Breaking SQL insert

  • I am testing the security of a .NET application that processes an incoming message into fields it inserts into a database. In one 35-byte text field, I replaced the actual context of the message with DELETE FROM (TABLENAME). The exact format I am using is ";DELETE FROM TABLENAME". I also tried with single quotes. It didn't execute the SQL.

    The developers aren't including error-checking to verify the value of that field because they feel that the format of the content might change in the conceivable future, and then they don't have to re-code the check.

    Is there any way I can get SQL server to execute the SQL statement instead of just treating it as text and populating the database with it?

  • You could place the field data into a variable and then EXEC sp_executesql @field but....

    IF there is no validation except to INSERT into the field WHY would there be code on your side to EXEC it???

    Good Hunting!

    AJ Ahrens
    webmaster@kritter.net

  • Yes. Suffice it to say that you can embed SQL to cause issues if the fields are not sufficiently edited and you either know how the SQL is structured (an inside job) or make enough good guesses. I just don't think that a "how to launch an attack" is a good tutorial to be posting.

  • My purpose is more to make sure that any SQL that gets put in there, since there is no error-checking, won't get executed and screw up the database.  I guess that's the case. =)

    Ty,

  • As a side note, you can avoid the vast majority of such attacks by replacing ' with '' (two single quotes) within any data fields just prior to concatenating it into the SQL string so long as you are using quotes around the value in your SQL. For example, if the field is placed directly into the field because it is supposed to be an integer you would have to edit it to make sure that it truly is merely an integer before doing so.
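The two mitigations described in this reply (doubling single quotes before concatenating a quoted value, and confirming an unquoted integer field really is an integer), placed beside the parameterised insert that avoids building SQL from the field at all, as an added Python example that is not part of this thread. It uses Python's sqlite3 module as a stand-in for SQL Server; the `messages` table and its columns are assumptions.

```python
import re
import sqlite3

# Constructed sample field values: the thread's payload, the variant with a
# single quote the poster also tried, and an ordinary name containing a quote.
SAMPLE_FIELDS = [";DELETE FROM TABLENAME", "';DELETE FROM TABLENAME", "O'Brien"]


def escape_quotes(value: str) -> str:
    """Mitigation from the post: double each single quote before concatenating.
    Only safe when the value is wrapped in single quotes in the SQL text."""
    return value.replace("'", "''")


def parse_int_field(value: str) -> int:
    """For a value placed into the SQL unquoted (an integer column), confirm it
    really is just an integer before it goes anywhere near the statement."""
    if not re.fullmatch(r"[+-]?\d+", value.strip()):
        raise ValueError(f"not an integer field: {value!r}")
    return int(value)


def build_escaped_insert(body: str, qty: str) -> str:
    """Concatenation with both mitigations applied (body quoted and escaped,
    qty validated). Shown for comparison; binding parameters is preferred."""
    return (f"INSERT INTO messages(body, qty) "
            f"VALUES ('{escape_quotes(body)}', {parse_int_field(qty)})")


def store_fields(fields):
    """Insert each sample twice into an in-memory table: once bound as a
    parameter, once via the escaped concatenation. Returns the stored bodies,
    which come back exactly as supplied: the field is data, never SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT, qty INTEGER)")
    for body in fields:
        # Preferred: the driver binds the value; it is never parsed as SQL.
        conn.execute("INSERT INTO messages(body, qty) VALUES (?, ?)",
                     (body[:35], parse_int_field("1")))
        # Fallback when concatenation cannot be avoided: escaped and validated.
        conn.execute(build_escaped_insert(body[:35], "2"))
    rows = conn.execute("SELECT body FROM messages ORDER BY id").fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    for stored in store_fields(SAMPLE_FIELDS):
        print(repr(stored))
```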
