Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: SQL Injection Question
From: chintan dave <davechintan () gmail com>
Date: Mon, 20 Sep 2010 18:07:46 +0530

You didn't mention what DB is in use. If its sql server 2005, try
xp_cmdshell or other xp_* stored procedures. Tried to '; shutdown--?

Please don't shut the db down if it is prod environment. However you
can give it a shot if its QA.

It looks as if the back end SQL query is generated dynamically from
user supplied input. Even the stored procedure implementation is not a
secure one. Suggest parameterized queries and strong input validation.
This should be helpful. I have already covered exploitation part
before.

Hope this answers your question.

On Mon, Sep 20, 2010 at 6:06 AM, Kurt M.D John <kurt.md.john () gmail com> wrote:
Hey Guys,

take a look at the email below. I recently did a pentest and found that a
site was vulnerable to sql injection but it was minimal. The user which runs
the queries has read-only access and the information is public but an sql
injection still spits out the full table nonetheless. The information below
is what the DB Admin sent me in defence of the potential vulnerability. My
question is, since it is vulnerable to sql injection can statements be
mutated to get dangerous results such as privilege escalation, etc. I am not
familiar with sql injection


""" --Start DB Admin's defence

I captured the select string from the form and found the they were in fact
return a requested recorded set not a failed request. Here is an example of
the captured string :

SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME

FROM PROJECT

WHERE PROJECT.FOLIO_NBR LIKE '' or '1'='1%'

ORDER BY PROJ_NBR , PROJ_NAME

As you can see the request is for *FOLIO_NBR LIKE '' or '1'='1%'*

The request does return folio_nbr that are blank

I believe that because the form behind the scene constructs the “where
clause” as follows:

The value of PMSTPARCEL is ' or '1'='1

*PFILTER = "PROJECT.FOLIO_NBR LIKE '" + PMSTPARCEL + "%'" *

and sends this on to the stored procedure where it is assembled as follows

*SET** @SELECTSTRING = 'INSERT INTO #TempTable SELECT
PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM PROJECT WHERE '*

* *

*SET** @ORDERBY =' ORDER BY PROJ_NBR , PROJ_NAME'*

* *

*SET** @SELECTSTRING = @SELECTSTRING + @PFILTER + @ORDERBY *

Which yields :

*SELECT** PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME *

* FROM PROJECT*

* WHERE PROJECT.FOLIO_NBR LIKE '' or '1'='1%'*

* ORDER BY PROJ_NBR , PROJ_NAME*

That SQL injection is not happening--End DB Admin's Defence """

--
--Kurt M.D. John, CISA, C|EH, CPT


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------





-- 
Regards,
Chintan Dave,

LinkedIn: http://in.linkedin.com/in/chintandave
Blog:http://www.chintandave.com

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault