September 10, 2004 at 8:13 am
I am testing the security of a .NET application that processes an incoming message into fields it inserts into a database. In one 35-byte text field, I replaced the actual context of the message with DELETE FROM (TABLENAME). The exact format I am using is ";DELETE FROM TABLENAME". I also tried with single quotes. It didn't execute the SQL.
The developers aren't including error-checking to verify the value of that field because they feel that the format of the content might change in the concievable future, and then they don't have to re-code the check.
Is there any way I can get SQL server to execute the SQL statement instead of just treating it as text and populating the database with it?
September 10, 2004 at 10:02 am
You could place the field data into a variable and then EXEC sp_executesql @field but....
IF there is no validation except to INSERT into the field WHY would there be code on your side to EXEC it???
Good Hunting!
AJ Ahrens
webmaster@kritter.net
September 10, 2004 at 10:05 am
Yes. Suffice it to say that you can imbed SQL to cause issues if the fields are not sufficiently edited and you either know how the SQL is structured (an inside job) or make enough good guesses. I just don't think that a "how to launch an attack" is a good tutorial to be posting.
September 10, 2004 at 10:05 am
My purpose is more to make sure that any SQL that gets put in there, since there is no error-checking, won't get executed and screw up the database. I guess that's the case. =)
Ty,
September 10, 2004 at 11:19 am
As a side note, you can avoid the vast majority of such attacks by replacing ' with '' (two single quotes) within any data fields just prior to concatenating it into the sequal string so long as you are using quotes around the value in your sql. For example, if the field is placed directly into the field because it is supposed to be an integer you would have to edit it to make sure that it truely is merely an integer before doing so.
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply