CodeCharge Studio
 Great - CCS is protected from SQL injection

Bil Simser
Posted: 01/19/2004, 5:03 AM

I just came back from a security session in .NET about vulnerabilities with
SQL Server and web applications. One of the issues they showed was SQL
injection code. Basically if you have a text field asking a user for say a
search the code behind the search might be:

"SELECT * FROM tableName WHERE firstName=" + form.firstName

A normal user might enter this in the search field:

BOB

Okay, no biggie. He's looking for BOB in the database. The SQL would then
expand out to:

"SELECT * FROM tableName WHERE firstName=BOB"

But what if a malicious user entered this in the search field:

BOB ' union select @@servername, 1,1 --

Will return the servername of the machine running your database. In the
demo, the presenter went on once he had this information and was able to:
1. Create a new local account on the server
2. Give admin access to that account
3. Access any database with that account
4. Download any data with that account
5. Remove the user without anyone knowing he was there

Using the @@ variables and some built-in stored procedures in SQL Server
(like xp_cmdshell, ouch) he was able to basically walk right through any
security because of the way the ASP was forming the queries to the database.
Pretty much any database that has access to master is vulnerable.

This isn't just limited to ASP + SQL server (although that's the biggest
vulnerability) as it can be used against Oracle or MySQL and other
languages.

Here are some resources on SQL Injection code:
http://www.sitepoint.com/article/794
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.securityfocus.com/infocus/1644
http://www.vbmysql.com/articles/sqlinjection.html
http://www.governmentsecurity.org/articles/SQLInjection...hyItMatters.php

This may be an old topic but taking the stock output from CodeChargeStudio
(ASP+SQL) I was able to use the exploits to gain admin access to my SQL
server quite easily. Watch that SQL string and how you're building it!

-Bil

Edd


Posts: 547
Posted: 01/19/2004, 6:01 AM

Bil,

Thank you so much for the heads up.


_________________
Accepting and instigating change are life's challenges.

http://www.syntech.com.au
RoskO

Posts: 19
Posted: 01/19/2004, 11:39 AM

Bil, I'm not against you here but have you looked at the common file in CCS? Just curious if it replaces the characters you really have to worry about.

I think there are steps to be taken that don't really include CCS generated code, then there are some steps that YES needs to take to make their code correct. For example, I see this in the common.asp file generated from CCS.

'CCToSQL @0-CA2C324A
' Formats a value for direct inclusion in a SQL string.
Function CCToSQL(Value, ValueType)
    If CStr(Value) = "" OR IsEmpty(Value) Then
        ' Empty input becomes an unquoted SQL NULL
        CCToSQL = "Null"
    Else
        If ValueType = "Integer" or ValueType = "Float" Then
            ' Numeric types are coerced with CDbl (non-numeric text raises a
            ' type mismatch) and the decimal separator normalised to a period
            CCToSQL = Replace(CDbl(Value), ",", ".")
        Else
            ' Text is wrapped in single quotes with embedded quotes doubled
            CCToSQL = "'" & Replace(Value, "'", "''") & "'"
        End If
    End If
End Function

Doesn't this indicate that they are taking at least SOME steps to help out with injection issues? just curious what your thoughts are, or if you have checked out the code in the common files etc in CCS generated projects?

Please advise

-Jeremy
_________________
-Jeremy
Website design, database programming & hosting services
www.rockymountainpc.com
RoskO

Posts: 19
Posted: 01/19/2004, 12:36 PM

Just another tip for users out there.

If you are running SQL Server, run SQL as an account with low privileges. Just create a local account, add it to the "users" group and use that account to start up SQL Server.

Next step is to create a separate login for each database, and in some cases more than one account.

Create a user in SQL Enterprise manager or whatever app you use to administer SQL server. Give them access to ONLY the database they need access to, DO NOT give them access to any server roles.

Another precaution might be to only give one user access to datareader, and use that username/password for grids and searches.

Next would be to create another user for datawriter and use that for adding new records.

These are just some precautions you can take, there are many more you can use with your code as you can see in the links above provided by Bil.


_________________
-Jeremy
Website design, database programming & hosting services
www.rockymountainpc.com
Bil Simser
Posted: 01/19/2004, 6:11 PM

"RoskO" <RoskO@forum.codecharge> wrote in message
news:2400c3267520dc@news.codecharge.com...
> Bil, I'm not against you here but have you looked at the common file in
> CCS? Just curious if it replaces the characters you really have to worry
> about.
>
> I think there are steps to be taken that don't really include CCS
> generated code, then there are some steps that YES needs to take to make
> their code correct. For example, I see this in the common.asp file generated
> from CCS.

I took a look in the common code and yes, there are some things the code (in
any language) does that would help prevent a SQL Injection attack. I'm not
sure if Yes did this intentionally or it was just a result of optimizing the
codeline. In any case, while the common code does have some features to
prevent this type of thing, take a look at the SQL statements created when
you pass a variable to a grid to filter on a column. Pretty vulnerable
there.

-Bil
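As an added example (not code from this thread, and not CodeCharge Studio's own code), the Python script below ports the CCToSQL routine RoskO quoted and puts it beside the two query-building patterns the thread argues about: Bil's plain concatenation, and the same lookup with the value either escaped by the port or bound as a parameter. The table name, column, sample rows and the use of SQLite in place of SQL Server are all constructed for the demo, and the port is assumed to mirror the VBScript's behaviour.

```python
import sqlite3

# Constructed sample data standing in for the "tableName" in Bil's post.
SAMPLE_NAMES = ["BOB", "ALICE", "CAROL"]
SEARCH_SQL = "SELECT firstName FROM tableName WHERE firstName="


def open_sample_db():
    """In-memory SQLite stand-in for the SQL Server database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tableName (id INTEGER PRIMARY KEY, firstName TEXT)")
    conn.executemany("INSERT INTO tableName (firstName) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    return conn


def cc_to_sql(value, value_type="Text"):
    """Python port of the CCToSQL routine quoted above (assumed to mirror the VBScript)."""
    if value is None or str(value) == "":
        return "Null"                      # empty input becomes an unquoted NULL
    if value_type in ("Integer", "Float"):
        # CDbl() rejects non-numeric text, so float() raising ValueError is the
        # matching behaviour: the value never reaches the query as raw text.
        num = float(value)
        text = str(int(num)) if num.is_integer() else repr(num)
        return text.replace(",", ".")
    # Text: wrap in single quotes and double any embedded quote.
    return "'" + str(value).replace("'", "''") + "'"


def build_unsafe(first_name):
    """The concatenation Bil describes: the input is spliced into the SQL grammar."""
    return SEARCH_SQL + first_name


def build_escaped(first_name):
    """Same query with the input routed through CCToSQL, so it stays one string literal."""
    return SEARCH_SQL + cc_to_sql(first_name)


def search_escaped(conn, first_name):
    """Run the escaped query and return the matching names."""
    return [row[0] for row in conn.execute(build_escaped(first_name))]


def search_parameterized(conn, first_name):
    """Preferred form: bind the value, so the driver never splices it into the text."""
    rows = conn.execute("SELECT firstName FROM tableName WHERE firstName=?", (first_name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = open_sample_db()
    for term in ["BOB", "BOB ' union select @@servername, 1,1 --"]:
        print("unsafe  :", build_unsafe(term))
        print("escaped :", build_escaped(term), "->", search_escaped(db, term))
        print("bound   :", search_parameterized(db, term))
```

Run against the search term from Bil's post, the escaped and the bound forms both treat the whole input as one name to look up and return no rows, while the unsafe form hands the apostrophe and everything after it to the SQL parser. The escaping path only helps where every value actually passes through CCToSQL with the right ValueType; a parameterised query holds regardless of which code path built the statement, which is why it is the check to insist on when reviewing generated filter code.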

peterr


Posts: 5971
Posted: 01/19/2004, 11:52 PM

Bil,

Although I understand your excitement about what you've learned about SQL Injection, I believe that CCS Studio was designed to prevent such issues.
I also couldn't find your question or reported issue in our support system.
Since you claim to be able to "use the exploits to gain admin access to my SQL server quite easily" please contact us with the detailed steps on how you achieved this so that we have a chance of taking a look at this.
The support URL is shown below.

For now we'll change the subject of your posting to "Great - CCS is protected from SQL injection" until we have an opportunity to research your claims.

Thank you
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com
RoskO

Posts: 19
Posted: 01/20/2004, 8:41 AM

I think CCS produces good code and has plenty of protection built in for SQL injection attacks.

What people need to realize is that admin access to the entire server should NEVER happen through injection if the administrator of the server sets up users correctly.

If the fundamentals are followed, and you use CCS, you should be just fine.


_________________
-Jeremy
Website design, database programming & hosting services
www.rockymountainpc.com
Powered by UltraApps Forum created with CodeCharge Studio
Copyright © 2003-2004 by UltraApps.com  and YesSoftware, Inc.