SQL Injection
Normal users click on the 'next' and 'prev' links, where $offset is encoded into the URL. The script expects the incoming $offset to be a decimal number. However, an attacker can try to break in by appending the urlencode()'d form of the following to the URL:
If this succeeded, the script would grant the attacker superuser access. Note that the leading 0; supplies a valid offset to the original query and terminates that statement, so whatever follows it is sent to the server as a second statement.
The static part of the query can be combined, with a UNION, with a second SELECT statement that reveals every password:
If this query (which plays with the ' string delimiter and the -- comment marker) were assigned to one of the variables used in $query, the query beast would awaken.
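The two attacks above, the stacked statement smuggled through $offset and the UNION appended through a search filter, as an added, runnable example that is not code from the original page. It uses Python's sqlite3 module in place of the PHP and PostgreSQL code the text describes; the products and usertable tables and their rows are constructed here (usertable stands in for the catalog table that records superuser status), and run_batch is a hypothetical helper that executes every statement in a string, as pg_query() does when handed a whole batch. Each unsafe function is paired with a parameterised version of the same query.

```python
import sqlite3

# Constructed sample schema and rows (not from the page). usertable stands in
# for the catalog table that records which logins are superusers.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, inserted TEXT, size TEXT);
INSERT INTO products VALUES (1, 'widget', '2001-01-01', 'small'),
                            (2, 'gadget', '2001-01-02', 'large');
CREATE TABLE usertable (uname TEXT, passwd TEXT, usesuper INTEGER);
INSERT INTO usertable VALUES ('postgres', 's3cret', 1), ('bob', 'hunter2', 0);
"""

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def run_batch(conn, sql):
    """Hypothetical helper: run every statement in sql, the way pg_query()
    does with a whole batch. sqlite3's execute() refuses more than one
    statement per call, which is a driver property, not input validation."""
    buf = ""
    for piece in sql.split(";"):
        buf += piece + ";"
        if not buf.strip(" \n;"):
            buf = ""                          # empty chunk, nothing to run
        elif sqlite3.complete_statement(buf):
            conn.execute(buf)
            buf = ""
    # whatever is left over (a trailing -- comment) is never a statement

# --- paging: $offset interpolated unescaped, as in the text ----------------
def page_query(offset):
    return f"SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET {offset};"

# Valid offset, a new statement, then -- to comment out the script's own ';'.
OFFSET_PAYLOAD = (
    "0;\n"
    "INSERT INTO usertable(uname, passwd, usesuper) "
    "SELECT 'crack', 'crack', usesuper FROM usertable WHERE uname='postgres';\n"
    "--"
)

def superusers(conn):
    return [r[0] for r in conn.execute(
        "SELECT uname FROM usertable WHERE usesuper = 1 ORDER BY uname")]

def list_page_unsafe(conn, offset):
    run_batch(conn, page_query(offset))
    return superusers(conn)       # who is a superuser after the page was served

def list_page_safe(conn, offset):
    offset = int(offset)          # ValueError for anything but a decimal number
    if offset < 0:
        raise ValueError("offset must not be negative")
    return conn.execute(
        "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET ?",
        (offset,)).fetchall()

# --- search filter: $size interpolated unescaped ----------------------------
def search_query(size):
    return f"SELECT id, name, inserted, size FROM products WHERE size = '{size}'"

# Close the string literal, append a SELECT with the same column count, and
# comment out the closing quote the script appends.
UNION_PAYLOAD = ("' union select '1', uname || '-' || passwd, '1971-01-01', '0' "
                 "from usertable --")

def search_unsafe(conn, size):
    return conn.execute(search_query(size)).fetchall()

def search_safe(conn, size):
    return conn.execute(
        "SELECT id, name, inserted, size FROM products WHERE size = ?",
        (size,)).fetchall()
```

The UNION payload is a single statement, so a driver that refuses stacked statements does nothing against it; only binding the value (search_safe) keeps the quote inside the literal. In list_page_safe the type check matters as much as the placeholder: LIMIT and OFFSET take numbers, and rejecting anything that is not a decimal number is exactly the validation the text says the script assumed but never performed.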
A malicious user, however, submits the value ' or uid like'%admin%'; -- as $uid to change the admin's password, or simply sets $pwd to "hehehe', admin='yes', trusted=100 " (with a trailing space, so that the injected trusted=100 is separated from the WHERE clause that follows it) to gain more privileges. Then the query will be twisted:
If an attacker submits the value a%' exec master..xp_cmdshell 'net user test testpass /ADD' -- as $prod, then $query becomes:
MSSQL Server executes every statement in the batch, including the command that adds a new user to the local accounts database. If the application connects to the database as sa and the MSSQLSERVER service runs with sufficient privileges, the attacker now has an account with which to access this machine. Note that xp_cmdshell is disabled by default on SQL Server 2005 and later and has to be enabled explicitly through sp_configure; leaving it off, and never running an application as sa, limits what such a batch can reach.