-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=
-= SQL Interjection Attack =-
-= By Fiend =-
-= all.rice@slcstreetracing.com =-
-= http://www.2600slc.org =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Basic Information:

It is assumed that the reader is familiar with the concept of dynamically driven websites and specifically with server-side languages that deliver content from a database. A slight knowledge of SQL and of how databases interact with the server is helpful. A deep understanding isn't required for this document.

Test Environment:

Server: Apache/1.3.22 (Darwin) PHP/4.0.6 mod_ssl/2.8.5 OpenSSL/0.9.6b
Database: MySQL 3.23.36

Premise:

Dynamically driven websites can be open to attack by not validating the commands they send to their database.

Main:

Many websites populate their pages with dynamic content from a database and use this to fill in HTML templates (examples: google.com, slashdot.org). This is very helpful for search engines and news sites, but it can also leave security holes. A webpage asks a database for certain content through a server-side program (perl/cgi, php, coldfusion, asp). It is how this server-side program handles the interaction that can cause the problem.

If a website wants to grab all of the information from a table (my_table) in a database, it uses a command similar to "SELECT * FROM my_table;". This returns all of the records in my_table. Often sites will store sensitive information about users/customers in another table (customers) and use a different SQL command to get only that user's records: "SELECT user_name, password, e-mail FROM customers WHERE user_name LIKE AND password LIKE ;" This compares database records against variables taken from an HTML login form. The problem appears when the webpage stores the SQL command in a common variable name ($SQL) and doesn't validate the command before sending it to the database.
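To make the $SQL problem concrete, here is an added example (not from the original article) that models the login page in Python over an in-memory SQLite table: a vulnerable handler whose query text can be replaced by a request parameter named sql, the way an unvalidated $SQL variable can be, next to a hardened handler where the query is a constant and form values only ever reach the database as bound parameters. The customers rows, column names and request dictionaries are constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for the article's "customers" table.
CUSTOMERS = [
    ("bob", "hunter2", "bob@example.invalid"),
    ("alice", "s3cret", "alice@example.invalid"),
]

# The article's login query, assembled by string formatting the way a
# 2002-era PHP page would have built it from the form variables.
DEFAULT_SQL = ("SELECT user_name, password, email FROM customers "
               "WHERE user_name LIKE '%s' AND password LIKE '%s'")


def make_db():
    """In-memory database holding the constructed customers table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (user_name TEXT, password TEXT, email TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return db


def vulnerable_login(db, params):
    """Models the page's bug: a request parameter called 'sql' silently
    overrides the $SQL variable, so whatever query text the client sent
    is what the database executes."""
    sql = params.get("sql")
    if sql is None:
        sql = DEFAULT_SQL % (params.get("user", ""), params.get("pass", ""))
    return db.execute(sql).fetchall()


def safe_login(db, params):
    """Hardened form: the query text is a constant in the code, request
    data reaches the database only as bound parameter values (so a 'sql'
    parameter is simply ignored), the comparison uses = rather than LIKE
    so '%' in the input is not a wildcard, and only the columns the page
    actually needs are selected."""
    sql = ("SELECT user_name, email FROM customers "
           "WHERE user_name = ? AND password = ?")
    args = (params.get("user", ""), params.get("pass", ""))
    return db.execute(sql, args).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login(db, {"user": "bob", "pass": "hunter2"}))
    print(vulnerable_login(db, {"sql": "SELECT * FROM customers"}))
    print(safe_login(db, {"user": "bob", "pass": "hunter2",
                          "sql": "SELECT * FROM customers"}))
```

The second call returns every customer row because the query came from the request; the third returns only bob's row, regardless of the extra sql parameter.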
Example:

login.php?user=bob&pass=****
Regular URL.

login.php?user=bob&pass=****&sql=SELECT * FROM customers
The SQL command can be overloaded through the URL. This command will cause the SQL server to select all of the records about all of the customers and display them on the website, giving you private information about the users.

login.php?sql=drop%20table%20customers
This command will completely drop the table and make them restore it from backup. This can be very useful if you already know a user's old password or the default password.

Conclusion:

This is very fun but also damaging and illegal, although you are simply asking the webpage for information and it gives the sensitive information out to you. You can be caught and convicted of being the little terrorist* you are!

*Thanks to the PATRIOT act for considering geeks the same as terrorists and silencing scientists with the DMCA; that'll really make us safer.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-
© 2600SLC.ORG 2002
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-