Vulnerability Development mailing list archives
malformed sql queries
From: "Gabriel A. Maggiotti" <gmaggiot () ciudad com ar>
Date: Sat, 29 Dec 2001 20:59:51 -0300
========================================== = Malformed SQL query = =----------------------------------------= = Author: Gabriel A. Maggiotti = =----------------------------------------= = Email: gmaggiot () ciudad com ar = =----------------------------------------= = Webpage: http://qb0x.net = ========================================== The goal of this type of vulnerability is modifying the original SQL query. Supposing that a dynamic webpage runs a query in a database server and trying to imagine the query structure, it's possible to modify the same query with the goal of injecting a malformed one. The following examples were proven with this architecture: - Intel 686 - Apache/1.3.14(Unix) - PHP/4.0.2 - perl v5.6.0 - Mysql 3.23.25 - Probably works in other architectures. A common query: (1) SELECT * from table WHERE id=$id where $id is a variable that the web progammer use to perform the query. This implies that the variable is potentially revalueable (if is not checked before using it). We could inject some malicious query in this way: http://www.host.com/file?id="malicious_code" Mysql( I don't know if it is a SQL standard), allows to make this type of query: SELECT * FROM table INTO outfile '/tmp/file.txt'; This query writes the output of "SELECT * FROM table" into "/tmp/file.txt". Depending on the server permissions, the reach of this vulnerability. In mysql case, it doesn't rewrite files. Injecting the malicious query(1): - For webserver Apache with cgi's in perl( but works for others ) http://www.host.com/file?id=121%20into%20outfile%20'/tmp/file.txt' Where "%20" is the hexa of the blank character. Good!!!, with this one you are able to write in "/tmp/file.txt", but the content is the result of the original query. It's at this point where is up to your imagination to create a useful query. :)) Also is posible to read any file, making a query and dumping the result to a table. (2) LOAD DATA INFILE "/etc/passwd" INTO TABLE table; This query keeps in the table "table" the content from passwd, depending on the permissions of mysql daemon. If I choose the table correctly: CREATE TABLE table( txt text ); I could inject the malicious query in this way: http://www.host.com/file?id=121%20load%20data%20in%20file%20'/root/passwd' .... Currently, I'm writing more about this kind of vulnerabilities
Current thread:
- malformed sql queries Gabriel A. Maggiotti (Dec 29)
- Re: malformed sql queries JayBonci (Dec 29)
- Re: malformed sql queries Francois Scala (Dec 30)
- <Possible follow-ups>
- Re: malformed sql queries Peter Gutmann (Dec 29)
- Re: malformed sql queries JayBonci (Dec 29)
- Re: malformed sql queries Peter Gutmann (Dec 29)
- Re: malformed sql queries Blue Boar (Dec 29)
- Re: malformed sql queries Kevin Hegg (Dec 31)