B
Bã§TãRÐ
I have been working on this particular project for a little over 2 weeks now. This product contains between 700-900 stored procedures to handle just about all you can imagine within the product. I
just personally rewrote/reformatted close to 150 of them myself. Nothing too fancy, mostly a lot of formatting. We have a little down time between Q/A and fixing any bugs they find so I decided to
test the security of the site with Cross-Site Scripting and SQL injection. Because SP's are used in pretty much every aspect of the site, the site isnt vunerable to the simple Injection stuff like '
OR 1 = 1 . Instead I've had to try several things which I will get to in a minute. As I have access to all of these SP's and the dB in which they reside, I could easly look at the code and determine
what variables are neede to pass in. I've been trying to break the site to give up a database name so I can proceed to check the system tables etc etc - much like a regular hacker would (meaning not
cheating by looking at the code). So, I've started my attack by downloading a local version of the login page, changing a few variables and injected somthing like:
'SELECT * FROM INFORMATION_SCHEMA.TABLES
Initially, the statement is passed into the form fields and wont return anything other than a JS popup error. I altered the statement intentionally to break the page
SELECT * FROM INFORMATION_SCHEMA.TA'
and it produces an error giving me the name of the query and its location
when I plug the name of the query in the url i.e http://theurl.com/query_folder/query_name/ it fires me off to another folder containing an include file of some sort.
When I run that include it gives me the name of a pretty important variable. Apparetly its a variable that determins what dB I should point to.
Now, one of the issues I have is that everything is a stored procedure so trying to hack it is a little more difficult. But because I have the SP name and one of the variables its needs (found through
lots of testing) I've been trying to construct something that will throw an error to produce a dB or table name. The attack looks something like this:
'SET @var2Exec = 'DECLARE @var1 VARCHAR(2000); DECLARE @var2 INT SET @var1 = ''SELECT * FROM INFORMATION_SCHEMA.TABLES'' SET @var2 = 12345 ; EXEC(@var1)'
'EXEC(@var2Exec)'
I will always return an error saying that @var2 is of the wrong type etc. Essentially this means that I am passing in 2 variables to a SP that requires more than 2. So my question is, does anyone know
of a way to exploit the nature of Stored Procedures? It can be done, but my knowledge of SQL Injection is pretty limited but was wondering if anyone tests their own sites in this manner. Any
suggestions would be greatly appreciated.
just personally rewrote/reformatted close to 150 of them myself. Nothing too fancy, mostly a lot of formatting. We have a little down time between Q/A and fixing any bugs they find so I decided to
test the security of the site with Cross-Site Scripting and SQL injection. Because SP's are used in pretty much every aspect of the site, the site isnt vunerable to the simple Injection stuff like '
OR 1 = 1 . Instead I've had to try several things which I will get to in a minute. As I have access to all of these SP's and the dB in which they reside, I could easly look at the code and determine
what variables are neede to pass in. I've been trying to break the site to give up a database name so I can proceed to check the system tables etc etc - much like a regular hacker would (meaning not
cheating by looking at the code). So, I've started my attack by downloading a local version of the login page, changing a few variables and injected somthing like:
'SELECT * FROM INFORMATION_SCHEMA.TABLES
Initially, the statement is passed into the form fields and wont return anything other than a JS popup error. I altered the statement intentionally to break the page
SELECT * FROM INFORMATION_SCHEMA.TA'
and it produces an error giving me the name of the query and its location
when I plug the name of the query in the url i.e http://theurl.com/query_folder/query_name/ it fires me off to another folder containing an include file of some sort.
When I run that include it gives me the name of a pretty important variable. Apparetly its a variable that determins what dB I should point to.
Now, one of the issues I have is that everything is a stored procedure so trying to hack it is a little more difficult. But because I have the SP name and one of the variables its needs (found through
lots of testing) I've been trying to construct something that will throw an error to produce a dB or table name. The attack looks something like this:
'SET @var2Exec = 'DECLARE @var1 VARCHAR(2000); DECLARE @var2 INT SET @var1 = ''SELECT * FROM INFORMATION_SCHEMA.TABLES'' SET @var2 = 12345 ; EXEC(@var1)'
'EXEC(@var2Exec)'
I will always return an error saying that @var2 is of the wrong type etc. Essentially this means that I am passing in 2 variables to a SP that requires more than 2. So my question is, does anyone know
of a way to exploit the nature of Stored Procedures? It can be done, but my knowledge of SQL Injection is pretty limited but was wondering if anyone tests their own sites in this manner. Any
suggestions would be greatly appreciated.