-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=

                          -= SQL Interjection Attack =-

                                 -= By Fiend =-
                        -= all.rice@slcstreetracing.com =-
                           
                           -= http://www.2600slc.org =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Basic Information:
It is assumed that the reader is familiar with the concept of dynamically driven websites and 
specifically with server-side languages that deliver content from a database.  A slight 
knowledge of SQL and of how databases interact with the server is helpful.  A deep 
understanding isn't required for this document.


Test Environment:

Server:   
Apache/1.3.22 (Darwin) PHP/4.0.6 mod_ssl/2.8.5 OpenSSL/0.9.6b


Database: 
MySQL 3.23.36


Premise:
Dynamically driven websites can be open to attack when they do not validate the commands they send 
to their database.  


Main:
Many websites populate their pages with dynamic content from a database and use it to fill 
in HTML templates (examples: google.com, slashdot.org).  This is very helpful for search 
engines and news sites but can also leave security holes.  A web page asks a database 
for certain content through a server-side program (perl/cgi, php, coldfusion, asp).  It is 
how this server-side program handles the interaction that can cause the problem.  A 
website that wants to grab all of the information from a table (my_table) in a database uses a 
command similar to "SELECT * FROM my_table;", which returns all of the records in 
my_table.  Often sites will store sensitive information about users/customers in their 
database in another table (customers) and use a different SQL command to get only that user's 
content: "SELECT user_name, password, e-mail FROM customers WHERE user_name LIKE <login_user> 
AND password LIKE <login_password>;"  This compares database records against variables 
taken from an HTML login form. 

The problem appears when a web page stores the SQL command in a common variable name ($SQL) 
and doesn't validate the command before sending it to the database, so a request can supply 
its own value for that variable.  

Example:
login.php?user=bob&pass=****
Regular url.


login.php?user=bob&pass=****&sql=SELECT * FROM customers
The SQL command can be overridden through the URL.  This command will cause the SQL server to 
select all of the records about all of the customers and display them on the website, giving 
you private information about the users.

login.php?sql=drop%20table%20customers
This command will completely drop the table and make them restore it from backup.  This can be 
very useful if you already know a user's old password or the default password.
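The flaw in the two URLs above, shown as PHP beside a hardened login, as an added example that is not part of the original article.  It assumes modern PHP with mysqli (not the PHP 4 of the test environment, where register_globals turned every query-string key into a global variable), a hypothetical customers table with a password_hash column, and simulates the register_globals overwrite explicitly.

```php
<?php
// Added example, not from the article. Flawed pattern first, hardened version after.
// Assumes modern PHP + mysqli; the register_globals overwrite is simulated by hand.

// --- Flawed pattern (what the article describes) -------------------------
// With register_globals on (the PHP 4 default), ?sql=... replaced $SQL before
// it was ever sent to the database, and user/pass were glued into the text.
function vulnerable_login(mysqli $db, array $request): ?array
{
    $user = $request['user'] ?? '';
    $pass = $request['pass'] ?? '';
    $SQL  = "SELECT user_name, email FROM customers "
          . "WHERE user_name LIKE '$user' AND password LIKE '$pass'";
    if (isset($request['sql'])) {        // equivalent of register_globals
        $SQL = $request['sql'];          // statement is now request-controlled
    }
    $result = $db->query($SQL);
    return $result instanceof mysqli_result ? $result->fetch_all(MYSQLI_ASSOC) : null;
}

// --- Hardened version ---------------------------------------------------
// 1. The statement text is a constant; no request value can replace it.
// 2. Input is bound as a parameter, never concatenated into the SQL string.
// 3. Exact match (=) instead of LIKE, so '%' in the input cannot widen the query.
// 4. Passwords are stored hashed and checked with password_verify(), never selected raw.
const LOGIN_SQL = 'SELECT user_name, email, password_hash FROM customers WHERE user_name = ?';

function safe_login(mysqli $db, array $request): ?array
{
    $user = (string)($request['user'] ?? '');
    $pass = (string)($request['pass'] ?? '');
    if ($user === '' || $pass === '' || strlen($user) > 64) {
        return null;                     // basic validation before touching the DB
    }
    $stmt = $db->prepare(LOGIN_SQL);
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null || !password_verify($pass, $row['password_hash'])) {
        return null;                     // same answer for bad user and bad password
    }
    unset($row['password_hash']);
    return $row;                         // only this user's non-secret fields
}
```

Running the web application's database account with SELECT only (no DROP or other DDL rights) also limits what the second URL could do even if a statement did slip through.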

Conclusion:
This is very fun but also damaging and illegal, although you are simply asking the web page for 
information and it gives out the sensitive information to you.  You can be caught and convicted 
of being the little terrorist* you are!

*Thanks to the PATRIOT Act for considering geeks the same as terrorists and silencing scientists 
with the DMCA; that'll really make us safer.


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-
© 2600SLC.ORG 2002
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-