June 11th, 2002, 05:45 PM
DB driven Site? - SQLxploit white paper
if any of you have a database driven site using asp, php or cfm or anything else...you should ...maybe even must... have a look at this white paper i found...
it is a very good read on advanced sql injection which is a huge security issue for many sites and needs to be attended to...or you will lose control of your your tables...or lose all you data....
as you will see...it's as easy as this entry in any form field....
jo'; drop table authors--
and say goodbye to you authors table....
I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
June 11th, 2002, 05:58 PM
This is great reading! Since more and more web sites are becoming database driven, I have noticed more and more canned scripts to make this happen are cropping up all over the place. This paper goes to show that a little help goes a long way for somebody worried about site break in's. Thanks for the post...
**digs in his big bag o' greenies**
June 11th, 2002, 07:02 PM
God, I'm only halfway, and I'm wondering how many sites will be affected by this. Good find zigar!
I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.
June 11th, 2002, 07:36 PM
This dates back to 1998. Take a look at the following two articles on wiretrip by .rain.forest.puppy.:
"How I hacked PacketStorm" (wwwthreads advisory)
NT Web Technology Vulnerabilities
Also I mentioned sql piggy-backing in my tutorial:
Securing an installation of IIS 4. (No, seriously)
That said - good post. Not enough people know. There's nothing you can do about this but ensure that any code you write checks user input properly. Write your checking mechanism as a class and re-use it everywhere you accept user input. Like I say in the tutorial you should automatically dissallow any user input that contains a ';' character (used to close a line in SQL and an easy way to add a new, unintended, one).
If anyone's interested I have the details of a penetration test that I set up using this exploit (I will not post this openly however for obvious reasons - maybe in the addicts forum when I am allowed in - If a senior wants to post my research there on my behalf PM me). I never used the passwords/cc# I gathered, but take it from me that this is a _SERIOUS_ threat.
\"I may not agree with what you say, but I will defend to the death your right to say it.\"
Sir Winston Churchill.