It’s been a while since i wrote my last thread, life goes fast and the time is always less than before. Anyway lately i found an interesting target that push me up to write few lines about this case. Someone i knew in a forum has posted a thread regarding a software (an Epson print cartridges resetter) that use a server validation to work, nothing special but i had some free time and i start working on it.
From a cracker point of view i begin to debug the program looking inside the registration routine to check how the validation works, and if was possible to bypass it.
When i patched the server-check the app seems run fine but i did not have an Epson’s Printer to test it so i thought to take another approach to the problem and collect more infos, like connection type, protocol, server address and so on, in order to obtain the same result without patching the target. I sniffed few packets during the Server/Client communication and in fact was possible to emulate the server reply so i coded a simple tcp server to accomplish the work but during my testing i see some sql error from the server so i though to try some SQL Injection jutzu and in less then a minute a got it!
The coder of this prog has made 2 fatal errors forgetting to sanityze the input parameter in the SQL statement and also in the client application.
The next time you found a similar server check, rather than start from the reversing would be better to try some SQLi first!