| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <B49655397ECADAE1E6355B29@utd65257.utdallas.edu> Date: Fri, 06 Nov 2009 10:04:54 -0600 From: Paul Schmehl <pschmehl_lists@...rr.com> To: Vladimir Vorontsov <vladimir.vorontsov@...ec.ru>, Full disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: MySQL trick for SQL injection --On Friday, November 06, 2009 06:55:22 -0600 Vladimir Vorontsov <vladimir.vorontsov@...ec.ru> wrote: > > Good day! > > I recently encountered a problem with the implementation of SQL injection. > > I wanted to write a file with the code interpreter to execute commands, but > in the end always append bracket, which I thought was supposed to be a > spoiler. > > Comments at the end of the query to be filtered. The last character is > always append a closing parenthesis. Use a null-byte, too, was impossible. > > Was an injection of this type: > > $query = "select bla-bla from content_comments where user_id in (select > user_id from User where id =".removeBadChars($_GET['id']).");"; > Where removeBadChars () kills such things as: > -- > /* > but leaves /**/ > I wanted to write a script to execute commands in a file. The rows included > in the first select, but the presence of brackets before inkludom demanded > its closure after it. Besides tricky function is not allowed to finish a > comment form - or /* at the end of the query. > > As a result, very surprised, because that's such an option: > > select bla-bla from content_comments where user_id in (select user_id from > User where id = 1/**/into/**/outfile/**/"/var/www/avatars/img.php") > > recorded in the file the result of EXTERNAL select!. > > Checked in > MySQL 4.1.22 > MySQL 5.1.x > What privileges did the user who performed the select have? INTO OUTFILE is a dangerous routine (as you've clearly demonstrated), but that privilege must be specifically granted to a user before it's possible to execute it. No sensible administrator would grant the FILE privilege to a webserver application's database acccount. (Usually SELECT, INSERT, and UPDATE should be enough.) OTOH, if you've found a way to execute FILE without having that privilege granted to the account, you've uncovered a serious problem. -- Paul Schmehl, Senior Infosec Analyst As if it wasn't already obvious, my opinions are my own and not those of my employer. ******************************************* "It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists