Penetration Testing mailing list archives

Re: SQL Injection Question


From: Joe Peters <joepete () joepete com>
Date: Mon, 20 Sep 2010 08:29:45 -0400

On Sun, 2010-09-19 at 20:36 -0400, Kurt M.D John wrote:
> Hey Guys,
>
> take a look at the email below. I recently did a pentest and found that
> a site was vulnerable to SQL injection
> [snipped long DBA's defense]

The fundamental issue of any injection attack is the app is not
validating input and translating potential commands into non-executable
code (or the app just dying if it is an attack). The vulnerability of
injection typically resides with the app developer, not the DBA (though
it often exposes a sloppy DB too).

The DBA seems to be saying the stored procedure works as expected, which
is OK, but where I would start (no pun) is how the WHERE statement is
constructed and validated in the app. The problem is that if there is a
way of inserting an SQL command into the Web form that is used to
construct the request, now you can pass arbitrary commands to the DB
server. What you want to see is the app escaping input like = ; ' " in
whatever comes in via the HTTP/HTTPS request. Too many Web searches are
written in a sloppy way. If someone searches for fred in a Web app, the
app makes the request "WHERE x='fred';". This becomes easy to abuse if
someone writes "fred OR 1=1" in the search form (1=1 always evaluates
true and hence the SELECT will return everything). Simple example, but
it might help explain injection.

Read-only access is enough to extract critical data (anything in that
table that only some people are supposed to see?), or if you come up
with the right query, you can probably launch a denial of service easily
enough, and sure, if the backend server has some vulnerability, privilege
escalation or root access is not out of the question.

--
Joe Peters
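The sloppy search pattern Joe describes, and its fixed form, as an added example that is not part of the original thread. It is self-contained Python using the standard sqlite3 module; the `users` table, its three constructed rows and the `search_*` function names are assumptions for illustration. The "fred OR 1=1" idea from the message is written here as `fred' OR '1'='1` so that the first quote closes the string literal the app opened, which is what makes the appended condition part of the query rather than part of the search term.

```python
import sqlite3

# Constructed sample data (not from the original message): one public row
# and two rows that only some people are supposed to see.
ROWS = [("fred", "public"), ("alice", "confidential"), ("bob", "restricted")]


def make_db():
    """Build an in-memory SQLite database with the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (x TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def search_vulnerable(conn, term):
    """The sloppy pattern: the search term is pasted straight into the
    WHERE clause, so a quote character in the input rewrites the query."""
    sql = "SELECT x FROM users WHERE x='" + term + "'"
    return sorted(r[0] for r in conn.execute(sql))


def search_parameterized(conn, term):
    """The fix: the driver binds the value as data. Whatever the user
    typed is compared against column x and is never parsed as SQL."""
    sql = "SELECT x FROM users WHERE x=?"
    return sorted(r[0] for r in conn.execute(sql, (term,)))


def demo():
    """Run both search functions against a normal term and the injected one
    and return the row names each call exposed."""
    conn = make_db()
    payload = "fred' OR '1'='1"   # closes the literal, then appends an always-true condition
    return {
        "normal_vuln": search_vulnerable(conn, "fred"),
        "payload_vuln": search_vulnerable(conn, payload),
        "normal_param": search_parameterized(conn, "fred"),
        "payload_param": search_parameterized(conn, payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} -> {rows}")
```

Running it shows the concatenated query returning every row for the injected term (the WHERE clause has become `x='fred' OR '1'='1'`), while the parameterized query returns nothing, because no row has the literal name `fred' OR '1'='1`. Binding parameters this way is what makes the escaping of `= ; ' "` that Joe mentions unnecessary for the database layer: the value never reaches the SQL parser as syntax.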
