July 29, 2011 at 1:57 pm
SELECT *
FROM companies
where ID=1update companies set name='wwww'
How does it work? It's even wrong: there is not even a character after "ID=1". It even works in Enterprise Manager and even passes the syntax check.
If SQL Server converts something to an integer, then why is the numeric equivalent of "1update" 1? Actually, why does it select the number part? Why does it continue to interpret commands?
This is how my friend's web site was hacked: they wrote that command in the URL. I know how they did it, but that is not the issue for this forum.
So friends, tell me why SQL Server works that way, and as long as everyone knows it, why don't they fix it?
Thanks.
July 29, 2011 at 2:10 pm
Since SQL identifiers have to start with a letter, SQL knows that the "1" can't be the start of a column name and as such has to be a number. Therefore it knows that the "u" is separate from the "1" and starts parsing it differently, which ends up as a new command. Likewise, SQL will interpret this fine and not error, but return 0 rows:
SELECT *
FROM Person.Contact
where contact.ContactID=1and Contact.FirstName='wwww'
The reason your friend's site got hacked probably doesn't have anything to do with this functionality. Even without it, I'm betting that there's another way the same vulnerability could have been taken advantage of.
July 29, 2011 at 2:17 pm
aykut canturk (7/29/2011)
...tell me why sqlserver works that way and as long as everyone knows it, why they dont fix it ?
It works that way by design.
Can't fix what is not broken 🙂
_____________________________________
Pablo (Paul) Berzukov
Author of Understanding Database Administration available at Amazon and other bookstores.
Disclaimer: Advice is provided to the best of my knowledge but no implicit or explicit warranties are provided. Since the advisor explicitly encourages testing any and all suggestions on a test non-production environment, the advisor should not be held liable or responsible for any actions taken based on the given advice.
July 29, 2011 at 2:28 pm
aykut canturk (7/29/2011)
This is how my friend's web site was hacked: they wrote that command in the URL. I know how they did it, but that is not the issue for this forum.
My guess is your friend's site has a SQL Injection vulnerability and the hackers were just a little lazy. Even if SQL didn't allow this, the hacker could have just put a ; between the statements.
Fix the SQL Injection vulnerability. This particular parsing shortcut is not a vulnerability; there must have been a way to add the second statement, and that's the vulnerability.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
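Added example, not part of this thread or anyone's post above: a T-SQL script that shows the tokenizer behaviour from the first reply (the number 1 ending where "update" begins) turning into the second statement Gail describes, and the fix she recommends. It assumes a scratch table dbo.companies(ID int, name nvarchar(100)) and a constructed URL value; the vulnerable pattern concatenates the raw value into the statement text, the hardened pattern binds it as a typed parameter through sp_executesql. Run it on a test database only.

```sql
-- Added example (not code from the thread). Assumes a scratch table
-- dbo.companies and a constructed attacker value; run on a test database.
SET NOCOUNT ON;
CREATE TABLE dbo.companies (ID int PRIMARY KEY, name nvarchar(100));
INSERT INTO dbo.companies (ID, name) VALUES (1, N'Contoso'), (2, N'Fabrikam');

-- The value as it arrived in the URL (constructed for this example).
DECLARE @id_from_url nvarchar(200) = N'1update companies set name=''wwww''';

-- 1. Vulnerable pattern: the raw value is concatenated into the statement text.
--    T-SQL tokenizes "1update" as the number 1 followed by the keyword UPDATE,
--    so two statements run: the SELECT, then the attacker's UPDATE.
--    A ';' or a space between them would work just as well for the attacker.
DECLARE @sql nvarchar(max) =
    N'SELECT * FROM dbo.companies WHERE ID=' + @id_from_url;
EXEC (@sql);
SELECT name AS after_concatenation FROM dbo.companies WHERE ID = 1;  -- 'wwww'

-- Restore the row before the second run.
UPDATE dbo.companies SET name = N'Contoso' WHERE ID = 1;

-- 2. Hardened pattern: the value is bound as an int parameter and never
--    becomes part of the statement text, so the trailing "update ..." can
--    only be data. Here the nvarchar -> int conversion of the whole value
--    fails (error 245, "Conversion failed ..."), and nothing is executed.
BEGIN TRY
    EXEC sys.sp_executesql
        N'SELECT * FROM dbo.companies WHERE ID = @id',
        N'@id int',
        @id = @id_from_url;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;
END CATCH;
SELECT name AS after_parameterized FROM dbo.companies WHERE ID = 1;  -- 'Contoso'

DROP TABLE dbo.companies;
```

The same rule applies in the application layer: parse the URL parameter as an integer before it reaches the database, and pass it as a typed parameter (SqlParameter, a prepared statement, or sp_executesql as above) rather than building the query string. Once the value is data rather than text, how the tokenizer splits "1update" stops mattering.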