Penetration Testing
SQL Injection Question Sep 20 2010 12:36AM
Kurt M.D John (kurt md john gmail com) (4 replies)
Hey Guys,

Take a look at the email below. I recently did a pentest and found that
a site was vulnerable to SQL injection, but it was minimal. The user
which runs the queries has read-only access and the information is
public, but an SQL injection still spits out the full table nonetheless.
The information below is what the DB admin sent me in defence of the
potential vulnerability. My question is, since it is vulnerable to SQL
injection, can statements be mutated to get dangerous results such as
privilege escalation, etc.? I am not familiar with SQL injection.

""" --Start DB Admin's defence

I captured the select string from the form and found the they were in
fact return a requested recorded set not a failed request. Here is an
example of the captured string :

SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME

FROM PROJECT

WHERE PROJECT.FOLIO_NBR LIKE '' or '1'='1%'

ORDER BY PROJ_NBR , PROJ_NAME

As you can see the request is for *FOLIO_NBR LIKE '' or '1'='1%'*

The request does return folio_nbr that are blank

I believe that because the form behind the scene constructs the ?where
clause? as follows:

The value of PMSTPARCEL is ' or '1'='1

*PFILTER = "PROJECT.FOLIO_NBR LIKE '" + PMSTPARCEL + "%'" *

and sends this on to the stored procedure where it is assembled as follows

*SET** @SELECTSTRING = 'INSERT INTO #TempTable SELECT
PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM PROJECT WHERE '*

* *

*SET** @ORDERBY =' ORDER BY PROJ_NBR , PROJ_NAME'*

* *

*SET** @SELECTSTRING = @SELECTSTRING + @PFILTER + @ORDERBY *

Which yields :

*SELECT** PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME *

* FROM PROJECT*

* WHERE PROJECT.FOLIO_NBR LIKE '' or '1'='1%'*

* ORDER BY PROJ_NBR , PROJ_NAME*

That SQL injection is not happening--End DB Admin's Defence """

--
--Kurt M.D. John, CISA, C|EH, CPT
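The string assembly the DB admin describes (PFILTER built by concatenating PMSTPARCEL, then appended to @SELECTSTRING and @ORDERBY), reproduced in Python against an in-memory SQLite table, as an added example that is not part of the original post or of any reply in the thread. The PROJECT rows and the APP_USERS table are constructed sample data, and build_vulnerable_select is a hypothetical reconstruction of the described concatenation, not the site's or the stored procedure's code. It shows why the captured payload only returns rows with a blank FOLIO_NBR (in SQLite, as in SQL Server, '1'='1%' is a plain string comparison and is false), that a payload ending in a comment marker returns the whole table, that a UNION payload reads from a table the form never exposes, and that binding the value as a parameter stops all three.

```python
import sqlite3

# Constructed sample data (not from the original post): a PROJECT table with the
# four columns named in the captured query, including one row with a blank
# FOLIO_NBR, plus a hypothetical APP_USERS table the web form never queries.
SCHEMA = """
CREATE TABLE PROJECT (PROJ_NBR INTEGER, STATUS TEXT, FOLIO_NBR TEXT, PROJ_NAME TEXT);
INSERT INTO PROJECT VALUES (1, 'OPEN',   'A100', 'Bridge repair');
INSERT INTO PROJECT VALUES (2, 'CLOSED', 'B200', 'Road widening');
INSERT INTO PROJECT VALUES (3, 'OPEN',   'C300', 'Sewer upgrade');
INSERT INTO PROJECT VALUES (4, 'OPEN',   '',     'Untitled');
CREATE TABLE APP_USERS (ID INTEGER, LOGIN TEXT, PW_HASH TEXT, ROLE TEXT);
INSERT INTO APP_USERS VALUES (1, 'dbadmin', 'hash-placeholder', 'admin');
"""


def open_db():
    """Build the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_vulnerable_select(pmstparcel):
    """Hypothetical reconstruction of the assembly the DB admin described:
    PFILTER = "PROJECT.FOLIO_NBR LIKE '" + PMSTPARCEL + "%'" followed by
    @SELECTSTRING + @PFILTER + @ORDERBY. The user-supplied value becomes
    part of the SQL text, so quotes in it change the statement's shape."""
    pfilter = "PROJECT.FOLIO_NBR LIKE '" + pmstparcel + "%'"
    selectstring = "SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM PROJECT WHERE "
    orderby = " ORDER BY PROJ_NBR , PROJ_NAME"
    return selectstring + pfilter + orderby


def run_vulnerable(conn, pmstparcel):
    """Execute the concatenated statement exactly as assembled."""
    return conn.execute(build_vulnerable_select(pmstparcel)).fetchall()


def run_parameterized(conn, pmstparcel):
    """The fix: the SQL text is constant and the filter value is bound as a
    parameter, so quotes, OR, UNION or comment markers in the value are
    only ever compared against FOLIO_NBR, never parsed as SQL."""
    sql = ("SELECT PROJ_NBR,STATUS,FOLIO_NBR,PROJ_NAME FROM PROJECT "
           "WHERE PROJECT.FOLIO_NBR LIKE ? ORDER BY PROJ_NBR , PROJ_NAME")
    return conn.execute(sql, (pmstparcel + "%",)).fetchall()


if __name__ == "__main__":
    db = open_db()
    payloads = [
        "' or '1'='1",     # the value captured on the site: only blank folios match
        "' or 1=1 --",     # comment marker discards the trailing %' and ORDER BY
        "' UNION SELECT ID,LOGIN,PW_HASH,ROLE FROM APP_USERS --",
    ]
    for p in payloads:
        print("PMSTPARCEL =", repr(p))
        print("  statement:", build_vulnerable_select(p))
        print("  concatenated :", run_vulnerable(db, p))
        print("  parameterized:", run_parameterized(db, p))
```

The comment marker works because both SQLite and SQL Server treat `--` as a line comment, so everything the stored procedure appends after the injected value is discarded. In T-SQL the equivalent fix is to keep @SELECTSTRING constant with a named parameter in the WHERE clause and pass PMSTPARCEL through the parameter list of sp_executesql instead of concatenating it into @PFILTER. A read-only login limits what an injected UNION can reach (whatever that login is allowed to SELECT), but it does not change the fact that the attacker, not the form, decides what the statement is.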

------------------------------------------------------------------------

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Re: SQL Injection Question Sep 20 2010 01:57PM
Jason Ross (algorythm gmail com) (1 replies)
Re: SQL Injection Question Sep 20 2010 02:56PM
Kurt M.D John (kurt md john gmail com)
Re: SQL Injection Question Sep 20 2010 01:44PM
Dan Crowley (dcrowley coresecurity com)
Re: SQL Injection Question Sep 20 2010 12:37PM
chintan dave (davechintan gmail com)
Re: SQL Injection Question Sep 20 2010 12:29PM
Joe Peters (joepete joepete com)

Copyright 2010, SecurityFocus