Roy Schestowitz wrote:
> Lusotec wrote:
>> Some SQL DB servers provide things like stored procedures and
>> parametrized queries that allow the developers to avoid SQL injection
>> vulnerabilities but these have to be *correctly* used by the developer to
>> have any positive effect.
>
> Will these stored procedures permit an intruder to gain control over the
> system?
Stored procedures (SP) are SQL queries defined and stored in the server that
can be called with a function-call-like syntax. SP are somewhat safer than
direct SQL but if incorrectly used can be just as abused as direct SQL.
Can a SQL injection be used to gain system control? Directly, no, unless
there is some serious bug in the DB server, but it can be a stepping stone
to gain access to the system through a crappy script.
One example I came across is a script that had a vulnerability that allowed
a SQL injection in a page to display a list of products. An attacker
exploited that to display the list of users and the hashed passwords. The
attacker then probably brute guessed the password from the hash and used it
to access the admin area of the script.
The script has a feature to upload templates and modules and the attacker
used that to upload a module with a script and a binary. The binary was a
fake passwd exec that would steal the account's password the moment the
user was forced to update his password (a requirement once every 3 months).
What stopped the attacker was the fact that I put all the web related stuff
in that server on a mount with noexec,nosuid,nodev and that stopped the
execution of the binary.
The SQL logs showed what the SQL injection was and the script was quickly
fixed but in a server where the users can and will install whatever crap
they find the admin has lots of work keeping things safe.
Regards.
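An added example (not code from the thread or from the script discussed) showing the difference the post is about: a product-list lookup that pastes user input into the SQL text next to the same lookup done with a parametrized query. It uses Python's built-in sqlite3 module with a constructed in-memory table; the table, rows and inputs are assumptions for the demo. The same lesson applies to a stored procedure: if the procedure builds dynamic SQL by concatenating its arguments internally, calling it with parameters does not help.

```python
import sqlite3

# Constructed sample rows for the demo; not from the original post.
PRODUCTS = [(1, "widget", 9.99), (2, "gadget", 19.99), (3, "gizmo", 4.50)]


def make_db():
    """Build an in-memory SQLite database with a small products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def list_products_vulnerable(conn, name):
    """The pattern from the broken script: user input spliced into the SQL text.

    A quote character in `name` ends the string literal and the rest of the
    input is parsed as SQL, so the caller no longer controls what the query does.
    """
    sql = "SELECT id, name, price FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def list_products_safe(conn, name):
    """Parametrized query: the driver binds the value; input never becomes SQL."""
    sql = "SELECT id, name, price FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both versions against an honest and a quote-bearing input."""
    conn = make_db()
    honest = "widget"
    hostile = "x' OR '1'='1"  # constructed input containing a single quote
    return {
        "vuln_honest": list_products_vulnerable(conn, honest),
        "vuln_hostile": list_products_vulnerable(conn, hostile),   # every row leaks
        "safe_honest": list_products_safe(conn, honest),
        "safe_hostile": list_products_safe(conn, hostile),         # no match: []
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable version returns every product for the quote-bearing input because the WHERE clause was rewritten by the input; the parametrized version compares against the literal string and returns nothing. Reviewing code for string-built SQL (and stored procedures that do the same with EXEC or PREPARE on concatenated text) is the check to make, and the DB server's query log, as the post notes, is where the altered query text shows up.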
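As an added example (not from the thread), a small check for the mitigation that stopped the uploaded binary: given /proc/mounts-style text, find the mount that holds a given path and report which of noexec, nosuid and nodev are missing. The mount table below is constructed for the demo and the paths are assumptions; on a real host you would read /proc/mounts instead.

```python
# Constructed /proc/mounts-style lines for the demo; not captured from any real host.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /srv/www ext4 rw,noexec,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

# Mount options the post relies on for the web tree.
REQUIRED = {"noexec", "nosuid", "nodev"}


def parse_mounts(text):
    """Return a list of (mountpoint, set_of_options) from /proc/mounts-style text."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes spaces in mountpoints as \040
        mountpoint = fields[1].replace("\\040", " ")
        options = set(fields[3].split(","))
        entries.append((mountpoint, options))
    return entries


def mount_for(path, entries):
    """Pick the entry whose mountpoint is the longest prefix of `path`."""
    best = None
    for mountpoint, options in entries:
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, options)
    return best


def missing_options(path, text=SAMPLE_MOUNTS):
    """Sorted list of REQUIRED options not set on the mount holding `path`.

    If no mount covers the path at all, every required option is reported.
    """
    found = mount_for(path, parse_mounts(text))
    if found is None:
        return sorted(REQUIRED)
    return sorted(REQUIRED - found[1])


if __name__ == "__main__":
    # Hypothetical paths: a module under the web tree, a home dir, and /tmp.
    for p in ("/srv/www/modules/upload.bin", "/home/user/cgi", "/tmp/work"):
        print(p, "missing:", missing_options(p))
```

To use this against a live system, read the text with `open("/proc/mounts").read()` and pass it as `text`. The longest-prefix rule matters because a nested mount (the web tree) can carry stricter options than its parent (/), and the check has to look at the innermost one.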