From: suntzu123@gmail.com
Date: Fri Dec 16 2005 - 21:23:25 EST
Recently we came across a client engagement related to the client's web site. During the assessment, it turned out that a PHP search page was possibly
vulnerable to SQL injection: if we feed the search field of the page with the following classic input "hi' or 1=1" (without quotes), it returns the
SQL query of the underlying PHP page (the user input goes between the %% pair in the LIKE clause):
SELECT ID, NAME, CLUB_CATEGORY_ID, ADDRESS, DRINK_PRICE, AREA_ID, PHONES, ARTISTS FROM CLUB WHERE ACTIVE = 1 AND NAME
LIKE '%hi' or 1=1%' AND ID >0 ORDER BY NAME
The issue is that, when I tried to feed it with a statement such as "' UNION SELECT username FROM USERS WHERE username like '%' --" (without the
double quotes, and focusing on getting a list of user names by commenting out the rest of the query), we ended up with the following error:
Error during SQL execution
SELECT ID, NAME, CLUB_CATEGORY_ID, ADDRESS, DRINK_PRICE, AREA_ID, PHONES, ARTISTS FROM CLUB WHERE ACTIVE = 1 AND NAME
LIKE '%' UNION SELECT username FROM USERS WHERE username like '%' --
Given the assumption that MySQL is running behind this PHP page, we failed to get the usernames from the MySQL system table "users"; the
obvious result from this output is that the comments did not work as intended.
Have you ever faced such a situation? Reading the documentation of all major databases (MS SQL, Oracle, MySQL, Informix, Ingres, Postgres, etc.), it
turns out that all of these databases should implement the universal "--" commenting mechanism in their SQL queries.
What am I missing here?
Thanks in advance for your help,
st
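Added example (not part of the original post, and not the assessed site's PHP code): the query shown above is built by splicing the search term directly into the SQL text, which is why a single quote in the input breaks the statement and why the error handler then leaks the full query. The script below reproduces that string-building pattern against a constructed in-memory SQLite table named CLUB (column names borrowed from the post, all row values made up), shows that the post's own input "hi' or 1=1" is rejected by the parser rather than searched for, and puts a parameterised version beside it. The hardened version also escapes the LIKE wildcards "%" and "_", since binding the term as a parameter keeps it out of the SQL grammar but does not stop it acting as a pattern inside the LIKE value. The function names and the ESCAPE character are this example's choices, not anything from the post.

```python
import sqlite3

# Constructed sample rows standing in for the CLUB table named in the post;
# every value here is made up for this example.
SAMPLE_CLUBS = [
    # ID, NAME, CLUB_CATEGORY_ID, ADDRESS, DRINK_PRICE, AREA_ID, PHONES, ARTISTS, ACTIVE
    (1, "High Note", 1, "1 Main St", 5.0, 1, "555-0100", "DJ A", 1),
    (2, "Blue Room", 2, "2 Side St", 7.5, 1, "555-0101", "Band B", 1),
    (3, "Closed Bar", 1, "3 Old St", 4.0, 2, "555-0102", "", 0),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed CLUB rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CLUB (ID INTEGER, NAME TEXT, CLUB_CATEGORY_ID INTEGER, "
        "ADDRESS TEXT, DRINK_PRICE REAL, AREA_ID INTEGER, PHONES TEXT, "
        "ARTISTS TEXT, ACTIVE INTEGER)"
    )
    conn.executemany("INSERT INTO CLUB VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_CLUBS)
    return conn


def search_unsafe(conn, term):
    """Vulnerable pattern: the raw term is spliced between the %% pair of the
    LIKE clause, exactly as the query echoed in the post implies. A quote in
    the term changes the statement; the post's application then displayed the
    whole failed query to the user, which is the information leak."""
    sql = (
        "SELECT ID, NAME FROM CLUB WHERE ACTIVE = 1 AND NAME LIKE '%"
        + term
        + "%' AND ID > 0 ORDER BY NAME"
    )
    return [row[1] for row in conn.execute(sql)]


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so the user's text matches literally.
    Parameter binding keeps the term out of the SQL grammar, but '%' and '_'
    are still wildcards inside the bound pattern value."""
    return (
        term.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_safe(conn, term):
    """Hardened version: the pattern is bound as a parameter, so the term can
    never terminate the string literal or append clauses to the statement."""
    sql = (
        "SELECT ID, NAME FROM CLUB WHERE ACTIVE = 1 AND NAME LIKE ? ESCAPE '\\' "
        "AND ID > 0 ORDER BY NAME"
    )
    pattern = "%" + escape_like(term) + "%"
    return [row[1] for row in conn.execute(sql, (pattern,))]


def unsafe_raises(conn, term):
    """True if the vulnerable query fails to parse for this term (the
    condition under which the post's page echoed its SQL)."""
    try:
        search_unsafe(conn, term)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    payload = "hi' or 1=1"  # the input quoted in the post
    print("vulnerable query rejected by parser:", unsafe_raises(db, payload))
    print("hardened query, same input:", search_safe(db, payload))
    print("hardened query, 'note':", search_safe(db, "note"))
    print("hardened query, literal '%':", search_safe(db, "%"))
```

Running it shows the two behaviours side by side: the concatenated query raises a parse error on the post's input (which a production page should log server-side and answer with a generic message, never the query text), while the bound version simply searches for the literal string and returns no rows. The escaping step matters in its own right: without it, a term of "%" would match every active row, which is harmless for a club listing but is a wildcard-enumeration problem wherever a LIKE search runs over sensitive columns.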
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:16 EDT