WELCOME TO OUR WORLD »

Sunday, May 22, 2011

Sql Injection - From Bug To Shell

==Intro==
Welcome to the world of web application security. In this day and age you'd think that, after thousands of
reports of records being stolen, accounts being compromised and websites being 'defaced', developers
would have learned to secure their web apps. But people don't like security, as it often gets in the way of
convenience and, as I'm sure you're all aware, this is a lazy generation. People like things that you just
double-click and it does what you need it to. I'm really going off on a rant here, but developers of web
applications often either don't know about security (it's not mentioned in most programming tutorials you
find), don't care, or just forget and don't bother to test their code before releasing it. One of the most
common mistakes is SQL injection, and in this paper I'll take you from exploit to patch, so sit back, relax and enjoy.

==Error In Coding?==
A basic PHP script requesting data from SQL will look a little something like this:



This will of course work, and the link will look like shop.php?id=1. The code does work, so why is
it so wrong? Well, what if we were to put something other than what they want us to? What if we put our
own query into that id field instead of the integer they've linked us to? You're probably seeing it already, but
for the others I'll show an example. Let's request shop.php?id=1'. The apostrophe will close the id = '' quoting
and give us id = ''', and thus an error [if error_reporting isn't turned off]:


You have an error in your SQL syntax; SELECT * FROM products_tabs WHERE products_id = '1''


So let's take a look at that in the code:

$rows = mysql_query("SELECT product,price,image FROM prods WHERE id = '''", $link);

As you can see, we ended the id = '' and added a ' to the end. So what if we used another SQL statement with
the UNION query? We could then run any query we wanted against the SQL database.

==Oh So Exploitable==
So you're thinking "ah, who cares, I don't have anything of use in my SQL database, just some product information, so I have nothing to worry about."
WRONG.

SQL injection allows so much more than just reading data: it also lets an attacker read any file on your server
and write into files. To do this attackers use the LOAD_FILE() function and INTO OUTFILE/DUMPFILE
'/path/filename.php'. When an error occurs, the page shows the path of the file that errored, for debugging, and of
course that is the full path to where your files are kept. So, going back to our code, an attacker could do this:


$query = mysql_query("SELECT product,price,image FROM prods WHERE id = '' UNION SELECT '' INTO OUTFILE '/var/www/shell.php'", $link);


If this directory is writable, the hacker has just put a "web shell" onto your server and from there has full
access to everything.

==SO WTF HOW DO I FIX THIS GOD I HATE HACKERS==
Don't hate hackers; we're simply trying to help you fix problems which could cause harm to your site if, say,
a competing company doesn't like your business and discovers this. So the next time you receive an
email from a hacker saying that your site is vulnerable, don't get scared or angry. Simply thank them for their
service, patch the hole, and offer them a little something for helping you.

Now on to patching. First, your code: a very simple if() can be added to fix this.

if(!is_numeric($id)) { die("Nope not vulnerable ;D"); }


This checks whether $id is numeric. If it's not, it terminates the script then and there; if it is, the script continues
and works as before. It's not the only way, mind you, but it does the job for variables that need to be numeric only.

As for error_reporting, it's not a huge flaw, but it does help an attacker. To disable it [after you've debugged], simply
add error_reporting(0); to the top of your script. This turns off all error reporting for that particular script.

For LOAD_FILE and INTO OUTFILE/DUMPFILE, simply make sure that the user your script connects with
doesn't have the FILE privilege; it probably doesn't need it anyway. To do this, type the following:

sql> REVOKE FILE ON *.* FROM 'user_name'@'host_name';


And you're good to go! Remember to always watch your logs, and NEVER EVER EVER EVER EVER EVER use your
script to log in to MySQL as root. NEVER.
