@ONsec_Lab: When Integer cannot protect you from SQL injection?

понедельник, 13 мая 2013 г.

When Integer cannot protect you from SQL injection?

It is assumed that the cast user data to a numeric type is fully protected from SQL injection vulnerabilities.

Look at simple example:

$action = $_GET['do'];
$r=$db->query("select role".((int)$action)." from users where id=".((int)$_SESSION['user_id']));
if($row=$r->fetchArray()){
        if((int)$row[0]!==1){
                die('permission denied');
        }else{
                doAction($action);
        }
}

This code looks like SQLi protected, but it is not true.

Do not forget two obvious facts:
1. Minus is SQL operatator
2. Numbers can be negative

Now its easy to understand SQL logic in this case (w/o injection):

select role0 from users where id=0

And SQL injection attack vector in this case:

select role-1 from users where id=0

In our example attacker can bypass auth.
This example requires tables role and role0 both in database.

28 комментариев:

Weird dervish13 мая 2013 г., 14:10
Should the last sentence say "columns role and role0 both in the table users"?
ОтветитьУдалить
Ответы
blablabla13 мая 2013 г., 16:49
> describe us;
+-------+------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-------+------+------+-----+---------+-------+
| role0 | text | YES | | NULL | |
| role1 | text | YES | | NULL | |
| role | text | YES | | NULL | |
+-------+------+------+-----+---------+-------+
3 rows in set (0.04 sec)

> select role-1 from us;
+--------+
| role-1 |
+--------+
| -1 |
+--------+
1 row in set (0.00 sec)

array list
0 => key
0 => value (-1)

$me=mysql_query("SELECT role-1 FROM us");
$f=mysql_fetch_array($me);

echo $f[0]; //output -1

var_dump(-1!==1); //true

dude failed

in the second case

snip___
MariaDB [data]> select role+1 from us;
+--------+
| role+1 |
+--------+
| 1 |
+--------+
ОтветитьУдалить
Ответы
blablabla13 мая 2013 г., 17:19
http://pastebin.com/SLGw3ECU
ОтветитьУдалить
Ответы
Vladimir15 мая 2013 г., 05:20
For Numeric type of columns role, role0...roleN of course :)
ОтветитьУдалить
Ответы
blablabla15 мая 2013 г., 11:14
The article fail vector
But I wrote about it, see 8)
ОтветитьУдалить
Ответы
Darknessblack16 мая 2013 г., 01:40
What if just manually change the stupid value? I mean inline URL editing. In that case this isn't new. Not easy to exploit

I think author want to show that u can't use critical values from frontend. I wouldn't use roles at least.
ОтветитьУдалить
Ответы
Vladimir17 мая 2013 г., 14:09
Can't understand your post. This vector works well.

And text columns obviously not about this.

Just about minus as a SQL operator. Types of database columns which can be operated through minus depends from DB type. Test SQLite, for example.
ОтветитьУдалить
Ответы
blablabla18 мая 2013 г., 07:31
Этот комментарий был удален автором.
ОтветитьУдалить
Ответы
blablabla18 мая 2013 г., 07:45
Your text can be considered a case of

MariaDB [data]> select role from us;
+------+
| role |
+------+
| 2 | => me row output 2
+------+
1 row in set (0.00 sec)

===============================

auth bypassvector

MariaDB [data]> select role-1 from us;
+--------+
| role-1 |
+--------+
| 1 |
+--------+
1 row in set (0.00 sec)

output row => 1
and bypass :)

ОтветитьУдалить
Ответы
gamma9525 апреля 2014 г., 05:47
Этот комментарий был удален автором.
ОтветитьУдалить
Ответы
gamma9525 апреля 2014 г., 05:48
I have created another example from this issue in #0x3004CTF. Check it:
http://pastebin.com/JpKVpC2m :)
ОтветитьУдалить
Ответы
Анонимно29 июля 2017 г., 21:30
While enormous changes and difficulties are currently confronting the web based loaning industry in the UK, it truly pays to have a prepared installments supplier that can direct you through the procedure and exhort the prescribed procedures with the goal that you are not running astray of the administrative structure.
Payday Loans
ОтветитьУдалить
Ответы
Анонимно30 июля 2017 г., 08:52
It took a while yet I figured out how to do it. The primary spot I had went however, continued running the check through the credit union I was an individual from.
Cash Advance
ОтветитьУдалить
Ответы
Carruth Vallecillo31 июля 2017 г., 22:54
A few understandings will take into account intrigue just regularly scheduled installments, yet it is insightful to make installments towards the important consistently to stay away from a huge inflatable installment toward the finish of the term or face the likelihood of losing your auto title. Credits like this can maneuver you into an obligation trap.
Auto Title Loans
ОтветитьУдалить
Ответы
Carruth Vallecillo1 августа 2017 г., 22:05
Otherwise called a transient advance, loan, quick money, money advance, awful credit advance or conceded store, a payday advance is an unsecured advance, as a rule for a little sum that is planned to be an impermanent answer for meet your budgetary needs until your next payday.
Check Cashing Chula-vista
ОтветитьУдалить
Ответы
Carruth Vallecillo2 августа 2017 г., 09:50
When you are coordinated with a bank, you might be a required to electronically sign and consent to the terms of the credit.
Check Cashing Corona
ОтветитьУдалить
Ответы
amc stars12 января 2020 г., 23:19
Thank you good luck
عکس پروفایل عکس پروفایل عکس پروفایل عکس پروفایل عکس پروفایل
ОтветитьУдалить
Ответы
salma23 марта 2020 г., 11:58

تنظيف بمكة رقم شركة تنظيف بمكة بالبخار
نقل عفش بالدمام

نقل عفش من الدمام الى الرياض
غسيل خزانات بالدمام

ОтветитьУдалить
Ответы
amc stars19 апреля 2020 г., 14:59
دانلود سریال موچین
https://www.aparat.com/v/4X2te/%D8%AF%D8%A7%D9%86%D9%84%D9%88%D8%AF_%D8%B3%D8%B1%DB%8C%D8%A7%D9%84_%D9%85%D9%88%DA%86%DB%8C%D9%86_%D8%A2%D9%BE%D8%A7%D8%B1%D8%A7%D8%AA_%D8%AA%D9%85%D8%A7%D9%85_%D9%82%D8%B3%D9%85%D8%AA%D9%87%D8%A7_%7C_%D9%82%D8%B3%D9%85%D8%AA_%D8%A7%D9%88%D9%84_%D8%AA%D8%A7
ОтветитьУдалить
Ответы
amc stars19 апреля 2020 г., 15:00
دانلود سریال موچین
https://www.dalfak.com/w/k1rov1/%D8%AF%D8%A7%D9%86%D9%84%D9%88%D8%AF-%D8%B3%D8%B1%DB%8C%D8%A7%D9%84-%D9%85%D9%88%DA%86%DB%8C%D9%86-%D9%82%D8%B3%D9%85%D8%AA-%D8%A7%D9%88%D9%84-1-%D8%B3%D8%B1%DB%8C%D8%A7%D9%84-%D9%85%D9%88%DA%86%DB%8C%D9%86-%DA%A9%D9%84-%D9%82%D8%B3%D9%85%D8%AA%D9%87%D8%A7
ОтветитьУдалить
Ответы
amc stars19 апреля 2020 г., 15:02
دانلود سریال موچین
https://mihanvideo.com/v/dNusz/%D8%AF%D8%A7%D9%86%D9%84%D9%88%D8%AF_%D8%B3%D8%B1%DB%8C%D8%A7%D9%84_%D9%85%D9%88%DA%86%DB%8C%D9%86_%D9%82%D8%B3%D9%85%D8%AA_1_%D8%AA%D8%A7_13_%D9%87%D9%85%D9%87_%D9%82%D8%B3%D9%85%D8%AA%D9%87%D8%A7
ОтветитьУдалить
Ответы
amc stars19 апреля 2020 г., 15:02
دانلود سریال موچین
https://mihanvideo.com/v/dNusz/%D8%AF%D8%A7%D9%86%D9%84%D9%88%D8%AF_%D8%B3%D8%B1%DB%8C%D8%A7%D9%84_%D9%85%D9%88%DA%86%DB%8C%D9%86_%D9%82%D8%B3%D9%85%D8%AA_1_%D8%AA%D8%A7_13_%D9%87%D9%85%D9%87_%D9%82%D8%B3%D9%85%D8%AA%D9%87%D8%A7
ОтветитьУдалить
Ответы
amc stars1 июня 2020 г., 12:28
روش تحقیق در علوم رفتاری زهره سرمد
دانلود رایگان کتاب روش تحقیق در علوم رفتاری زهره سرمد
خرید کتاب روش تحقیق در علوم رفتاری زهره سرمد
دانلود pdf کتاب روش تحقیق در علوم رفتاری زهره سرمد
دانلود کتاب روش تحقیق در علوم رفتاری زهره سرمد
کتاب روش تحقیق در علوم رفتاری زهره سرمد
دانلود کتاب روش های تحقیق در علوم رفتاری زهره سرمد
خلاصه کتاب روش های تحقیق در علوم رفتاری زهره سرمد
خلاصه کتاب روش تحقیق در علوم رفتاری زهره سرمد
روش تحقیق در علوم رفتاری- زهره سرمد و عباس بازرگان
نمونه سوالات روش تحقیق در علوم رفتاری سرمد
http://www.codetools.ir/behavioral-sciences-research.html
ОтветитьУдалить
Ответы
ahmet altan2 августа 2020 г., 15:12
https://www.cratoswin.com/

Canlı bahis sitesi

Vip casino sitesi Cratosslot

Egt slot oyunları

Online canlı bahis sitesi Cratossporting

Online casino Cratosslot

En iyi oyunlar

Tüm radyo frekansları için
ОтветитьУдалить
Ответы
amc stars27 сентября 2020 г., 06:16
I was able to find good info from your articles. http://webcity.ir
http://webcity.ir ابزار وبلاگ
ОтветитьУдалить
Ответы
amc stars16 октября 2020 г., 01:08
دانلود کتاب صوتی قدرت عادت دانلود کتاب صوتی قدرت عادت
دانلود کتاب صوتی قدرت عادت دانلود کتاب صوتی قدرت عادت
ОтветитьУдалить
Ответы

Добавить комментарий

Подписаться на: Комментарии к сообщению (Atom)