Penetration Testing mailing list archives
Re: SQL Injection Question
From: Joe Peters <joepete () joepete com>
Date: Mon, 20 Sep 2010 08:29:45 -0400
On Sun, 2010-09-19 at 20:36 -0400, Kurt M.D John wrote:
Hey Guys, take a look at the email below. I recently did a pentest and found that a site was vulnerable to sql injection
[snipped long DBA's defense]

The fundamental issue of any injection attack is that the app is not validating input and translating potential commands into non-executable code (or the app just dying if it is an attack). The vulnerability of injection typically resides with the app developer, not the DBA (though it often exposes a sloppy DB too). The DBA seems to be saying the stored procedure works as expected, which is OK, but where I would start (no pun) is how the WHERE statement is constructed and validated in the app.

The problem is that if there is a way of inserting a SQL command into the Web form that is used to construct the request, now you can pass arbitrary commands to the DB server. What you want to see is the app escaping input like = ; ' " in whatever comes in via the HTTP/HTTPS request. Too many Web searches are written in a sloppy way. If someone searches for fred in a Web app, the app makes the request "WHERE x='fred';". This becomes easy to abuse if someone writes "fred OR 1=1" in the search form (1=1 always evaluates true and hence the SELECT will return everything). Simple example, but it might help explain injection.

Read-only access is enough to extract critical data (anything in that table that only some people are supposed to see?), or if you come up with the right query, you can probably launch a denial of service easily enough, and sure, if the backend server has some vulnerability, privilege escalation or root access is not out of the question.

-- Joe Peters
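The sloppy WHERE construction Joe describes, next to the parameterized version that closes the hole, as an added example that is not part of the original thread. It uses an in-memory SQLite table with constructed rows; the malicious search term includes a quote character so that it breaks out of the string literal, which is exactly why he lists ' among the characters to escape.

```python
import sqlite3

# Constructed sample data: a table where only some rows are meant to be visible.
ROWS = [("fred", "public"), ("alice", "confidential"), ("bob", "secret")]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (x TEXT, note TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?)", ROWS)
    return conn


def search_vulnerable(conn, term):
    """Sloppy search: the form input is pasted straight into the SQL text.

    A term such as  fred' OR '1'='1  turns the statement into
    WHERE x='fred' OR '1'='1'  and the SELECT returns every row.
    """
    sql = "SELECT x, note FROM people WHERE x='" + term + "';"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Fixed search: the term is bound as a parameter and is never parsed as SQL.

    The same malicious term is compared literally against column x, so no
    row matches and nothing leaks.
    """
    sql = "SELECT x, note FROM people WHERE x=?;"
    return conn.execute(sql, (term,)).fetchall()


def looks_like_injection(term):
    """Coarse input check: flag the characters Joe says the app should be
    escaping (= ; ' ") so a request can be logged or rejected before it
    reaches the database. Parameterization remains the real fix."""
    return any(c in term for c in "=;'\"")


if __name__ == "__main__":
    db = make_db()
    evil = "fred' OR '1'='1"
    print("vulnerable  :", search_vulnerable(db, evil))      # all three rows
    print("parameterized:", search_parameterized(db, evil))  # []
    print("flagged      :", looks_like_injection(evil))      # True
```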