RE: Paper: SQL Injection Attacks by Example

To: Michael.Scovetta@xxxxxx, davidl@xxxxxxxxxxxxxxx, steve@xxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: Paper: SQL Injection Attacks by Example
From: Michael Silk <michaelsilk@xxxxxxxxx>
Date: Thu, 6 Jan 2005 08:44:06 +1100
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding; b=PpfXCEQ6Db2M7um/vaw7PDccYx448mKq0OXKKIR7XmYy3YCHB6tA0FntYCpS9C0pfYAa72i/hZvQMUvSgXFlMCkVuKPYgicwHQAFaCNyHerehY3GZxfuJRaTwtGHqf+eGxicb0PO2gxeEWzpQOr5atap8DXZfsu0O2x6nUfLbK8=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: Michael Silk <michaelsilk@xxxxxxxxx>

 Michael,

 But that doesn't really matter - you'd attempt to execute your
malicious code at the level where the procedure is executed, not
inside of it.

 I.e. the code could be:
 sql = " exec spSuperSecure " + one + ", " + two;

 We aren't really interested in "spSuperSecure" and it's typed
parameters, you just append your new malicious query on the end of it.

 Although it does depend a bit on the type of  sql injection you are
trying to perform ... you can't add on a " or 1 = 1" on a
password-matching procedure.

-- Michael

> -----Original Message-----
> From: Scovetta, Michael V [mailto:Michael.Scovetta@xxxxxx] 
> Sent: Thursday, 6 January 2005 7:11 AM
> To: David Litchfield; Steve Friedl; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: Paper: SQL Injection Attacks by Example
> 
> David,
> 
> Actually, to nitpick your comment a bit, stored procedures 
> usually have typed input variables:
> 
>       create procedure foo ( a int, b varchar(20) ) as ...
> 
> At least in MSSQL, you'd have to do something bad like use 
> sp_executesql or some other function that will re-form a 
> complete sql query and pass that to the interpreter. As long 
> as you do more sensible stuff like:
> 
>       insert into table (name, age) values (@b, @a)
> 
> you should be fine.
> 
> Michael Scovetta
> Computer Associates
> Senior Application Developer
> 
> -----Original Message-----
> From: David Litchfield [mailto:davidl@xxxxxxxxxxxxxxx]
> Sent: Wednesday, January 05, 2005 2:20 PM
> To: 'Steve Friedl'; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: Paper: SQL Injection Attacks by Example
> 
> Hi Steve,
> Nice paper. However, one small nitpick - under "Mitigations" 
> you list using stored procedures if the database supports 
> them. I've seen other people suggest this as a defensive 
> strategy as well.
> 
> Using stored procedures will *not* protect you from SQL 
> injection attacks.
> Firstly, they can be injected into just as easily as a select 
> statement.
> Secondly, the procedure itself can be vulnerable to SQL 
> injection. I have seen for example, procs that use double 
> quotes internally and single quotes on input.
> 
> That said, stored procedures are generally faster so it's 
> better to use them for performance reasons, anyway.
> 
> Cheers,
> David Litchfield

Prev by Date: RE: Paper: SQL Injection Attacks by Example
Next by Date: [ GLSA 200501-05 ] mit-krb5: Heap overflow in libkadm5srv
Previous by thread: RE: Paper: SQL Injection Attacks by Example
Next by thread: RE: Paper: SQL Injection Attacks by Example
Index(es):
- Date
- Thread