SQL injection

  • Oh my. There's SQL injection, then there's this.

    http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • Holy crap! That is some seriously heinous code. Makes you wonder what the database looks like, doesn't it?

    :sick:

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning

  • This is amazing, isn't it? What still stuns me is how many people always attend SQL Injection seminars at PASS and other events still and are surprised by Injection vulnerabilities.

  • Well, you can't really call it SQL "Injection" since they were actually trying to execute raw URL text as SQL. More like "SQL Suction".

    -- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
    Proactive Performance Solutions, Inc.
    "Performance is our middle name."

  • rbarryyoung (4/16/2008)

    Well, you can't really call it SQL "Injection" since they were actually trying to execute raw URL text as SQL. More like "SQL Suction".

    Agreed - it's kind of like the difference between "paper cut" and "gaping chest wound".

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?

  • I don't think I want to know what the DB looks like. I do wonder what account the web site was accessing the DB with.

    Drop database .... ?

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • And how much do you want to bet that they don't have a tested backup in place either... I wish I didn't hate travel so much. I can see why consultants make so much money.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning

  • GilaMonster (4/17/2008)

    I don't think I want to know what the DB looks like. I do wonder what account the web site was accessing the DB with.

    Drop database .... ?

    Had they not patched the flaw, I'm sure you could have run the SQL statements necessary to see the whole schema. The account running them was probably SA.
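The two failures the thread keeps coming back to are the "raw URL text as SQL" pattern and the "probably SA" account. The following is an added example, not code from the thread or from the site in the linked article: a small Python/SQLite script that puts the string-pasting lookup beside a parameterised one, then applies a SELECT-only authorizer to the connection to stand in for running the web site under a read-only database account rather than sa. The table, the names, the SSN-shaped values and the probe string are all constructed for the demo.

```python
import sqlite3

# Constructed sample rows (fake values); this is not data from the article.
SAMPLE_ROWS = [
    ("Alice Adams", "000-00-0001"),
    ("Bob O'Brien", "000-00-0002"),
    ("Carol Cole", "000-00-0003"),
]

# Constructed probe: the classic tautology a code reviewer or tester feeds a
# lookup to confirm that its input is bound as a value, not parsed as SQL.
PROBE = "x' OR '1'='1"


def make_db():
    """In-memory SQLite database holding the constructed 'people' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """The 'SQL suction' pattern: request text pasted into the statement.
    Whatever the caller puts in `name` becomes part of the SQL grammar,
    so an ordinary apostrophe breaks it and a crafted value rewrites it."""
    sql = "SELECT name, ssn FROM people WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: `name` is bound as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT name, ssn FROM people WHERE name = ?", (name,)
    ).fetchall()


def outcome(call):
    """Run a lookup and report either its rows or that the SQL itself failed."""
    try:
        return call()
    except sqlite3.DatabaseError:
        return "sql error"


def restrict_to_select(conn):
    """Least privilege at the connection level: permit only SELECT and READ.
    This is the SQLite stand-in for a read-only application account; the
    thread does not say what account the site used, only that it was
    probably sa, which is what this guards against."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ}

    def authorizer(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


def try_statement(conn, sql):
    """Return 'ok' or 'denied' so the effect of the authorizer is visible."""
    try:
        conn.execute(sql)
        return "ok"
    except sqlite3.DatabaseError:
        return "denied"


def run_demo():
    """Exercise both lookups, then show what a SELECT-only connection stops."""
    conn = make_db()
    results = {
        # A legitimate name containing an apostrophe: the pasted query breaks,
        # the parameterised one returns the row.
        "unsafe_apostrophe": outcome(lambda: lookup_unsafe(conn, "Bob O'Brien")),
        "safe_apostrophe": lookup_safe(conn, "Bob O'Brien"),
        # The probe: the pasted query now returns every row in the table,
        # the parameterised one looks for a person literally named PROBE.
        "unsafe_probe": outcome(lambda: lookup_unsafe(conn, PROBE)),
        "safe_probe": lookup_safe(conn, PROBE),
    }
    restrict_to_select(conn)
    results["select_restricted"] = try_statement(conn, "SELECT name FROM people")
    results["drop_restricted"] = try_statement(conn, "DROP TABLE people")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The authorizer only approximates a database-level permission grant; on a real server the equivalent is a dedicated login with SELECT on the tables the site needs and nothing else, so that even a statement that slips through the application layer cannot drop or alter anything.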
