понедельник, 13 мая 2013 г.

When Integer cannot protect you from SQL injection?

It is assumed that the cast user data to a numeric type is fully protected from SQL injection vulnerabilities.

Look at simple example:

$action = $_GET['do'];
$r=$db->query("select role".((int)$action)." from users where id=".((int)$_SESSION['user_id']));
if($row=$r->fetchArray()){
        if((int)$row[0]!==1){
                die('permission denied');
        }else{
                doAction($action);
        }
}


This code looks like SQLi protected, but it is not true.

Do not forget two obvious facts:
1. Minus is SQL operatator
2. Numbers can be negative

Now its easy to understand SQL logic in this case (w/o injection):

select role0 from users where id=0

And SQL injection attack vector in this case:

select role-1 from users where id=0


In our example attacker can bypass auth.
This example requires tables role and role0 both in database.

35 комментариев:

  1. Should the last sentence say "columns role and role0 both in the table users"?

    ОтветитьУдалить
  2. > describe us;
    +-------+------+------+-----+---------+-------+
    | Field | Type | Null | Key | Default | Extra |
    +-------+------+------+-----+---------+-------+
    | role0 | text | YES | | NULL | |
    | role1 | text | YES | | NULL | |
    | role | text | YES | | NULL | |
    +-------+------+------+-----+---------+-------+
    3 rows in set (0.04 sec)

    > select role-1 from us;
    +--------+
    | role-1 |
    +--------+
    | -1 |
    +--------+
    1 row in set (0.00 sec)


    array list
    0 => key
    0 => value (-1)

    $me=mysql_query("SELECT role-1 FROM us");
    $f=mysql_fetch_array($me);

    echo $f[0]; //output -1

    var_dump(-1!==1); //true

    dude failed


    in the second case



    snip___
    MariaDB [data]> select role+1 from us;
    +--------+
    | role+1 |
    +--------+
    | 1 |
    +--------+

    ОтветитьУдалить
    Ответы
    1. Этот комментарий был удален автором.

      Удалить
    2. Этот комментарий был удален автором.

      Удалить
  3. For Numeric type of columns role, role0...roleN of course :)

    ОтветитьУдалить
  4. The article fail vector
    But I wrote about it, see 8)

    ОтветитьУдалить
  5. What if just manually change the stupid value? I mean inline URL editing. In that case this isn't new. Not easy to exploit

    I think author want to show that u can't use critical values from frontend. I wouldn't use roles at least.

    ОтветитьУдалить
  6. Can't understand your post. This vector works well.

    And text columns obviously not about this.

    Just about minus as a SQL operator. Types of database columns which can be operated through minus depends from DB type. Test SQLite, for example.

    ОтветитьУдалить
  7. Этот комментарий был удален автором.

    ОтветитьУдалить
  8. Your text can be considered a case of

    MariaDB [data]> select role from us;
    +------+
    | role |
    +------+
    | 2 | => me row output 2
    +------+
    1 row in set (0.00 sec)


    ===============================


    auth bypassvector

    MariaDB [data]> select role-1 from us;
    +--------+
    | role-1 |
    +--------+
    | 1 |
    +--------+
    1 row in set (0.00 sec)


    output row => 1
    and bypass :)

    ОтветитьУдалить
  9. Этот комментарий был удален автором.

    ОтветитьУдалить
  10. I have created another example from this issue in #0x3004CTF. Check it:
    http://pastebin.com/JpKVpC2m :)

    ОтветитьУдалить
  11. Анонимный29 июля 2017 г., 21:30

    While enormous changes and difficulties are currently confronting the web based loaning industry in the UK, it truly pays to have a prepared installments supplier that can direct you through the procedure and exhort the prescribed procedures with the goal that you are not running astray of the administrative structure.
    Payday Loans

    ОтветитьУдалить
  12. Анонимный30 июля 2017 г., 08:52

    It took a while yet I figured out how to do it. The primary spot I had went however, continued running the check through the credit union I was an individual from.
    Cash Advance

    ОтветитьУдалить
  13. A few understandings will take into account intrigue just regularly scheduled installments, yet it is insightful to make installments towards the important consistently to stay away from a huge inflatable installment toward the finish of the term or face the likelihood of losing your auto title. Credits like this can maneuver you into an obligation trap.
    Auto Title Loans

    ОтветитьУдалить
  14. Otherwise called a transient advance, loan, quick money, money advance, awful credit advance or conceded store, a payday advance is an unsecured advance, as a rule for a little sum that is planned to be an impermanent answer for meet your budgetary needs until your next payday.
    Check Cashing Chula-vista

    ОтветитьУдалить
  15. When you are coordinated with a bank, you might be a required to electronically sign and consent to the terms of the credit.
    Check Cashing Corona

    ОтветитьУдалить
  16. دانلود سریال موچین
    https://www.aparat.com/v/4X2te/%D8%AF%D8%A7%D9%86%D9%84%D9%88%D8%AF_%D8%B3%D8%B1%DB%8C%D8%A7%D9%84_%D9%85%D9%88%DA%86%DB%8C%D9%86_%D8%A2%D9%BE%D8%A7%D8%B1%D8%A7%D8%AA_%D8%AA%D9%85%D8%A7%D9%85_%D9%82%D8%B3%D9%85%D8%AA%D9%87%D8%A7_%7C_%D9%82%D8%B3%D9%85%D8%AA_%D8%A7%D9%88%D9%84_%D8%AA%D8%A7

    ОтветитьУдалить
  17. دانلود سریال موچین
    https://www.dalfak.com/w/k1rov1/%D8%AF%D8%A7%D9%86%D9%84%D9%88%D8%AF-%D8%B3%D8%B1%DB%8C%D8%A7%D9%84-%D9%85%D9%88%DA%86%DB%8C%D9%86-%D9%82%D8%B3%D9%85%D8%AA-%D8%A7%D9%88%D9%84-1-%D8%B3%D8%B1%DB%8C%D8%A7%D9%84-%D9%85%D9%88%DA%86%DB%8C%D9%86-%DA%A9%D9%84-%D9%82%D8%B3%D9%85%D8%AA%D9%87%D8%A7

    ОтветитьУдалить
  18. دانلود سریال موچین
    https://mihanvideo.com/v/dNusz/%D8%AF%D8%A7%D9%86%D9%84%D9%88%D8%AF_%D8%B3%D8%B1%DB%8C%D8%A7%D9%84_%D9%85%D9%88%DA%86%DB%8C%D9%86_%D9%82%D8%B3%D9%85%D8%AA_1_%D8%AA%D8%A7_13_%D9%87%D9%85%D9%87_%D9%82%D8%B3%D9%85%D8%AA%D9%87%D8%A7

    ОтветитьУдалить
  19. دانلود سریال موچین
    https://mihanvideo.com/v/dNusz/%D8%AF%D8%A7%D9%86%D9%84%D9%88%D8%AF_%D8%B3%D8%B1%DB%8C%D8%A7%D9%84_%D9%85%D9%88%DA%86%DB%8C%D9%86_%D9%82%D8%B3%D9%85%D8%AA_1_%D8%AA%D8%A7_13_%D9%87%D9%85%D9%87_%D9%82%D8%B3%D9%85%D8%AA%D9%87%D8%A7

    ОтветитьУдалить
  20. https://www.cratoswin.com/

    Canlı bahis sitesi

    Vip casino sitesi Cratosslot

    Egt slot oyunları

    Online canlı bahis sitesi Cratossporting

    Online casino Cratosslot

    En iyi oyunlar 

    Tüm radyo frekansları için

    ОтветитьУдалить
  21. Well explained dear authors, Good thanks for considering this topic, Can you also explain about some SQL injection examples like Union attacks, examining the database, blind SQL injection etc.
    sports betting app development
    Luxury resort in Mandarmoni

    ОтветитьУдалить
  22. QuickBooks Connection Diagnostic Tool is your one stop solution for resolving errors that occurs in network connectivity, other than that it also helps in resolving errors like 6000 series errors, H series errors in QUickbooks.

    ОтветитьУдалить
  23. Someone necessarily help to make severely articles I might state. That is the first time I frequented your web page and up to now? I surprised with the analysis you made to create this actual publish extraordinary. Fantastic process 안전놀이터

    ОтветитьУдалить
  24. Dude, I am so glad that I came across this awesome article you shared on "When Integer cannot protect you from SQL injection" - you discussed the topic pretty well and I'm sure that every reader will learn a lot of things about this SQL injection attack. Anyway, are you a gamer by any chance? I want you to invite on playing this bubble witch saga 3 game - this is a casual game with an awesome gameplay and graphics that you will surely enjoy. Read more details at https://games.lol/words-with-friends-2/

    ОтветитьУдалить
  25. Thanks for your marvelous posting! I actually enjoyed reading it, you could be
    a great author.I will remember to bookmark your blog and will
    eventually come back from now on. I want to encourage you to continue your great
    writing, have a nice weekend!

    Website:카지노



    ОтветитьУдалить
  26. I like what you guys are usually up too. This kind of clever work and coverage! Keep up the very good works guys I’ve incorporated you guys to blogroll.
    바카라

    ОтветитьУдалить