cgi generic sql injection problems

5.6k views Asked by At

I was scanning a site when the following vulnerability popped up: CGI Generic SQL Injection

nessus sais that An attacker may exploit this flaw to bypass authentication, read confidential data, modify the remote database, or even take control of the remote operating system.

So i continued reading and found out that the vulnerability sits in this piece of code:

Using the POST HTTP method, Nessus found that :

  • The following resources may be vulnerable to SQL injection :

  • The '_codeTextBox' parameter of the /LoginTeacherForm.aspx CGI :

    /LoginTeacherForm.aspx [loginButton=Login&_VIEWSTATE=dDwtMTU2NDIxMDkwN Ts7Pg%3d%3d&btnChangePassword=Wijzig%20Pincode&_pinCodeTextBox=&_codeTex tBox='+convert(int,convert(varchar,0x7b5d))+']

-------- output --------

 Exception Details: System.Data.SqlClient.SqlException: String or
binary data would be truncated.
The statement has been terminated. 

But i'm wondering how an attacker can exploit this vulnerability, because when i paste that piece of code it just give me the error.

So my question is how would an attack be able to actually hack into the site and bypass login etc. (Educational purpose only of course)

2

There are 2 answers

0
ZnArK On BEST ANSWER

The error System.Data.SqlClient.SqlException indicates an error in your SQL query statement. This implies that value stored in the _codeTextBox parameter is not validated or otherwised sanitized before being put into the query.

This would have varying implications depending on the query and logic surrounding its return value. It is impossible to determine the worst case scenario without a thorough understanding of the web application. Suffice it to say, this issue should be fixed by the developer. Fortunately, it is usually easy to fix once identified.

In this case, it looks like the _codeTextBox parameter is being passed to the convert function. I doubt anyone could exploit this. But, this indicates insecure coding practices that probably appear in other areas that Nessus is not aware of. Read below for more info.

I see this most often when the programmer simply concatenates the values with the SQL query string:

Unsafe Example (java) (Source OWASP)

String query = "SELECT account_balance FROM user_data WHERE user_name = "
  + request.getParameter("customerName");

try {
    Statement statement = connection.createStatement( … );
    ResultSet results = statement.executeQuery( query );
}

Since the value simply gets appended to the end of the query, the user can change query to do something nefarious like login as any user or view all transactions. In the above example, the user could change the customer name parameter to something like '' or 1=1 or worse.

Expected query:

 SELECT account_balance FROM user_data WHERE user_name = someuser

Bad query:

 SELECT account_balance FROM user_data WHERE user_name = '' OR 1=1

OWASP recommends the following defensive measures. Your situation will dictate what is appropriate:

Primary Defenses:

  1. Use of Prepared Statements (Parameterized Queries)
  2. Use of Stored Procedures
  3. Escaping all User Supplied Input

Additional Defenses:

  • Also Enforce: Least Privilege
  • Also Perform: White List Input Validation

You really need to check out OWASP's site and read more about SQL injection.

0
SilverlightFox On

It looks like a false positive caused by the Nessus request causing your page to insert too long a string into a field. Nessus has detected the error was a SQL server error and has said that it may be a SQL injection vulnerability.

To test yourself try the request with _codeTextBox= set to a single quote to see if you still get a SqlException. If so amend this to two single quotes and if the error then goes away you are probably vulnerable.