Penetration Testing mailing list archives

SQL Injection Question


From: "Kurt M.D John" <kurt.md.john () gmail com>
Date: Sun, 19 Sep 2010 20:36:09 -0400

Hey Guys,

Take a look at the email below. I recently did a pentest and found that a site was vulnerable to SQL injection, but it was minimal. The user which runs the queries has read-only access and the information is public, but an SQL injection still spits out the full table nonetheless. The information below is what the DB Admin sent me in defence of the potential vulnerability. My question is, since it is vulnerable to SQL injection, can statements be mutated to get dangerous results such as privilege escalation, etc.? I am not familiar with SQL injection.


""" --Start DB Admin's defence

I captured the select string from the form and found the they were in fact return a requested recorded set not a failed request. Here is an example of the captured string :

SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME

FROM PROJECT

WHERE PROJECT.FOLIO_NBR LIKE '' or '1'='1%'

ORDER BY PROJ_NBR , PROJ_NAME

As you can see the request is for *FOLIO_NBR LIKE '' or '1'='1%'*

The request does return folio_nbr that are blank

I believe that because the form behind the scene constructs the “where clause” as follows:

The value of PMSTPARCEL is ' or '1'='1

*PFILTER = "PROJECT.FOLIO_NBR LIKE '" + PMSTPARCEL + "%'" *

and sends this on to the stored procedure where it is assembled as follows

*SET** @SELECTSTRING = 'INSERT INTO #TempTable SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM PROJECT WHERE '*

* *

*SET** @ORDERBY =' ORDER BY PROJ_NBR , PROJ_NAME'*

* *

*SET** @SELECTSTRING = @SELECTSTRING + @PFILTER + @ORDERBY *

Which yields :

*SELECT** PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME *

* FROM PROJECT*

* WHERE PROJECT.FOLIO_NBR LIKE '' or '1'='1%'*

* ORDER BY PROJ_NBR , PROJ_NAME*

That SQL injection is not happening--End DB Admin's Defence """

--
--Kurt M.D. John, CISA, C|EH, CPT
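The following T-SQL is an added example and is not code from the original post or from the site under test. It rebuilds the dynamic-SQL construction the DB admin describes (form value concatenated into a LIKE filter, filter concatenated into a statement handed to EXEC) so the effect of the input can be observed directly, and then shows the same query written with sp_executesql parameters. Table and column names are taken from the post; the #PROJECT temp table, its rows, the @prefix parameter and the omission of the INSERT INTO #TempTable wrapper are assumptions made here to keep the script self-contained.

```sql
-- Added example, not code from the original post. Rebuilds the dynamic-SQL
-- construction the DB admin describes so the injected input can be examined,
-- then shows the same query parameterized. Table and column names are taken
-- from the post; the #PROJECT temp table, its rows and the @prefix parameter
-- are constructed here as assumptions.
SET NOCOUNT ON;

CREATE TABLE #PROJECT (
    PROJ_NBR   INT,
    STATUS     VARCHAR(10),
    FOLIO_NBR  VARCHAR(20),
    PROJ_NAME  VARCHAR(50)
);
INSERT INTO #PROJECT (PROJ_NBR, STATUS, FOLIO_NBR, PROJ_NAME) VALUES
    (1, 'OPEN',   '1234-001', 'North Site'),
    (2, 'CLOSED', '1234-002', 'South Site'),
    (3, 'OPEN',   '',         'Unfiled');

-- 1. The construction from the post: the form value is concatenated into the
--    filter, and the filter is concatenated into a statement handed to EXEC.
DECLARE @SELECTSTRING NVARCHAR(MAX),
        @PFILTER      NVARCHAR(400),
        @ORDERBY      NVARCHAR(100) = N' ORDER BY PROJ_NBR , PROJ_NAME',
        @PMSTPARCEL   NVARCHAR(200);

-- Payload quoted in the post:  ' or '1'='1
-- The fixed suffix %' turns the second comparison into '1'='1%', which is
-- false, so only rows with an empty FOLIO_NBR come back (1 row here). That is
-- the behaviour the admin observed; it does not show the input is treated as
-- data rather than as SQL.
SET @PMSTPARCEL   = N''' or ''1''=''1';
SET @PFILTER      = N'PROJECT.FOLIO_NBR LIKE ''' + @PMSTPARCEL + N'%''';
SET @SELECTSTRING = N'SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM #PROJECT AS PROJECT WHERE '
                  + @PFILTER + @ORDERBY;
PRINT @SELECTSTRING;
EXEC (@SELECTSTRING);

-- Same construction, payload adjusted for the %' suffix:  ' or '1' LIKE '1
-- The WHERE clause now reads  LIKE '' or '1' LIKE '1%'  which is true for
-- every row, so the whole table is returned (3 rows here). The attacker
-- chooses the text that precedes the fixed suffix, so the suffix is no defence.
SET @PMSTPARCEL   = N''' or ''1'' LIKE ''1';
SET @PFILTER      = N'PROJECT.FOLIO_NBR LIKE ''' + @PMSTPARCEL + N'%''';
SET @SELECTSTRING = N'SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM #PROJECT AS PROJECT WHERE '
                  + @PFILTER + @ORDERBY;
PRINT @SELECTSTRING;
EXEC (@SELECTSTRING);

-- 2. Parameterized form: the input is passed as a typed parameter to
--    sp_executesql and can only ever be a prefix value for LIKE. The same
--    payload returns 0 rows because no FOLIO_NBR starts with that literal.
--    LIKE metacharacters in the input (% _ [ and the escape char itself) are
--    escaped so they match literally instead of acting as wildcards.
DECLARE @SQL NVARCHAR(MAX) = N'
SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME
FROM #PROJECT
WHERE FOLIO_NBR LIKE @prefix + N''%'' ESCAPE ''\''
ORDER BY PROJ_NBR , PROJ_NAME';

DECLARE @prefix NVARCHAR(200) = N''' or ''1'' LIKE ''1';
SET @prefix = REPLACE(REPLACE(REPLACE(REPLACE(@prefix, N'\', N'\\'),
                                      N'%', N'\%'), N'_', N'\_'), N'[', N'\[');
EXEC sp_executesql @SQL, N'@prefix NVARCHAR(200)', @prefix = @prefix;

-- A benign prefix through the same parameterized query: '1234' returns 2 rows.
EXEC sp_executesql @SQL, N'@prefix NVARCHAR(200)', @prefix = N'1234';

DROP TABLE #PROJECT;
```

Two points follow from running this. First, the admin's observation (only blank folios returned) is explained by the `%'` suffix defeating that particular payload, not by the input being handled safely; a payload written for the suffix pulls the whole table through the same code path. Second, because the concatenated string is passed to EXEC, everything the attacker places after the opening quote is parsed as SQL: a `--` comment in the input, for example, discards the `%'` suffix and the ORDER BY clause, so the login's full set of permissions, not the intended query, bounds what can be run. A read-only login rules out writes, but it does not restrict reads to the PROJECT table; whether anything beyond that is reachable depends on that login's permissions and the server's configuration, which the thread does not describe.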

