0

Just recently our client got their site tested by the penetration tests company and in report it states that in some form on some field there could be a SQL injection performed. They only state the DB server version and a few of tables they have found.

I tried to perform the SQL injection on that field so hard but I cannot get a relevant result. The problem with SQL injection on that field is I guess:

  • field is validated by AJAX on blur
  • field has a JS validation and the input could only be a number (any other char is stripped)
  • the field's AJAX validation asks DB using SQL whether the value could be find while returning 1 if yes or false if not (simple SELECT 1 FROM table WHERE column = '{$value}')
  • the validation method then returns true or an error message and this is returned to the form in JSON format

Because of all this I do not know how to perform a SQL injection that would return some data... I know I could do an insert, update, delete queries, so there is SQL injection indeed, but how to retrieve some data from select query using this field and its validation method???

HEY GUYS! I am not asking "is there any SQL injection?" or "Is SQL injection a bad thing?" - I know there is SQL injection and I know it is mega bad, but my question is HOW CAN I PERFORM SQL INJECTION THAT WOULD RETRIEVE ANY DATA while You know the conditions above...

Those comments under are useless...

Improve this question
5
  • 1
    The report says that SQL injection can be performed. Why are you concerned with retrieving data? Isn't $value = "foo' OR '1'='1" bad enough? Commented Nov 15, 2012 at 11:41
  • 1
    SQL injection isn't used to just retrieve data, you can inject a DROP ALL TABLES and... Commented Nov 15, 2012 at 11:44
  • Because I need a proof they could really retrieve data. It is kinda weird that in any other case of penetrations they'd stated an URL with the description of the test and the result while explaining what they did and why. But here with that SQL injection problem they only state the result and not the process of testing. Thus I do think they couldn't retrieve any data and that this data they retrieved directly from client just to make us seem as fools. OK, there is possibility to perform SQL injection, but the validation was adopted from the clients old application... Commented Nov 15, 2012 at 11:45
  • 2
    @shadyyx — If they say they can retrieve data, and you want to confirm that they aren't lying, then ask them to give you evidence, that is what you pay them for! Commented Nov 15, 2012 at 12:04
  • We didn't pay them, our client payed them. Asking them will mean arguing while we both know SQL injection is there... Nevermind... Commented Nov 15, 2012 at 15:14

2 Answers 2

Reset to default
4

It's clear that:

  1. You aren't using the prepared statements feature that the OCI8 PHP extension provides (otherwise, you'd have column = :value instead of column = '{$value}')

  2. Your validation is client-side, thus can be easily overridden.

So you do have a SQL injection vulnerability. Now, that doesn't mean that we can necessarily steal your passwords or credit card numbers. The minimum effect is that parameters provided by user can make you app crash and that's bad enough.

About the precise potential of this injection, it's hard to say without even knowing what the app does. Usual possibilities include:

  • Retrieve rows you're not supposed to see
  • Inject data manipulation statements

Update:

Without seeing what your PHP code does:

$value = "' UNION ALL SELECT credit_card FROM billing_info -- ";
Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

You too didn't understand my question. My point here is to proof that the company that did penetration tests REALLY COULD RETRIEVE THE DATA and that it is not fooling us. I know that data manipulation is as bad as data retrieving but this is not the point. Also, validation is done on server side - it is just called on client side...
@shadyyx, according to your description - the validation is done on client side: field is validated by AJAX on blur, if one disables the JS then the ajax validation won't run... Server side validation means that when you process the input on the server then you validate it first, it doesn't mean that you use a server side method to validate it
I tried that before, no success. The validation method still returns true/false. And raises an exception, as my select would look like SELECT 1 FROM table WHERE column = '' UNION ALL SELECT credit_card FROM billing_info -- which raises an exception that the selected values are not the same type - if in first query You select an integer You have to select an integer in another query, too.
@shadyyx - I provided a valid example, didn't I? Considering that I can't even test it (I don't have access to your app), it's not that bad.
Nope, not that bad :-). I gave You +1, don't worry :-).
2

It could take time to devise a method to completely take control of your DB once the vulnerability is found, especially if the attacking party has to spoof/rewrite client-side code to be compatible with your vulnerable server-side validation. This is also probably not a part of the security mission: its actual goal is to find vulnerabilities, not exploit them.

Therefore, it would be quite pointless to spend resources here, the main point is that you have a vulnerability and you have to correct it. Even if the security team couldn't exploit it, it doesn't prove anything: a more experienced and/or motivated team of outlaws can certainly exploit it. In particular, there are tools that automate the process of exploiting a SQL injection vulnerability once it is found.

Don't spend too much time trying to understand the subtilities of client-side alteration: the most important part is a robust server-side validation.

Also use prepared statements, problem solved.

Improve this answer

3 Comments

We do use Oracle prepared statements in all queries that we wrote. This one was adopted with their old class for one concrete form validations and we somehow forgot to check it sufficiently. But this is good point - I won't spend more time finding the exploit. Actually it is already repaired.
Somehow if the security team managed to get info on your schema, it might be interesting to know how, if only to satisfy your curiosity :)
Yep, that was the point - to satisfy my curiosity. Cos I'd spent about 2-3 hours trying so much to inject the SQL for data retrieval, but nothing! Yep, I could cause the validation to return treu even the data was not valid, I believe I could call some INSERT, UPDATE or DELETE query, but I highly suspect the testers and client they just arranged the data retrieval... But who knows, I have no proof (and they didn't proof they really did it).

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.