Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SQL Injection

From: thorhs () demon nyherji is
Date: Tue, 18 Sep 2001 13:12:20 +0000
Hi,

Sorry for this post if I'm wrong, but what I've allways done to
prevent nasty problems like this is to use prepared statements.

I come from a world of DB2, and thing may differ a bit on other
systems.  If I use a prepared statement, I place question marks
where ever the data from my appliation should go, ie:
        UPDATE users SET password=? WHERE username=?

Doing this totaly circumvents problems like the one described,
since the data is sent to the database driver as a seperate string
from the query.  Using '=' allso stops folks from using wildcards
like '%' in the username to change all the passwords, since wildcard
need the LIKE directive in stead of '='.

Another thing is that this method does type conversions for you.

I know that you still need to 'wash' the input to eliminate dangeorus
HTML and JavaScript content, but the risk to your database is greatly
reduced.

I allso know that using prepared statements might not be applicable in
all software (php?, mysql?).  If that is the case, then I would
recomend switching to systems that have this feature.

Another thing to consider is that there is some compilation time
involved in the preparing of statements, but so is it in compilation
of 'one-shot' statements.  I'm not aware of the difference so I don't
know which is faster.  Using the same prepared statement over and over
is faster than multiple 'one-shot' statements though.

Hope this helps,

Thorhallur Sverrisson,
thorhs () demon nyherji is

On Sat, Sep 08, 2001 at 04:28:34PM +0200, Sverre H. Huseby wrote:

[Kevin Spett]

|   I would like to know if there are other ways of doing this.

You could look for a place where your input is stored in a databse
without validation, and insert a sub-select that picks up the
information you want.

Example: I was working my way through a system yesterday.  In this
system I could register new users.  On the user preferences page, I
could change my E-mail address.  Fortunately, the programmers had
forgotten to "wash" the input, so I was able to enter the following as
my E-mail address:

  ' + (SELECT password FROM users WHERE username='foobar') + '

The + signs are used for string concatenation in MS SQL Server.  After
entering this text, my E-mail field was updated to contain the
password of the user foobar.  (Long live clear text passwords! :) )

My input probably resultet in an SQL query that looks like this:

  UPDATE users
  SET email='' + (SELECT password FROM users WHERE username='foobar') + ''
             ------------------------------------------------------------
  WHERE username='sverre'

The underlined text is the "E-mail address" provided by me.

Hope this helps a litte bit.


Sverre.

-- 
shh () thathost com                   Try my Nerd Quiz at
http://shh.thathost.com/              http://nerdquiz.thathost.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Previous By Date Next
Previous By Thread Next

Current thread: