Jason, Forum Fanatic
Joined: 19 Sep 2002 Posts: 16777215
Posted: Sun Dec 01, 2002 5:22 pm Post subject: Exploiting SQL Injection
Hi, this was taken from the following URL: http://www.security-forums.com/forum/viewtopic.php?t=602
saxo wrote:
5. Do Not Send SQL Queries Without Filtering User Input
SQL Injection is the process of exploiting a Web application, usually through a Web form, tricking it to pass malicious SQL statements to the database server. With Microsoft's SQL Server, this is often done by entering a single quote in the Web form, followed by the correctly formed SQL. For example, consider the following code to authenticate a user from a Web form:
strSQL="SELECT * FROM Customers WHERE Username = '" & Request("Username") & "' AND Password = '" & strPassword & "'"
Now this code is quite typical of what you would see in a Web application. However, consider what would happen if the user entered the following:
Username: Test
Password: ' or True
When the strSQL string is built, the resulting SQL will be as follows:
strSQL="SELECT * FROM Customers WHERE Username = 'ValidUser' AND Password = '' or True --'"
This statement will essentially return the ValidUser customer, regardless of what password is set for that account; the True condition will always cause the WHERE condition to match. Note that the double dash ("--") at the end of the statement acts as a comment character, ignoring the remaining characters.
To sanitize form input for sending to a database, always be sure to escape the single quote by searching and replacing it with two single quotes. This will cause the database to send the quote string as a literal character rather than interpreting it as the closing of a string. Be aware, however, that since numeric input does not require quotes, this technique will not be effective. In the case of numeric input, simply check that the form input is indeed numeric.
My question is, how do you change the statement type? I.e., if you have a select statement, how can you change this to a delete * statement on the fly?
Cheers,
J
AverageJoeUser, Just Arrived
Joined: 18 Dec 2002 Posts: 0 Location: US
Posted: Fri Dec 20, 2002 12:31 am
I would suggest looking around the 'net for some good papers. Off the top of my head, look to www.sqlsecurity.com and www.ngssoftware.com for some additional insight.
-AJ
ShaolinTiger, Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
Posted: Fri Dec 20, 2002 1:26 am
I'm pretty sure I posted something about how to exploit SQL injection...but I'm buggered if I can find it.
Maybe it was on usenet..
Jason, Forum Fanatic
Joined: 19 Sep 2002 Posts: 16777215
Posted: Fri Dec 20, 2002 2:02 am
I think I figured this out a little while ago:
Quote:
Select * from customers where name = 'joe' ; delete * from customers
From what I understand, the semicolon is supposed to let you "finish" the current statement and begin a new one. Not tested it.
Thanks for posting though. Will bookmark the sites for future reference.
J
AverageJoeUser, Just Arrived
Joined: 18 Dec 2002 Posts: 0 Location: US
Posted: Fri Dec 20, 2002 6:55 pm
A good way to test for site vulnerability is to simply throw in a single quote (') in all user input fields. If these are fed directly into a SQL statement, it should fail (because you are appending an unclosed open quotation in the statement). This means that the backend DB is exposed and the front-end application is subject to exploit.
Also, user input is not limited to user input fields. Typical attack routes are URL querystring parameters, 'hidden' fields, cookies, and any other point where data is used/expected from the client/user. Further, ASP-bound SQL can/will expose DB structure through standard ODBC error messages...so do your best to remove SQL from the presentation layer.
Anyway, those sites should offer enough information on what to look for. Good luck!
-AJ
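The pieces discussed so far, put together as an added example (not code from this thread, nor from the quoted article): the article's concatenated login query next to a parameterised one, the article's quote-doubling and numeric-check mitigations, AJ's single-quote probe, and Jason's semicolon question. It runs against an in-memory SQLite table; the Customers rows, the `1=1` variant of the article's `' or True` payload and the stacked `DELETE` are constructed for the example, and the `&` between the two conditions in the quoted strSQL is read as SQL AND. Whether a second statement after a semicolon actually runs is driver- and server-specific: Python's sqlite3 refuses more than one statement per execute() call, other drivers (and SQL Server through ADO/ODBC) may not, which is exactly why the fix is to bind parameters rather than to rely on the driver.

```python
"""Login check from the quoted article, concatenated vs parameterised.
Added example for this thread, not code from the forum or the article.
Table, rows and payload variants below are constructed."""
import sqlite3

# Constructed stand-in for the article's Customers table.
SAMPLE_CUSTOMERS = [("alice", "s3cret"), ("bob", "hunter2")]


def fresh_db():
    """New in-memory database seeded with the sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def build_query(username, password):
    """The VBScript strSQL line, done in Python: user input is glued straight
    into the SQL text (the article's '&' between the conditions read as AND)."""
    return ("SELECT * FROM Customers WHERE Username = '" + username
            + "' AND Password = '" + password + "'")


def login_unsafe(conn, username, password):
    """Vulnerable path: executes the concatenated text verbatim.
    Returns ("ok", row) or ("error", message). The message is the kind of
    detail a verbose ODBC/ASP error page hands to the client."""
    try:
        return ("ok", conn.execute(build_query(username, password)).fetchone())
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # sqlite3.Warning is what Python < 3.12 raises for a second statement.
        return ("error", str(exc))


def login_safe(conn, username, password):
    """Hardened path: bound parameters. Quotes, comment markers and
    semicolons in the input stay data and never become SQL syntax."""
    row = conn.execute(
        "SELECT * FROM Customers WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchone()
    return ("ok", row)


def escape_single_quotes(value):
    """The article's fallback for string input: double each single quote so
    the database reads it as a literal character. Does nothing for unquoted
    numeric input, hence is_numeric() below."""
    return value.replace("'", "''")


def is_numeric(value):
    """The article's rule for numeric fields: accept only digits."""
    return value.isdigit()


def customer_count(conn):
    """Row count, used to show that the stacked DELETE never ran."""
    return conn.execute("SELECT COUNT(*) FROM Customers").fetchone()[0]


if __name__ == "__main__":
    db = fresh_db()
    # Same idea as the article's "' or True": the OR swallows the password check.
    bypass = "' OR 1=1 --"
    print("unsafe, bypass payload :", login_unsafe(db, "Test", bypass))
    print("safe,   bypass payload :", login_safe(db, "Test", bypass))
    print("unsafe, escaped payload:", login_unsafe(db, "Test", escape_single_quotes(bypass)))
    # AJ's probe: a lone quote breaks the concatenated statement and leaks an error.
    print("unsafe, single quote   :", login_unsafe(db, "alice", "'"))
    print("safe,   single quote   :", login_safe(db, "alice", "'"))
    # Jason's question: a second statement after a semicolon. This driver
    # rejects it outright; the row count shows nothing was deleted.
    stacked = "x'; DELETE FROM Customers --"
    print("unsafe, stacked        :", login_unsafe(db, "joe", stacked))
    print("rows still present     :", customer_count(db))
    print("numeric check          :", is_numeric("42"), is_numeric("1 OR 1=1"))
```

The unsafe path returns alice's row for a username that does not exist, because the injected OR makes the WHERE clause true for every row, while the parameterised path returns nothing for the same input. The single-quote probe produces a parser error only on the unsafe path, which is the signal AJ describes; whether that error text reaches the browser is the "remove SQL from the presentation layer" point.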
Jason, Forum Fanatic
Joined: 19 Sep 2002 Posts: 16777215
Posted: Fri Dec 20, 2002 7:05 pm
Cheers mate.
I got to that stage, it was just working out how to do something malicious with a select statement that I needed a bit of help with.
Thanks again.
J
Giro, New Member
Joined: 25 Mar 2004 Posts: 22 Location: England
ComSec, Trusted SF Member
Joined: 26 Jul 2002 Posts: 16777215
Posted: Sat Dec 21, 2002 12:58 am
Here is another URL link I posted, related to SQL; you might pick some info up from here... don't know if it's been updated yet with a few programs.
http://www.sqlsecurity.com/scripts.asp