It is assumed that the cast user data to a numeric type is fully protected from SQL injection vulnerabilities.
Look at simple example:
This code looks like SQLi protected, but it is not true.
Do not forget two obvious facts:
1. Minus is SQL operatator
2. Numbers can be negative
Now its easy to understand SQL logic in this case (w/o injection):
And SQL injection attack vector in this case:
In our example attacker can bypass auth.
This example requires tables role and role0 both in database.
Look at simple example:
$action = $_GET['do']; $r=$db->query("select role".((int)$action)." from users where id=".((int)$_SESSION['user_id'])); if($row=$r->fetchArray()){ if((int)$row[0]!==1){ die('permission denied'); }else{ doAction($action); } }
This code looks like SQLi protected, but it is not true.
Do not forget two obvious facts:
1. Minus is SQL operatator
2. Numbers can be negative
Now its easy to understand SQL logic in this case (w/o injection):
select role0 from users where id=0
And SQL injection attack vector in this case:
select role-1 from users where id=0
In our example attacker can bypass auth.
This example requires tables role and role0 both in database.
Should the last sentence say "columns role and role0 both in the table users"?
ОтветитьУдалить> describe us;
ОтветитьУдалить+-------+------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-------+------+------+-----+---------+-------+
| role0 | text | YES | | NULL | |
| role1 | text | YES | | NULL | |
| role | text | YES | | NULL | |
+-------+------+------+-----+---------+-------+
3 rows in set (0.04 sec)
> select role-1 from us;
+--------+
| role-1 |
+--------+
| -1 |
+--------+
1 row in set (0.00 sec)
array list
0 => key
0 => value (-1)
$me=mysql_query("SELECT role-1 FROM us");
$f=mysql_fetch_array($me);
echo $f[0]; //output -1
var_dump(-1!==1); //true
dude failed
in the second case
snip___
MariaDB [data]> select role+1 from us;
+--------+
| role+1 |
+--------+
| 1 |
+--------+
Этот комментарий был удален автором.
УдалитьЭтот комментарий был удален автором.
Удалитьhttp://pastebin.com/SLGw3ECU
ОтветитьУдалитьFor Numeric type of columns role, role0...roleN of course :)
ОтветитьУдалитьThe article fail vector
ОтветитьУдалитьBut I wrote about it, see 8)
What if just manually change the stupid value? I mean inline URL editing. In that case this isn't new. Not easy to exploit
ОтветитьУдалитьI think author want to show that u can't use critical values from frontend. I wouldn't use roles at least.
Can't understand your post. This vector works well.
ОтветитьУдалитьAnd text columns obviously not about this.
Just about minus as a SQL operator. Types of database columns which can be operated through minus depends from DB type. Test SQLite, for example.
Этот комментарий был удален автором.
ОтветитьУдалитьYour text can be considered a case of
ОтветитьУдалитьMariaDB [data]> select role from us;
+------+
| role |
+------+
| 2 | => me row output 2
+------+
1 row in set (0.00 sec)
===============================
auth bypassvector
MariaDB [data]> select role-1 from us;
+--------+
| role-1 |
+--------+
| 1 |
+--------+
1 row in set (0.00 sec)
output row => 1
and bypass :)
Этот комментарий был удален автором.
ОтветитьУдалитьI have created another example from this issue in #0x3004CTF. Check it:
ОтветитьУдалитьhttp://pastebin.com/JpKVpC2m :)
While enormous changes and difficulties are currently confronting the web based loaning industry in the UK, it truly pays to have a prepared installments supplier that can direct you through the procedure and exhort the prescribed procedures with the goal that you are not running astray of the administrative structure.
ОтветитьУдалитьPayday Loans
It took a while yet I figured out how to do it. The primary spot I had went however, continued running the check through the credit union I was an individual from.
ОтветитьУдалитьCash Advance
A few understandings will take into account intrigue just regularly scheduled installments, yet it is insightful to make installments towards the important consistently to stay away from a huge inflatable installment toward the finish of the term or face the likelihood of losing your auto title. Credits like this can maneuver you into an obligation trap.
ОтветитьУдалитьAuto Title Loans
Otherwise called a transient advance, loan, quick money, money advance, awful credit advance or conceded store, a payday advance is an unsecured advance, as a rule for a little sum that is planned to be an impermanent answer for meet your budgetary needs until your next payday.
ОтветитьУдалитьCheck Cashing Chula-vista
When you are coordinated with a bank, you might be a required to electronically sign and consent to the terms of the credit.
ОтветитьУдалитьCheck Cashing Corona