they are not actually vulnerable.  Maybe they could improve the tests, like AND 1=1 , AND 1=2, and try X times over M.

like AND 1=1 or AND 1=2 through the POST or GET variables, or attached to the end's of variables, will return a different result with a Captcha.

It'll be pretty funny once they fix the control of execution problems and make nice secure architectures, this is the stuff that will still be around.  It wouldn't even work enforcing things like taint and real escape strings, because there will always be errors in application logic.

[VaeVictis]

here is the pic

also, if you didnt know already reaper, using the HAVING command with different conditions, some conditions being quite long, you can do some cool enumeration with improper error handling the funny thing with a lot of sql injection vulnerable sites is that they will have an error field used generally just for improper keys entered such as the captive portal i went to if i didnt enter a valid ticket from the admin, or your common poorly configured input where it will say invalid user name or password.... you can exploit that error handling if they arent filtering it, and use the HAVING command to find out more about what tables are in the sql database and then go from there to get the improper error handling to give you a list of mac addresses you would be able to spoof to get onto the network

the reason its funny regardless of whether the site is vulnerable to sql injection, is because i showed up on campus to help teach a computer security boot camp and the first thing that happens when i kick my laptop up is my browser wants to auto fill a basic sql OR always true statement lol