SQLi susceptible?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

SQLi susceptible?

Post by alex.barylski »

I have the following SQL I just stumbled upon and have checked all previous code to ensure nothing was being changed... these $_POST globals are not validated and appear to be used inline with the SQL statement. An injection waiting to occur, or am I missing something?

Code: Select all

$ins_qry_def = "INSERT INTO PORTAL_USER (pu_id_admin, pu_id_sha1, pum_id, pu_licenses, spl_id, sp_id, wtc_id, usr, eml, pwd, pu_salute, pu_fname, pu_mname, pu_lname, trusted, active, userid, datemod) VALUES (NULL, NULL, "
    . "'" . ($_POST['memtype'] == 2 ? "3" : $_POST['memtype']) . "'"
    . ", " . "'" . ($_POST['memtype'] == 3 ? "5" : $_POST['memtype'] == 2 ? "1" : "0") . "'"
    . ", '0', '0', '0', "
    . "'" . mssql_escape($_POST['username']) . "'"
    . ", " . "'" . mssql_escape($_POST['emaiaddr']) . "'"
    . ", " . "'" . $_POST['password'] . "'"
    . ", NULL, " . "'" . mssql_escape($_POST['firsname']) . "'"
    . ", NULL, " . "'" . mssql_escape($_POST['lastname']) . "'"
    . ", '0', '1', '0', GETDATE())";

Is this code vulnerable to SQLi or not because the injected insecure variables are inside 'VALUES'?

What POST variable would be best used to carry out a SELECT to find all users in database or similar?

Seeing as I have never actually carried out a SQL exploit, would someone demonstrate using the code above as a starting point?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: SQLi susceptible?

Post by alex.barylski »

By the way, this is an MSSQL database; not sure if that changes anything?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: SQLi susceptible?

Post by VladSun »

I think this line is vulnerable to SQL injections:

Code: Select all

"."'".($_POST['memtype']==2 ? "3" : $_POST['memtype'])."'".",
You may use a subselect query to insert some secret data from the DB into a record which you can view later.
There are 10 types of people in this world, those who understand binary and those who don't
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: SQLi susceptible?

Post by alex.barylski »

VladSun wrote: You may use a subselect query to insert some secret data from the DB into a record which you can view later.
Can you show me how I might go about doing that? Why would I insert data? The argument has to be strong enough that it warrants a re-design of an entire application -- it's beyond refactoring. :P

I figure if anything will get them to agree it'll be security issues which can expose their data.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: SQLi susceptible?

Post by VladSun »

Just set the value of $_POST['memtype'] to a string which will construct a proper query for the attacked insert and add a "comment" char sequence at its end in order to remove the rest of the original query.

PS: I'm not sure we are permitted to discuss such things in this forum :)
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: SQLi susceptible?

Post by alex.barylski »

I have seen worse. :)

Besides, I don't think I have ever said or insinuated anything in the past to suggest I was interested in hacking. I joined a project really late and it's in serious need of repair.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: SQLi susceptible?

Post by kaisellgren »

Yes, it is vulnerable to SQL Injection attacks. I do not understand: you have mssql_escape() at the end of the query, but why did you not escape the "memtype" values? MySQL, for instance, allows an insert of "INSERT INTO ... SELECT", so an attacker can just close the parenthesis and start a SELECT clause and use something like SELECT INTO OUTFILE and save all your database info into a publicly readable file. That's just one example of exploiting that line. Another common way I like to crack web applications is that I upload an image to the server (many websites allow it in one way or another) that contains XSS, then I use the LOADFILE() command in MySQL to load the XSS into your database, and most likely the data is being shown at some point in the application.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: SQLi susceptible?

Post by VladSun »

kaisellgren wrote: Another common way I like to crack web applications is that I upload an image to the server (many websites allow it in one way or another) that contains XSS, then I use the LOADFILE() command in MySQL to load the XSS into your database, and most likely the data is being shown at some point in the application.
It's even worse when a SELECT (not INSERT) query is vulnerable. In such a case, a SQL injection using OUTFILE is the worst that could happen to a web application (leading to a successful RCE).

@PCSpectra
I suspect that $_POST['memtype'] is validated somewhere in the code. Maybe a:

Code: Select all

$_POST['memtype'] = intval($_POST['memtype']);
line could be found.
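The fix the thread is circling (validate memtype as an integer, and stop concatenating any of the POST values into the SQL text, the unescaped password included), written out as an added example rather than code from the thread. It assumes an open PDO connection to the MSSQL database in $pdo, that the set of valid member types is 1, 2 and 3, and that the ternaries in the original query meant pum_id = 3 for memtype 2 and pu_licenses = 5 / 1 / 0 for memtype 3 / 2 / anything else.

```php
<?php
// Added example, not the thread's code. Assumes $pdo is an open PDO
// connection to the MSSQL database (sqlsrv or dblib driver).

// Derive the two columns the original ternaries computed from memtype.
// Only integers reach this point, so the value can never carry SQL text.
function derivePlanColumns(int $memtype): array
{
    // Assumption: these are the only member types the application knows.
    $allowed = [1, 2, 3];
    if (!in_array($memtype, $allowed, true)) {
        throw new InvalidArgumentException('unknown memtype');
    }
    $pumId    = ($memtype === 2) ? 3 : $memtype;
    $licenses = ($memtype === 3) ? 5 : (($memtype === 2) ? 1 : 0);
    return [$pumId, $licenses];
}

function insertPortalUser(PDO $pdo, array $post): void
{
    // Validation rather than escaping: a non-integer memtype is rejected
    // outright instead of being pasted into the statement text.
    $memtype = filter_var($post['memtype'] ?? '', FILTER_VALIDATE_INT);
    if ($memtype === false) {
        throw new InvalidArgumentException('memtype must be an integer');
    }
    [$pumId, $licenses] = derivePlanColumns($memtype);

    // Same column list as the original INSERT; every user-supplied value,
    // including the password that the original concatenated unescaped,
    // travels as a bound parameter and never becomes part of the SQL text.
    $sql = "INSERT INTO PORTAL_USER
              (pu_id_admin, pu_id_sha1, pum_id, pu_licenses, spl_id, sp_id, wtc_id,
               usr, eml, pwd, pu_salute, pu_fname, pu_mname, pu_lname,
               trusted, active, userid, datemod)
            VALUES (NULL, NULL, :pum_id, :licenses, '0', '0', '0',
                    :usr, :eml, :pwd, NULL, :fname, NULL, :lname,
                    '0', '1', '0', GETDATE())";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':pum_id'   => $pumId,
        ':licenses' => $licenses,
        ':usr'      => $post['username'] ?? '',
        ':eml'      => $post['emaiaddr'] ?? '',
        ':pwd'      => $post['password'] ?? '',  // stored as the original did
        ':fname'    => $post['firsname'] ?? '',
        ':lname'    => $post['lastname'] ?? '',
    ]);
}
```

With the statement prepared this way, the value of memtype is checked before it is ever used, and the database driver sends the remaining fields separately from the query, so the "comment sequence" trick discussed above has no SQL text to operate on.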
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: SQLi susceptible?

Post by kaisellgren »

VladSun wrote:
kaisellgren wrote: Another common way I like to crack web applications is that I upload an image to the server (many websites allow it in one way or another) that contains XSS, then I use the LOADFILE() command in MySQL to load the XSS into your database, and most likely the data is being shown at some point in the application.
It's even worse when a SELECT (not INSERT) query is vulnerable. In such a case, a SQL injection using OUTFILE is the worst that could happen to a web application (leading to a successful RCE).

@PCSpectra
I suspect that $_POST['memtype'] is validated somewhere in the code. Maybe a:

Code: Select all

$_POST['memtype'] = intval($_POST['memtype']);
line could be found.
I'm not sure which is the worst thing that could happen to an application. DROP statements being vulnerable could cause catastrophic damage, while SELECT would allow both RCE and LFI and almost anything, such as getting /etc/passwd. I knew a guy whose hosting account was closed because an attacker exploited a vulnerability in a CREATE statement and made so much spam that the database became too big; the hosting company kicked the customer out of their servers and he lost all data, including the nightly backups :)
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: SQLi susceptible?

Post by VladSun »

An RCE would permit you to do anything you want (i.e. as the Apache user) - including DROP, CREATE, exposing local files, etc. That's why I think that RCE is one of the worst exploits that could happen to a web application.

PS: BTW, I still encourage you to participate in the hack game I offered you earlier - it's "this is a web site - root its server". I haven't played such a game at other hack-game sites.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: SQLi susceptible?

Post by kaisellgren »

VladSun wrote: An RCE would permit you to do anything you want (i.e. as the Apache user) - including DROP, CREATE, exposing local files, etc. That's why I think that RCE is one of the worst exploits that could happen to a web application.

PS: BTW, I still encourage you to participate in the hack game I offered you earlier - it's "this is a web site - root its server". I haven't played such a game at other hack-game sites.
You can also end up in a similar situation using an LFI, provided that you have the skills, the time and the interest.

Isn't it spelled an LFI, an RCE, an SQL Injection, because you use "an" whenever you say the first letter as a vowel, right? Just thinking.

What was the link to that website?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: SQLi susceptible?

Post by VladSun »

kaisellgren wrote: What was the link to that website?
http://www.gat3way.eu/hack
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: SQLi susceptible?

Post by alex.barylski »

VladSun wrote: I suspect that $_POST['memtype'] is validated somewhere in the code. Maybe a:
There is, in many instances, an explicit cast, etc., that is done, but on my first day I stumbled upon a line which didn't have one, and when I mentioned it, the other developer simply told me to cast.

Security like this makes me nervous as hell. They appear to be using prepared statements, or so I have been told, but I'm not sure it's secure still, as there is a lot of dynamically generated SQL.

The developer before had the common sense to at least disable DELETEs: any time a record is removed, it actually only has a flag set which prevents it from being displayed. Not sure I agree with that design, but at least in an ad hoc environment it prevents the DB from being trashed. Oddly, he appears to have a religious backup strategy.