Re: SQL Injection Question

[chintan dave <davechintan () gmail com>]

You didn't mention what DB is in use. If its sql server 2005, try
xp_cmdshell or other xp_* stored procedures. Tried to '; shutdown--?

Please don't shut the db down if it is prod environment. However you
can give it a shot if its QA.

It looks as if the back end SQL query is generated dynamically from
user supplied input. Even the stored procedure implementation is not a
secure one. Suggest parameterized queries and strong input validation.
This should be helpful. I have already covered exploitation part
before.

Hope this answers your question.

On Mon, Sep 20, 2010 at 6:06 AM, Kurt M.D John <kurt.md.john () gmail com> wrote:
> Hey Guys,
>
> take a look at the email below. I recently did a pentest and found that a
> site was vulnerable to sql injection but it was minimal. The user which runs
> the queries has read-only access and the information is public but an sql
> injection still spits out the full table nonetheless. The information below
> is what the DB Admin sent me in defence of the potential vulnerability. My
> question is, since it is vulnerable to sql injection can statements be
> mutated to get dangerous results such as privilege escalation, etc. I am not
> familiar with sql injection
>
>
> """ --Start DB Admin's defence
>
> I captured the select string from the form and found the they were in fact
> return a requested recorded set not a failed request. Here is an example of
> the captured string :
>
> SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME
>
> FROM PROJECT
>
> WHERE PROJECT.FOLIO_NBR LIKE '' or '1'='1%'
>
> ORDER BY PROJ_NBR , PROJ_NAME
>
> As you can see the request is for *FOLIO_NBR LIKE '' or '1'='1%'*
>
> The request does return folio_nbr that are blank
>
> I believe that because the form behind the scene constructs the “where
> clause” as follows:
>
> The value of PMSTPARCEL is ' or '1'='1
>
> *PFILTER = "PROJECT.FOLIO_NBR LIKE '" + PMSTPARCEL + "%'" *
>
> and sends this on to the stored procedure where it is assembled as follows
>
> *SET** @SELECTSTRING = 'INSERT INTO #TempTable SELECT
> PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM PROJECT WHERE '*
>
> * *
>
> *SET** @ORDERBY =' ORDER BY PROJ_NBR , PROJ_NAME'*
>
> * *
>
> *SET** @SELECTSTRING = @SELECTSTRING + @PFILTER + @ORDERBY *
>
> Which yields :
>
> *SELECT** PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME *
>
> * FROM PROJECT*
>
> * WHERE PROJECT.FOLIO_NBR LIKE '' or '1'='1%'*
>
> * ORDER BY PROJ_NBR , PROJ_NAME*
>
> That SQL injection is not happening--End DB Admin's Defence """
>
> --
> --Kurt M.D. John, CISA, C|EH, CPT
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually
> do a proper penetration test. IACRB CPT and CEPT certs require a full
> practical examination in order to become certified.
> http://www.iacertification.org
> ------------------------------------------------------------------------



-- 
Regards,
Chintan Dave,

LinkedIn: http://in.linkedin.com/in/chintandave
Blog:http://www.chintandave.com

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------