Home page logo
/

pen-test logo Penetration Testing mailing list archives

SQL Injection Question
From: "Kurt M.D John" <kurt.md.john () gmail com>
Date: Sun, 19 Sep 2010 20:36:09 -0400

Hey Guys,

take a look at the email below. I recently did a pentest and found that a site was vulnerable to sql injection but it was minimal. The user which runs the queries has read-only access and the information is public but an sql injection still spits out the full table nonetheless. The information below is what the DB Admin sent me in defence of the potential vulnerability. My question is, since it is vulnerable to sql injection can statements be mutated to get dangerous results such as privilege escalation, etc. I am not familiar with sql injection


""" --Start DB Admin's defence

I captured the select string from the form and found the they were in fact return a requested recorded set not a failed request. Here is an example of the captured string :

SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME

FROM PROJECT

WHERE PROJECT.FOLIO_NBR LIKE '' or '1'='1%'

ORDER BY PROJ_NBR , PROJ_NAME

As you can see the request is for *FOLIO_NBR LIKE '' or '1'='1%'*

The request does return folio_nbr that are blank

I believe that because the form behind the scene constructs the “where clause” as follows:

The value of PMSTPARCEL is ' or '1'='1

*PFILTER = "PROJECT.FOLIO_NBR LIKE '" + PMSTPARCEL + "%'" *

and sends this on to the stored procedure where it is assembled as follows

*SET** @SELECTSTRING = 'INSERT INTO #TempTable SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM PROJECT WHERE '*

* *

*SET** @ORDERBY =' ORDER BY PROJ_NBR , PROJ_NAME'*

* *

*SET** @SELECTSTRING = @SELECTSTRING + @PFILTER + @ORDERBY *

Which yields :

*SELECT** PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME *

* FROM PROJECT*

* WHERE PROJECT.FOLIO_NBR LIKE '' or '1'='1%'*

* ORDER BY PROJ_NBR , PROJ_NAME*

That SQL injection is not happening--End DB Admin's Defence """

--
--Kurt M.D. John, CISA, C|EH, CPT


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]