Posted by Andy Hassall on 12/21/05 16:21
On 21 Dec 2005 01:03:30 -0800, "pantagruel" <rasmussen.bryan@gmail.com> wrote:

>Hi, I'm worried that one of our online applications is exposed to a
>possible SQL injection attack. I don't have the code for the
>application as it is developed by a third party but the request:
>
>my.php?x='1+1'

OK, bear in mind that "+" in URLs means a space.

>returns the error
>
>Database error: Invalid SQL: SELECT x_id, x_type FROM object WHERE
>x_serial = ''1 1''
>MySQL Error: 1064 (You have an error in your SQL syntax. Check the
>manual that corresponds to your MySQL server version for the right
>syntax to use near '1 1''' at line 1)
>Session halted.

You can see that the value has gone directly into the SQL statement,
surrounded by single quotes. The "+" was replaced by a space because of the way
spaces in URLs are encoded.

>Now looking at that it seems not to be open to an SQL injection because
>the x querystring parameter was cleansed before being passed to
>x_serial, at least that is my interpretation.

My interpretation is that no cleansing has taken place at all.

>does this seem reasonable? Other than that I am of course somewhat
>annoyed at the application spitting out sql code in its error report.
>
>Is there anything I should try to pass as a parameter that will tell me
>for sure if it is allowing SQL injection. The database, which I found
>out from another error code on another page, is MySql.

Something like:

my.php?x='+or+'x'%3d'x

That should produce the query:

SELECT x_id, x_type FROM object WHERE x_serial = '' or 'x'='x'

Which, instead of fetching the row(s) matching the value of x_serial passed,
will return all data.
--
Andy Hassall :: andy@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
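As an added illustration (not code from this thread or from the application being discussed), the following Python script reproduces the reply's reasoning end to end: it decodes the two requests quoted above the way a web server would (so "+" becomes a space and %3d becomes "="), splices the raw x value into the statement exactly as the error message shows the application doing, and then runs the same inputs through a parameterized query, which is the fix. It uses sqlite3 with a constructed `object` table in place of the real MySQL database; the function names and the sample rows are assumptions.

```python
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed stand-in for the application's `object` table (sample rows only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE object (x_id INTEGER, x_type TEXT, x_serial TEXT)")
    conn.executemany(
        "INSERT INTO object VALUES (?, ?, ?)",
        [(1, "widget", "A100"), (2, "gadget", "B200"), (3, "widget", "C300")],
    )
    return conn


def x_from_query_string(qs):
    """Decode the x parameter as the web server hands it to the script:
    '+' becomes a space and percent-escapes such as %3d are decoded."""
    return parse_qs(qs, keep_blank_values=True)["x"][0]


def build_concatenated_sql(x):
    """The pattern the leaked error message reveals: the decoded value is
    dropped straight between two single quotes with no escaping."""
    return "SELECT x_id, x_type FROM object WHERE x_serial = '" + x + "'"


def query_concatenated(conn, x):
    """Vulnerable path: runs the concatenated statement. Returns the rows, or an
    'error: ...' string when the spliced value breaks the SQL syntax (the
    behaviour behind the 'Invalid SQL' report in the thread)."""
    try:
        return conn.execute(build_concatenated_sql(x)).fetchall()
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def query_parameterized(conn, x):
    """Hardened path: the driver sends x as a bound value, never as SQL text,
    so quotes and keywords inside it can only ever be compared against x_serial."""
    return conn.execute(
        "SELECT x_id, x_type FROM object WHERE x_serial = ?", (x,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for qs in ("x='1+1'", "x='+or+'x'%3d'x"):
        x = x_from_query_string(qs)
        print("request      :", "my.php?" + qs)
        print("decoded x    :", repr(x))
        print("built SQL    :", build_concatenated_sql(x))
        print("concatenated :", query_concatenated(conn, x))
        print("parameterized:", query_parameterized(conn, x))
        print()
```

Run as a script it prints, for each request, the statement the concatenating code produces (matching the two statements quoted in the thread), the result of executing it, and the result of the parameterized version: the first request is a syntax error on the vulnerable path, the second returns every row there, and both return nothing on the parameterized path because no x_serial equals the literal string supplied.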