Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Row-0 mitigation of SQL injection
From: "Zed Qyves" <zqyves.spamtrap () gmail com>
Date: Thu, 7 Jun 2007 10:17:02 +0300


Although interesting, it is quite inneficient in my opinion, at least
as far as stopping attacks.

Experience have shown, to me at least, that once you have an SQL
injection, one way or another (that is the easy (*)or the hard
way(**)), you will be able to deduce the db schema in terms of tables
and columns.

(*) Detailed error messages, having 1=1 and groups afterwards, etc...
(**) Blind, Bruteforce union select field types and number etc...

After that, and since you have control over a query then the first
line is whatever you tell it to be. consider the following:

select * from users where login = 'zavarakatranemia' union select
<insert fields that meet the UNION SELECT requirements here> from
<table you want>;

Unless you have a user called zavarakatranemia then having a dummy
first row won't do you any good.


On 6/7/07, Jim Halfpenny <jimsmailinglists () gmail com> wrote:
One thing I've noticed about SQL injection is that quite often the
injected code returns a data set and the vulnerable application plucks
the first row from the set. Consider a simple example where a login
form is vulnerable and the following code is generated:

select * from users where login = '' or 'a' = 'a';

Instead of returning one row as expected the whole table is returned
and the application more often than not reads the first row. This hack
is especially bad if the first user in the table has admin right,
which is often the case.

One way of potentially hobbling simple SQL injection would be to
insert a sentinel record at the beginning of the table (hence the
row-0 concept). This this row is ever returned the the application can
be made aware something bad has happened.

Does this sound like a good idea, or does it encourage poor coding by
having a safety net? All comments welcome.


This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!


ἐν τῇδ᾽ ἔφασκε γῇ· τὸ δὲ ζητούμενον
ἁλωτόν, ἐκφεύγειν δὲ τἀμελούμενον.
Οιδίπους Τύρρανος [110]
In this our land, so said he, those who seek  Shall find; unsought, we
lose it utterly.
Oedipus Rex [110]

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]