WebApp Sec mailing list archives
RE: SQL Injection Basics
From: "Brass, Phil (ISS Atlanta)" <PBrass () iss net>
Date: Tue, 11 Feb 2003 10:43:39 -0500
Standard disclaimer: prepared statement "injection protection" varies by application environment, database driver, and database. Make sure you test your environment. Phil
-----Original Message-----
From: Kevin Spett [mailto:kspett () spidynamics com]
Sent: Monday, February 10, 2003 10:27 PM
To: Keith Smith; rnilsen () catalystone com; 'Taco Fleur'; webappsec () securityfocus com
Cc: 'Nick Jacobsen'
Subject: Re: SQL Injection Basics

ADO Command objects.

Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Keith Smith" <ksmith () firesnacks com>
To: <rnilsen () catalystone com>; "'Taco Fleur'" <tacofleur () nella net au>; <webappsec () securityfocus com>
Cc: "'Nick Jacobsen'" <nick () ethicsdesign com>
Sent: Monday, February 10, 2003 8:11 PM
Subject: RE: SQL Injection Basics

Robert: In ASP, what is equivalent to a prepared statement... i.e. must one use for example a Stored Procedure in MS SQL Server, or is there some ASP code level means of doing so... e.g. Recordsets etc. Any good sources for information here?

Keith

-----Original Message-----
From: Robert Nilsen [mailto:rnilsen () catalystone com]
Sent: Monday February 10, 2003 6:08 PM
To: Taco Fleur; webappsec () securityfocus com
Cc: Nick Jacobsen
Subject: RE: SQL Injection Basics

I might be missing the point here (and surely it must have been posted/explained before), but in my world, the safest way to do SQL is through prepared statements, a.k.a. bind variables/parameters, whenever someone out in the client segment has "touched" the input. Rule number one must always be to never trust the client! And being sloppy just once with validation could mean the end of your data = not putting focus on security! By using prepared statements, the code is safer AND, in most cases, the next run will execute quicker.

-Robert

-----Original Message-----
From: Taco Fleur [mailto:tacofleur () nella net au]
Sent: 10 February 2003 23:31
To: webappsec () securityfocus com
Cc: Nick Jacobsen
Subject: Re: SQL Injection Basics

SQL Injection works only when
1. SELECT * FROM foo WHERE foobar = $var
2. SELECT * FROM foo WHERE foobar = '$var'

In number 1, if the variable is not checked for the type of integer, people can submit for example
/urlstring/index.cfm?var=1; AND NASTY CODE HERE

In number 2, if the variable is not checked for tick marks, and does not escape any that are found
/urlstring/index.cfm?var=blah' AND NASTY CODE HERE --

In ColdFusion ALL ticks submitted are escaped, I'm sure more languages out there do that.

Anyway, what I am after is the backdoor, the Unicode equivalent... Anyone? I got this %25%32%37 from Davy, which makes sense but still does not work with ColdFusion. The following is the result:
SELECT category FROM mytable WHERE (category = '%27')

I am trying to find all possible ways for SQL Insertion so I can protect myself against it. Like I said I already convert any characters like ' () < > to its HTML equivalent, but I believe there is a way to get around this with Unicode, but not sure...

----- Original Message -----
From: "Nick Jacobsen" <nick () ethicsdesign com>
To: <dhurst () spidynamics com>; <webappsec () securityfocus com>
Sent: Tuesday, February 11, 2003 7:37 AM
Subject: Re: SQL Injection Basics

Right, I wasn't thinking too well... makes sense. Though, according to quite a few SQL injection FAQs I have read, it said that you could only inject code if the developer used tick marks. However, I just recently used SQL injection on some code where the developer used NO tick marks, but injection still worked if the injection string contained TWO tick marks. Was this just a fluke, or is it something that the FAQs had wrong?

Nick J.
nick () ethicsdesign com

----- Original Message -----
From: "Dennis Hurst" <dhurst () spidynamics com>
To: "'Nick Jacobsen'" <nick () ethicsdesign com>
Cc: <webappsec () securityfocus com>
Sent: Monday, February 10, 2003 8:59 AM
Subject: RE: SQL Injection Basics

Nick,

Good question, but SQL Injection is absolutely an issue in VBScript (ASP pages). Here's the deal, the ' only acts as a comment if it's in the source code, not when it's in a variable. So... If you have code that looks like this:

    Dim sSql, rs, oConnection
    '..... Setup the connection......
    sSql = "Select * from myCustomers where FirstName = '" & Request("txtFirstName") & "'"
    Set rs = oConnection.Execute(sSql)
    '.....do something with the returned data.....

And a user puts a ' in the text box called txtFirstName you end up with something that acts like this:

    Dim sSql, rs, oConnection
    '..... Setup the connection......
    sSql = "Select * from myCustomers where FirstName = '''"
    Set rs = oConnection.Execute(sSql)
    '.....do something with the returned data.....

Have a great day,

Dennis Hurst
dhurst () spidynamics com
SPI Labs

-----Original Message-----
From: Nick Jacobsen [mailto:nick () ethicsdesign com]
Sent: Monday, February 10, 2003 6:07 AM
To: Loki; raul.johhut () hushmail com
Cc: webappsec () securityfocus com
Subject: Re: SQL Injection Basics

Hmm... just a guess here, but if a developer is using VBScript as the scripting language, would SQL injection be impossible, since in VBScript the " ' " mark is a comment mark, and therefore never used in SQL statements?

Nick J
nick () ethicsdesign com

----- Original Message -----
From: "Loki" <loki () fatelabs com>
To: <raul.johhut () hushmail com>
Cc: <webappsec () securityfocus com>
Sent: Saturday, February 08, 2003 9:16 PM
Subject: Re: SQL Injection Basics

Raul:

SQL injection is not replacing the userid field in the url with "sdfsd", it's escaping an SQL query with a single tick (') that the developer doesn't escape (or in the case of PHP, GLOBALS is turned on in the php.ini). SQL injection is simply altering the SQL query sent to the SQL server and executing a malicious query instead of what was expected by the developer. Depending on the remote server (Oracle, Microsoft SQL, MySQL, PostgreSQL), these statements will only differ based on their stored procedures. Microsoft SQL containing the more fun procedure of (xp_cmdshell) :)

e.g. 'SELECT * FROM USERS
Username: ' or 1=1--

There are several papers available on SQL injection attacks, one in particular written by Chris Anley at http://www.nextgenss.com/research/papers.html

Typically, you can quickly check web apps for vulnerability to injection by just entering a single tick (') in the form submission field, hitting submit, and looking for any errors such as ODBC, etc.

Loki
Fate Research Labs
www.fatelabs.com

On Sat, 2003-02-08 at 20:21, raul.johhut () hushmail com wrote:

I am pen testing a webapp and am having some problems with SQL injection. The app creates an ODBC error. Is this a guarantee of SQL Injection? If I use www.victim/test.asp?userid=sfdsd the error is "inncorrect syntax near line 28 of test.asp" (or that's the English translation equiv in my case). I know the database is called master, and has a table test. What is the syntax I should use? What are the best freeware and open source tools for testing SQL injection? I tried WPoison which was OK. I also tried WebSleuth (which seems to have gone from GPL to closed source commercial btw). Am I right in saying that the SQL plugin has to connect directly to the database to work? I can only see port 80 so don't think this will work?

Thanks, Raul.

--
Loki <loki () fatelabs com>
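The points the thread above keeps circling (Taco's two query shapes, Dennis's `'''` example, Robert's and Kevin's advice to use bind parameters, and Taco's double-encoded %25%32%37 question) in one runnable script. This is an added example, not code from any poster; it uses Python with SQLite in place of ASP, ADO and MS SQL Server, the customer rows are constructed, and `breaks_query`, `canonicalize` and the two filter functions are hypothetical names used only for illustration.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample data; table and column names follow Dennis's snippet.
# O'Brien is a legitimate value that happens to contain a tick mark.
SAMPLE_CUSTOMERS = [(1, "Alice"), (2, "Bob"), (3, "Carol"), (4, "O'Brien")]


def make_db():
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE myCustomers (id INTEGER PRIMARY KEY, FirstName TEXT)")
    # executemany binds each value, so the tick in O'Brien is stored as data.
    conn.executemany("INSERT INTO myCustomers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_concat(conn, first_name):
    """Vulnerable form (Taco's case 2, Dennis's sSql): the input is pasted
    between tick marks, so a tick in the input closes the literal and whatever
    follows is parsed as SQL."""
    sql = ("SELECT id FROM myCustomers WHERE FirstName = '"
           + first_name + "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, first_name):
    """Safe form: a prepared statement with a bind parameter. The value is
    handed to the driver separately and is never parsed as SQL text."""
    sql = "SELECT id FROM myCustomers WHERE FirstName = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (first_name,))]


def breaks_query(conn, first_name):
    """True when the concatenated query fails to parse. A single tick gives
    Dennis's FirstName = ''' statement; the resulting driver error is the
    symptom Loki describes (and it also bites honest names like O'Brien)."""
    try:
        lookup_concat(conn, first_name)
    except sqlite3.Error:
        return True
    return False


def canonicalize(value, max_rounds=5):
    """URL-decode repeatedly until the string stops changing. Validation that
    runs on anything other than this canonical form can be fooled by an extra
    layer of encoding, which is why Taco's %25%32%37 question arises."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_filter_rejects(value):
    """A tick filter that decodes exactly once (as the web server would)
    before looking for the character: it does not see %27 inside %25%32%37."""
    return "'" in unquote(value)


def canonical_filter_rejects(value):
    """The same filter applied after canonicalization; the tick is visible.
    Even so, filtering stays a second line of defence behind parameters."""
    return "'" in canonicalize(value)


if __name__ == "__main__":
    db = make_db()
    probe = "' or 1=1--"   # Loki's example input
    print("concat, honest input:", lookup_concat(db, "Alice"))
    print("concat, Loki's input:", lookup_concat(db, probe))
    print("param,  Loki's input:", lookup_param(db, probe))
    print("concat breaks on O'Brien:", breaks_query(db, "O'Brien"))
    print("param finds O'Brien:", lookup_param(db, "O'Brien"))
    print("one-pass filter sees %25%32%37:", naive_filter_rejects("%25%32%37"))
    print("canonical filter sees it:", canonical_filter_rejects("%25%32%37"))
```

Running it shows the concatenated query returning every row for Loki's input and raising a syntax error for `'` and for O'Brien, while the parameterized query treats both as plain strings: Loki's input matches nothing and O'Brien matches its own row. In classic ASP the counterpart of `lookup_param` is what Kevin names: an ADODB.Command whose Parameters collection carries the user value, rather than a string built for `oConnection.Execute`.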