
SQLi susceptible?

Posted: Tue Feb 17, 2009 9:16 am
by alex.barylski
I have the following SQL I just stumbled upon and have checked all previous code to ensure nothing was being changed... these $_POST globals are not validated and appear to be used inline with the SQL statement, an injection waiting to occur, or am I missing something?

$ins_qry_def = "INSERT INTO PORTAL_USER (pu_id_admin, pu_id_sha1, pum_id, pu_licenses, spl_id, sp_id, wtc_id, usr, eml, pwd, pu_salute, pu_fname, pu_mname, pu_lname, trusted, active, userid, datemod) VALUES ("
    . "NULL, NULL, "
    . "'" . ($_POST['memtype'] == 2 ? "3" : $_POST['memtype']) . "', "                          // memtype used raw, no escaping
    . "'" . ($_POST['memtype'] == 3 ? "5" : $_POST['memtype'] == 2 ? "1" : "0") . "', "        // memtype compared only, no escaping
    . "'0', '0', '0', "
    . "'" . mssql_escape($_POST['username']) . "', "
    . "'" . mssql_escape($_POST['emaiaddr']) . "', "
    . "'" . $_POST['password'] . "', "                                                          // password used raw, no escaping
    . "NULL, "
    . "'" . mssql_escape($_POST['firsname']) . "', "
    . "NULL, "
    . "'" . mssql_escape($_POST['lastname']) . "', "
    . "'0', '1', '0', GETDATE())";

Is this code vulnerable to SQLi or not because the injected insecure variables are inside 'VALUES'?

What POST variable would be best used to carry out a SELECT to find all users in database or similar?

Seeing as I have never actually carried out a SQL exploit, would someone demonstrate using the code above as a starting point?

Re: SQLi susceptible?

Posted: Tue Feb 17, 2009 9:17 am
by alex.barylski
By the way this is a MSSQL database not sure if that changes anything?

Re: SQLi susceptible?

Posted: Tue Feb 17, 2009 9:29 am
by VladSun
I think this line is vulnerable to SQL injections:

"."'".($_POST['memtype']==2 ? "3" : $_POST['memtype'])."'".",
You may use a subselect query to insert some secret data from the DB into a record which you can view later.

Re: SQLi susceptible?

Posted: Tue Feb 17, 2009 9:38 am
by alex.barylski
You may use a subselect query to insert some secret data from the DB into a record which you can view later.
Can you show me how I might go about doing that? Why would I insert data? The argument has to be strong enough that it warrants a re-design of an entire application -- it's beyond refactoring. :P

I figure if anything will get them to agree it'll be security issues which can expose their data.

Re: SQLi susceptible?

Posted: Tue Feb 17, 2009 9:41 am
by VladSun
Just set the value of $_POST['memtype'] to a string which will construct a proper query for the attacked insert and add a "comment" char sequence at its end in order to remove the rest of the original query.

PS: I'm not sure we are permitted to discuss such things in this forum :)

Re: SQLi susceptible?

Posted: Tue Feb 17, 2009 10:34 am
by alex.barylski
I have seen worse. :)

Besides, I don't think I have ever said or insinuated anything in the past to suggest I was interested in hacking. I joined a project really late and it's in serious need of repair.

Re: SQLi susceptible?

Posted: Wed Feb 18, 2009 1:30 pm
by kaisellgren
Yes, it is vulnerable to SQL Injection attacks. I do not understand: you have mssql_escape() at the end of the query, but why did you not escape the "memtype" values? MySQL, for instance, allows an insert of "INSERT INTO ... SELECT", so an attacker can just close the parenthesis and start a SELECT clause and use something like SELECT INTO OUTFILE and save all your database info into a publicly readable file. That's just one example of exploiting that line. Another common way I like to crack web applications is that I upload an image to the server (many websites allow it one way or another) that contains XSS, then I use the LOADFILE() command in MySQL to load the XSS into your database, and most likely the data is being shown at some point in the application.

Re: SQLi susceptible?

Posted: Wed Feb 18, 2009 2:03 pm
by VladSun
kaisellgren wrote: Another common way I like to crack web applications is that I upload an image to the server (many websites allow it one way or another) that contains XSS, then I use the LOADFILE() command in MySQL to load the XSS into your database, and most likely the data is being shown at some point in the application.
It's even worse when a SELECT (not INSERT) query is vulnerable. In such a case, a SQL injection using OUTFILE is the worst that could happen to a web application (leading to a successful RCE).

@PCSpectra
I suspect that $_POST['memtype'] is validated somewhere in the code. Maybe a:

$_POST['memtype'] = intval($_POST['memtype']);
line could be found.
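The fix the thread is circling (validate memtype, and bind the remaining values instead of splicing them into the string) rendered in Python so it can be run stand-alone; this is an added example, not code from the thread or from the application under discussion. The column subset, the in-memory sqlite stand-in for PORTAL_USER and the sample submission are constructed here; mssql_escape() and the real schema are not modelled.

```python
import re
import sqlite3

def derive_member_fields(memtype):
    """(pum_id, pu_licenses) for a validated integer memtype, as the thread's two ternaries read."""
    pum_id = 3 if memtype == 2 else memtype
    pu_licenses = 5 if memtype == 3 else (1 if memtype == 2 else 0)
    return pum_id, pu_licenses

def build_insert_unsafe(post):
    """Mirror of the original concatenation: memtype lands in the SQL text exactly as posted.
    Returned as a string only so the difference is visible; it is never executed here."""
    memtype = post["memtype"]
    pum_id = "3" if memtype == "2" else memtype
    pu_licenses = "5" if memtype == "3" else ("1" if memtype == "2" else "0")
    return ("INSERT INTO PORTAL_USER (pum_id, pu_licenses, usr) VALUES ('%s', '%s', '%s')"
            % (pum_id, pu_licenses, post["username"]))

def validate_memtype(raw):
    """Strict form of the intval() idea from the thread: accept only an ASCII decimal integer string."""
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]+", raw):
        raise ValueError("memtype must be a non-negative decimal integer")
    return int(raw)

INSERT_SQL = ("INSERT INTO PORTAL_USER (pum_id, pu_licenses, usr, eml, pwd, pu_fname, pu_lname) "
              "VALUES (?, ?, ?, ?, ?, ?, ?)")

def insert_portal_user(conn, post):
    """Hardened insert: memtype validated, every posted value bound as a parameter, no escaping helper."""
    pum_id, pu_licenses = derive_member_fields(validate_memtype(post["memtype"]))
    params = (pum_id, pu_licenses, post["username"], post["emaiaddr"],
              post["password"], post["firsname"], post["lastname"])
    conn.execute(INSERT_SQL, params)
    return conn.execute("SELECT pum_id, pu_licenses, usr FROM PORTAL_USER WHERE usr = ?",
                        (post["username"],)).fetchone()

def open_test_db():
    """Constructed in-memory stand-in for PORTAL_USER with just the columns used above (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PORTAL_USER (pum_id INTEGER, pu_licenses INTEGER, usr TEXT, "
                 "eml TEXT, pwd TEXT, pu_fname TEXT, pu_lname TEXT)")
    return conn

if __name__ == "__main__":
    # Constructed submission: a quote in the username is stored verbatim once it is a bound parameter.
    post = {"memtype": "2", "username": "o'brien", "emaiaddr": "ob@example.invalid",
            "password": "pw", "firsname": "O", "lastname": "Brien"}
    print(insert_portal_user(open_test_db(), post))   # (3, 1, "o'brien")
```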

Re: SQLi susceptible?

Posted: Wed Feb 18, 2009 2:15 pm
by kaisellgren
VladSun wrote:
kaisellgren wrote: Another common way I like to crack web applications is that I upload an image to the server (many websites allow it one way or another) that contains XSS, then I use the LOADFILE() command in MySQL to load the XSS into your database, and most likely the data is being shown at some point in the application.
It's even worse when a SELECT (not INSERT) query is vulnerable. In such a case, a SQL injection using OUTFILE is the worst that could happen to a web application (leading to a successful RCE).

@PCSpectra
I suspect that $_POST['memtype'] is validated somewhere in the code. Maybe a:

$_POST['memtype'] = intval($_POST['memtype']);
line could be found.
I'm not sure which is the worst thing that could happen to an application. DROP statements being vulnerable could do catastrophic damage, while SELECT would allow both RCE and LFI and almost anything, such as getting /etc/passwd. I knew a guy whose hosting account was closed because an attacker exploited a vulnerability in a CREATE statement and made so much spam that the database became too big, and the hosting company kicked the customer off their servers and he lost all data, including the nightly backups :)

Re: SQLi susceptible?

Posted: Wed Feb 18, 2009 2:27 pm
by VladSun
A RCE would permit you to do anything you want (i.e. as the Apache user) - including DROP, CREATE, exposing local files, etc. That's why I think that RCE is one of the worst exploits that could happen to a web application.

PS: BTW, I still encourage you to participate in the hack game I offered you earlier - it's "this is a web site - root its server". I haven't played such a game at other hack-game sites.

Re: SQLi susceptible?

Posted: Wed Feb 18, 2009 2:34 pm
by kaisellgren
VladSun wrote: A RCE would permit you to do anything you want (i.e. as the Apache user) - including DROP, CREATE, exposing local files, etc. That's why I think that RCE is one of the worst exploits that could happen to a web application.

PS: BTW, I still encourage you to participate in the hack game I offered you earlier - it's "this is a web site - root its server". I haven't played such a game at other hack-game sites.
You can also end up in a similar situation using an LFI providing that you have the skills, the time and the interest.

Isn't it spelled an LFI, an RCE, an SQL Injection, because you use "an" whenever you say the first letter as a vowel, right? Just thinking.

What was the link to that website?

Re: SQLi susceptible?

Posted: Wed Feb 18, 2009 4:20 pm
by VladSun
kaisellgren wrote:What was the link to that website?
http://www.gat3way.eu/hack

Re: SQLi susceptible?

Posted: Fri Feb 20, 2009 6:24 pm
by alex.barylski
I suspect that $_POST['memtype'] is validated somewhere in the code. Maybe a:
In many instances there is explicit casting, etc. that is done, but on my first day I stumbled upon a line which didn't have it, and when I mentioned it, the other developer simply told me to cast.

Security like this makes me nervous as hell. They appear to be using prepared statements, or so it has been said, but I'm not sure it's secure still, as there is a lot of dynamically generated SQL.

The developer before had the common sense to at least disable DELETEs: any time a record is removed, it actually only has a flag set which prevents it from being displayed. Not sure I agree with that design, but at least in an ad hoc environment it prevents the DB from being trashed. Oddly, he appears to have a religious backup strategy.