Penetration Testing mailing list archives
Re: SQL Injection Question
From: chintan dave <davechintan () gmail com>
Date: Mon, 20 Sep 2010 18:07:46 +0530
You didn't mention what DB is in use. If it's SQL Server 2005, try xp_cmdshell or other xp_* stored procedures. Tried '; shutdown--? Please don't shut the DB down if it is a prod environment. However, you can give it a shot if it's QA.

It looks as if the back-end SQL query is generated dynamically from user-supplied input. Even the stored procedure implementation is not a secure one. I suggest parameterized queries and strong input validation. This should be helpful. I have already covered the exploitation part before.

Hope this answers your question.

On Mon, Sep 20, 2010 at 6:06 AM, Kurt M.D John <kurt.md.john () gmail com> wrote:
Hey Guys, take a look at the email below. I recently did a pentest and found that a site was vulnerable to SQL injection, but it was minimal. The user which runs the queries has read-only access and the information is public, but an SQL injection still spits out the full table nonetheless. The information below is what the DB Admin sent me in defence of the potential vulnerability. My question is, since it is vulnerable to SQL injection, can statements be mutated to get dangerous results such as privilege escalation, etc.? I am not familiar with SQL injection.

"""
--Start DB Admin's defence

I captured the select string from the form and found that they were in fact returning a requested record set, not a failed request. Here is an example of the captured string:

SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM PROJECT WHERE PROJECT.FOLIO_NBR LIKE '' or '1'='1%' ORDER BY PROJ_NBR , PROJ_NAME

As you can see the request is for FOLIO_NBR LIKE '' or '1'='1%'. The request does return folio_nbr that are blank. I believe that is because the form behind the scenes constructs the "where clause" as follows:

The value of PMSTPARCEL is ' or '1'='1

PFILTER = "PROJECT.FOLIO_NBR LIKE '" + PMSTPARCEL + "%'"

and sends this on to the stored procedure where it is assembled as follows:

SET @SELECTSTRING = 'INSERT INTO #TempTable SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM PROJECT WHERE '
SET @ORDERBY = ' ORDER BY PROJ_NBR , PROJ_NAME'
SET @SELECTSTRING = @SELECTSTRING + @PFILTER + @ORDERBY

Which yields:

SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME
FROM PROJECT
WHERE PROJECT.FOLIO_NBR LIKE '' or '1'='1%'
ORDER BY PROJ_NBR , PROJ_NAME

That SQL injection is not happening.
--End DB Admin's Defence
"""

--
--Kurt M.D. John, CISA, C|EH, CPT

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
--
Regards,
Chintan Dave,
LinkedIn: http://in.linkedin.com/in/chintandave
Blog: http://www.chintandave.com
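Added example (not code from the thread or from the DB admin's application): a Python/sqlite3 model of the string assembly the DB admin describes, with a constructed PROJECT table standing in for the real one and the #TempTable step left out. It shows that the submitted value rewrites the WHERE clause (the captured string is reproduced exactly), that the resulting '1'='1%' comparison is false, which is why only blank-folio rows came back, and that a bound parameter makes the same value an ordinary search pattern.

```python
import sqlite3

# Constructed sample rows standing in for the PROJECT table in the thread.
ROWS = [
    ("P-001", "OPEN", "1234", "Bridge"),
    ("P-002", "CLOSED", "", "Park"),       # blank FOLIO_NBR
    ("P-003", "OPEN", "5678", "Library"),
]

SELECT = "SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM PROJECT WHERE "
ORDERBY = " ORDER BY PROJ_NBR , PROJ_NAME"


def connect():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE PROJECT (PROJ_NBR TEXT, STATUS TEXT, "
                "FOLIO_NBR TEXT, PROJ_NAME TEXT)")
    con.executemany("INSERT INTO PROJECT VALUES (?, ?, ?, ?)", ROWS)
    return con


def build_pfilter(pmstparcel):
    """PFILTER assembled exactly as the DB admin described it."""
    return "PROJECT.FOLIO_NBR LIKE '" + pmstparcel + "%'"


def build_selectstring(pmstparcel):
    """@SELECTSTRING + @PFILTER + @ORDERBY: the input becomes SQL text."""
    return SELECT + build_pfilter(pmstparcel) + ORDERBY


def query_dynamic(pmstparcel):
    """Vulnerable path. With the input ' or '1'='1 the predicate becomes
    FOLIO_NBR LIKE '' or '1'='1%'. The right-hand comparison is false (the
    trailing %' landed inside the literal), so only rows with an empty
    FOLIO_NBR match, which is exactly what the admin observed. The input
    still replaced the WHERE clause; it was just an unlucky payload."""
    return connect().execute(build_selectstring(pmstparcel)).fetchall()


def query_parameterized(pmstparcel):
    """Fixed path: the same search with a bound parameter. The quote and
    the OR are now characters inside a LIKE pattern, not SQL syntax."""
    sql = ("SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM PROJECT "
           "WHERE PROJECT.FOLIO_NBR LIKE ? ORDER BY PROJ_NBR , PROJ_NAME")
    return connect().execute(sql, (pmstparcel + "%",)).fetchall()
```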