Re: Paper: SQL Injection Attacks by Example

To: "Scovetta, Michael V" <Michael.Scovetta@xxxxxx>
Subject: Re: Paper: SQL Injection Attacks by Example
From: Chip Andrews <chip@xxxxxxxxxxxxxxx>
Date: Wed, 05 Jan 2005 16:37:51 -0500
Cc: David Litchfield <davidl@xxxxxxxxxxxxxxx>, Steve Friedl <steve@xxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <8DC79B1EA961734C852BE2D5ECC069A001A7E220@xxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <8DC79B1EA961734C852BE2D5ECC069A001A7E220@xxxxxxxxxxxxxxx>
User-agent: Mozilla Thunderbird 1.0 (Windows/20041206)

Michael,

I think David's point was that the lack of input validation that causedthe SQL injection problem in the first place will not be mitigated bychanging to a stored procedure. For example if we changed the followingstandard query implementation:

Set myRS = Conn.execute("select foo from bar where id=" &request.form("someIntValue"))


To the following Stored Procedure implementation:

Set myRS = Conn.execute("exec usp_getFooBar " &request.form("someIntValue"))

We have not mitigated anything. (simply supply the following exploitcode in the second example: 1;exec master..xp_cmdshell'blahblahblah'-- etc etc) It doesn't matter that the stored procedureinput was well typed - our injection happens outside the storedprocedure anyway. And, as you mentioned, if the stored procedure usesthe EXECUTE statment or sp_executesql procedures then we *may* stillhave a SQL injection issue INSIDE the stored procedure as well.

If the response is "well, of course, you need to call your storedprocedure using a parameterized query". However, if we usedparameterized queries then both are mitigated so changing to a storedprocedure is a wash.The correct way to do data access above is like this (C# sample):(whether you use stored procs or not)


//Begin Sample
con = new SqlConnection(YourConnectionString);
con.Open();
string CommandText = "usp_getFooBar";
cmd = new SqlCommand(CommandText,con);
cmd.CommandType = StoredProcedure;   //Change to Text for an adhoc query
cmd.Parameters.Add(new SqlParameter("@ID", System.Data.SqlDbType.Int );
cmd.Parameters["@ID"].Value = Request.Form("someIntValue");
SqlDataReader rdr = cmd.ExecuteReader();
//close stuff as usual
//End Sample

Chip Andrews
www.sqlsecurity.com


Scovetta, Michael V wrote:

David,

Actually, to nitpick your comment a bit, stored procedures usually have
typed input variables:

        create procedure foo ( a int, b varchar(20) ) as ...

At least in MSSQL, you'd have to do something bad like use sp_executesql
or some other function that will re-form a complete sql query and pass
that to the interpreter. As long as you do more sensible stuff like:

        insert into table (name, age) values (@b, @a)

you should be fine.

Michael Scovetta
Computer Associates
Senior Application Developer

References:
- RE: Paper: SQL Injection Attacks by Example
  - From: Scovetta, Michael V

Prev by Date: RE: Paper: SQL Injection Attacks by Example
Next by Date: Re: Paper: SQL Injection Attacks by Example
Previous by thread: RE: Paper: SQL Injection Attacks by Example
Next by thread: Re: Paper: SQL Injection Attacks by Example
Index(es):
- Date
- Thread