========================================== = Malformed SQL query = =----------------------------------------= = Author: Gabriel A. Maggiotti = =----------------------------------------= = Email: gmaggiotat_private = =----------------------------------------= = Webpage: http://qb0x.net = ========================================== The goal of this type of vulnerability is modifying the original SQL query. Supposing that a dynamic webpage runs a query in a database server and trying to imagine the query structure, it's possible to modify the same query with the goal of injecting a malformed one. The following examples were proven with this architecture: - Intel 686 - Apache/1.3.14(Unix) - PHP/4.0.2 - perl v5.6.0 - Mysql 3.23.25 - Probably works in other architectures. A common query: (1) SELECT * from table WHERE id=$id where $id is a variable that the web progammer use to perform the query. This implies that the variable is potentially revalueable (if is not checked before using it). We could inject some malicious query in this way: http://www.host.com/file?id="malicious_code" Mysql( I don't know if it is a SQL standard), allows to make this type of query: SELECT * FROM table INTO outfile '/tmp/file.txt'; This query writes the output of "SELECT * FROM table" into "/tmp/file.txt". Depending on the server permissions, the reach of this vulnerability. In mysql case, it doesn't rewrite files. Injecting the malicious query(1): - For webserver Apache with cgi's in perl( but works for others ) http://www.host.com/file?id=121%20into%20outfile%20'/tmp/file.txt' Where "%20" is the hexa of the blank character. Good!!!, with this one you are able to write in "/tmp/file.txt", but the content is the result of the original query. It's at this point where is up to your imagination to create a useful query. :)) Also is posible to read any file, making a query and dumping the result to a table. (2) LOAD DATA INFILE "/etc/passwd" INTO TABLE table; This query keeps in the table "table" the content from passwd, depending on the permissions of mysql daemon. If I choose the table correctly: CREATE TABLE table( txt text ); I could inject the malicious query in this way: http://www.host.com/file?id=121%20load%20data%20in%20file%20'/root/passwd' .... Currently, I'm writing more about this kind of vulnerabilities
This archive was generated by hypermail 2b30 : Sat Dec 29 2001 - 18:12:15 PST