SQL Injection first try - MySQL and Perl

From: Simon Waters (Simon@wretched.demon.co.uk)
Date: Fri Dec 19 2003 - 19:47:53 EST


Not a Pen-Test but software review.....

it does (roughly)...

$var1=$form{'varname'}; # where %form is a hash of values from a POST;
                        # no sanitisation performed.

->do("Insert into tablename values ( 'stuff..','stuff','$var1');");

I bashed the following into the form:

'); insert into table2 values (1,'fred','stuff

Expecting it to close the last "'", and bracket, and semicolon.
Variations ending

'); //

Showed no more joy. And other variations....

They all barf "SQL syntax error", and something about
"connection-reduction" (which Google seems to think is something else
entirely).

I'm not clear if there is something in MySQL, or Perl DBI (all from
Redhat 9 RPMs BTW), that is deliberately stamping on my naive attempts
at SQL injection.

That it is giving 'SQL syntax error' makes me think SQL injection is
possible, and it looks like a classic mistake to me. Also the
application does a lot of "prepare" SQL queries but substitutes
variables in the "prepare" rather than using placeholders, I assume
these are also vulnerable but probably exploiting them is harder?

Mainly I just want to demonstrate SQL injection against the code (if it
is possible), as someone has to be convinced to spend time, effort and
money cleaning up what is functionality-wise a good application, with
some naive coding in places.

Is there a list of SQL injections that have worked against such stuff,
as I'm sure most of it is about how to quote or encode special characters.

Guess it is the difference between believing it is "iffy", and proving it.
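As an added illustration (not part of the original post, and not the reviewed application's code), the following Perl/DBI script puts the interpolated-INSERT pattern described above next to the placeholder form that removes the injection. It uses DBD::SQLite with an in-memory database so it runs without a MySQL server; the table and column names, and the sample form value, are assumed for the example.

```perl
#!/usr/bin/perl
# Added example, not from the original post: interpolated SQL vs. DBI
# placeholders. Assumes DBD::SQLite; table/column names are made up.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE tablename (a TEXT, b TEXT, c TEXT)");

# Constructed form input: an ordinary value that happens to contain a
# single quote. No malicious payload is needed to show the defect.
my %form = ( varname => "O'Reilly" );
my $var1 = $form{'varname'};    # no sanitisation, as in the reviewed code

# 1. Vulnerable pattern: the value is spliced into the SQL text, so the
#    quote in the input ends the string literal and the statement no
#    longer parses. This is the "SQL syntax error" symptom from the post.
my $sql = "INSERT INTO tablename VALUES ('stuff..', 'stuff', '$var1')";
eval { $dbh->do($sql) };
print "interpolated: ", ($@ ? "SQL syntax error: $@" : "ok"), "\n";

# 2. Fixed pattern: placeholders. The driver passes the value separately
#    from the statement text, so quotes in $var1 are data, never syntax.
my $sth = $dbh->prepare("INSERT INTO tablename VALUES (?, ?, ?)");
$sth->execute('stuff..', 'stuff', $var1);
print "placeholder: ok\n";

# 3. The same rule covers the "prepare with variables substituted in"
#    pattern mentioned in the post: keep the statement shape fixed and
#    bind the variable parts.
my $rows = $dbh->selectall_arrayref(
    "SELECT a, b, c FROM tablename WHERE c = ?", undef, $var1);
printf "stored %d row(s); c = %s\n", scalar @$rows, $rows->[0][2];

# Fallback only where a placeholder is not possible: $dbh->quote()
# escapes the literal for the connected driver (SQLite doubles the
# quote; DBD::mysql backslash-escapes it).
my $quoted = $dbh->quote($var1);
print "quoted literal: $quoted\n";
```

Running it shows the first INSERT failing with a syntax error while the placeholder version stores the value intact, which is exactly the difference between the interpolation the post describes and the DBI placeholder idiom it asks about.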





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:44 EDT