 |
|
 |
 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 219
 Members: 0
 Total: 219
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
ASPX Sql Injection |
|
 Posted: Wed Oct 12, 2011 9:22 am |
 |
|
| latinhack |
| Beginner |
 |
|
| Joined: Oct 12, 2011 |
| Posts: 4 |
|
|
|
 |
|
 |
|
Hello,
I'am trying to learn more about SQL INJECTION by a ASPX (ASP NET) websites.
I already know how to hack/test a PHP site with Sql-Injection.
I tried to do some sql-injection by this URL:
http://www.example.com/app/article.aspx?id=1
When I set ?id=1' The website display a error like this :
| Code: | Server Error in '/' Application.
Input string was not in a correct format.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.FormatException: Input string was not in a correct format.
Source Error:
The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:
1. Add a "Debug=true" directive at the top of the file that generated the error. Example:
<%@ Page Language="C#" Debug="true" %>
or:
2) Add the following section to the configuration file of your application:
<configuration>
<system.web>
<compilation debug="true"/>
</system.web>
</configuration>
Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.
Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.
Stack Trace:
[FormatException: Input string was not in a correct format.]
Microsoft.VisualBasic.CompilerServices.DoubleType.Parse(String Value, NumberFormatInfo NumberFormat) +195
Microsoft.VisualBasic.CompilerServices.IntegerType.FromString(String Value) +97
[InvalidCastException: Cast from string "1'" to type 'Integer' is not valid.]
Microsoft.VisualBasic.CompilerServices.IntegerType.FromString(String Value) +212
ASP.article_aspx.__Render__control1(HtmlTextWriter __output, Control parameterContainer) +78
System.Web.UI.Control.RenderChildren(HtmlTextWriter writer) +27
System.Web.UI.Control.Render(HtmlTextWriter writer) +7
System.Web.UI.Control.RenderControl(HtmlTextWriter writer) +243
System.Web.UI.Page.ProcessRequestMain() +1926
Version Information: Microsoft .NET Framework Version:1.1.4322.2407; ASP.NET Version:1.1.4322.2407 |
After I do that, I set this in the URL ?id=1 order by 1000-- But the website keep display me the same error as above.
Can someone explain to me if this website is vulnerable? and how do I process a sql-injection to this website (to a aspx website).
Thank you ! 8) |
|
|
|
|
|
|
|
|
| Posted: Wed Oct 12, 2011 5:15 pm |
|
|
| latinhack |
| Beginner |
|
|
| Joined: Oct 12, 2011 |
| Posts: 4 |
|
|
|
|
|
|
|
|
|
|
|
| Posted: Thu Oct 13, 2011 8:42 pm |
|
|
| mainhood |
| Regular user |
 |
|
| Joined: Sep 02, 2011 |
| Posts: 21 |
|
|
|
|
|
|
|
|
|
|
|
| Posted: Sat Oct 15, 2011 9:45 am |
|
|
| latinhack |
| Beginner |
|
|
| Joined: Oct 12, 2011 |
| Posts: 4 |
|
|
|
|
|
|
|
No men! Ill let you know.  |
|
|
|
|
| Posted: Sat Oct 15, 2011 11:19 am |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| There is no SQL Injection here. Script is trying to convert your attack string to integer and fails. Look for other places - for example search functionality. |
|
|
|
|
| Posted: Sat Oct 15, 2011 11:21 am |
|
|
| latinhack |
| Beginner |
|
|
| Joined: Oct 12, 2011 |
| Posts: 4 |
|
|
|
|
|
|
|
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|
