PerlMonks  

Re^5: RFUC : aXML release 0.2.0

by tinita (Parson)
on Jul 18, 2011 at 00:30 UTC (#915038)


in reply to Re^4: RFUC : aXML release 0.2.0
in thread RFUC : aXML release 0.2.0

http://bobby-tables.com/

your cookie parsing: $ENV{HTTP_COOKIE} =~ m@sessionId=(.*?); userID=(.*?);@s

your sql: qq@ SELECT * FROM sessions WHERE sessionID="$sessionID"; @

I modify the cookie so that $sessionID is: q{" OR userID="1}; and $userID is 1. let's say 1 is the admin userid. tadaa. I'm logged in as admin.

use placeholders. always.


Re^6: RFUC : aXML release 0.2.0
by Logicus on Jul 18, 2011 at 00:38 UTC

    So the SELECT becomes :

    SELECT * FROM sessions WHERE sessionID="q{" OR userID="1};";

    I just tried that on the MySQL console and got this:

    mysql> SELECT * FROM sessions WHERE sessionID="q{" OR userID="1};";
    ERROR 1054 (42S22): Unknown column 'userID' in 'where clause'

    The sessions table looks like this :

    mysql> describe sessions;
    +-----------+----------+------+-----+---------+-------+
    | Field     | Type     | Null | Key | Default | Extra |
    +-----------+----------+------+-----+---------+-------+
    | sessionID | char(32) | YES  |     | NULL    |       |
    | xml       | text     | YES  |     | NULL    |       |
    | username  | char(50) | YES  |     | NULL    |       |
    | timestamp | int(11)  | YES  |     | NULL    |       |
    +-----------+----------+------+-----+---------+-------+
    4 rows in set (0.00 sec)

      you misunderstood. $sessionID becomes:

      " OR userID="1

      Your code:

      $sessionHash = DB::GetHash(qq@ SELECT * FROM sessions WHERE sessionID="$sessionID"; @);
      ...
      unless ($userID eq $sessionHash->{userID})

      I assumed from that code and DB::GetHash that there is a field userID in your table.

        Yes there should be that column, I was adding that in on this version but I forgot about it.

Re^6: RFUC : aXML release 0.2.0
by Logicus on Jul 18, 2011 at 01:06 UTC

    Actually, now you've called my attention to it, that specific area was one that I was changing from the previous version, to add the userID column, but I forgot about it.

    What do you mean by placeholders?

    In version 0.2.1 the code will read thus :

    $ENV{HTTP_COOKIE} =~ m@sessionId=([ABCDEF0123456789]{32}); userID=(.*?);@s #thanks to tinita of Perlmonks!

    Would it work if I just went ([A-F0-9]{32}) ?

      What do you mean by placeholders?

      I assumed that you would actually read http://bobby-tables.com/ -> http://bobby-tables.com/perl.html and the other advice about SQL injections you were given.


      update: oh, and I would prefer not to be quoted in your source code for that, mainly since that wasn't my exact suggestion...

        Sorry, it just looked like a cartoon that I've seen before, and my attention was off looking at the code to see what you meant.

        As for placeholders ah yes I see what you mean now, thanks!
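Worked example added here, not code from the thread or from aXML: it renders the interpolated lookup tinita describes above with the tampered cookie value so the reshaped statement is visible, runs the same value through a DBI placeholder against a constructed in-memory table, and applies the tightened `[A-F0-9]{32}` cookie pattern Logicus asks about. It assumes DBI with DBD::SQLite is installed; the sessions table, the session ids and the cookie strings are all constructed for the example.

```perl
#!/usr/bin/env perl
# Added example (not from the thread or aXML). Needs DBI and DBD::SQLite.
# The table, ids and cookies below are constructed fixtures.
use strict;
use warnings;
use DBI;

# Build the lookup the way the quoted code did: the cookie value is
# interpolated straight into the SQL text. Returned only as a string so
# the effect on the statement can be inspected; nothing executes it.
sub interpolated_sql {
    my ($session_id) = @_;
    return qq{SELECT * FROM sessions WHERE sessionID="$session_id";};
}

# Strict cookie parser: sessionId must be exactly 32 hex digits and
# userID digits only. Anything else fails to match and yields nothing.
sub parse_cookie {
    my ($cookie) = @_;
    return unless defined $cookie;
    my ($session_id, $user_id) =
        $cookie =~ m/sessionId=([A-F0-9]{32}); userID=([0-9]+);/;
    return unless defined $session_id;
    return ($session_id, $user_id);
}

# Placeholder lookup: the value is sent to the driver separately from the
# statement text, so quote characters inside it cannot alter the query.
sub lookup_session {
    my ($dbh, $session_id) = @_;
    my $sth = $dbh->prepare(
        'SELECT sessionID, userID FROM sessions WHERE sessionID = ?');
    $sth->execute($session_id);
    return $sth->fetchrow_hashref;
}

# Constructed in-memory stand-in for the sessions table (userID 1 = admin).
sub build_db {
    my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
        { RaiseError => 1, AutoCommit => 1 });
    $dbh->do('CREATE TABLE sessions (sessionID CHAR(32), userID INTEGER)');
    $dbh->do('INSERT INTO sessions VALUES (?, ?)', undef, 'A' x 32, 1);
    $dbh->do('INSERT INTO sessions VALUES (?, ?)', undef, 'B' x 32, 42);
    return $dbh;
}

my $dbh = build_db();

# The tampered value from the thread, rendered into the interpolated query.
my $hostile = q{" OR userID="1};
print "Interpolated: ", interpolated_sql($hostile), "\n";

# The same value handed to a placeholder is just a string that matches no row.
my $row = lookup_session($dbh, $hostile);
print "Placeholder lookup with hostile value: ",
      ($row ? "row found, userID=$row->{userID}" : 'no row'), "\n";

# A genuine session id still resolves through the placeholder query.
$row = lookup_session($dbh, 'B' x 32);
print "Placeholder lookup with real id: userID=$row->{userID}\n";

# The strict cookie regex rejects the tampered cookie before any SQL runs.
my $bad_cookie  = qq{sessionId=$hostile; userID=1;};
my $good_cookie = 'sessionId=' . ('B' x 32) . '; userID=42;';
print "Strict parse of tampered cookie: ",
      (parse_cookie($bad_cookie) ? 'accepted' : 'rejected'), "\n";
my ($sid, $uid) = parse_cookie($good_cookie);
print "Strict parse of valid cookie: sessionId=$sid userID=$uid\n";
```

Two notes on the regex question. `[A-F0-9]{32}` accepts uppercase hex only; if the ids are generated as lowercase hex (Digest::MD5's `md5_hex`, for instance, returns lowercase), match the case your generator actually emits or use `[A-Fa-f0-9]{32}`. The tightened pattern is worthwhile input validation, but it is the placeholder that removes the injection: the `userID` capture, or any other value that reaches the SQL by interpolation, stays exploitable no matter how strict the session id pattern is.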

Re^6: RFUC : aXML release 0.2.0
by jdporter (Canon) on Jul 18, 2011 at 13:47 UTC

    Personally I think it would have been far more awesome to let him leave that particular avenue of exploit open in his code.

    Interestingly (not), when I mentioned "bobby tables" to him before, he blew me off (out of sheer ignorance, of course), claiming that his code was already immune to SQL injection attacks.

      I didn't blow you off and I didn't say it was immune, I said I had tested it and couldn't find an attack vector, and if you had one could you please clarify, which you failed to do.

        I don't need to show an attack vector; the fact is that your code was patently vulnerable to SQL injection attacks. Exactly how one might attack depends on how your code interacts with the outside world. Maybe you've secured it at the application layer. Maybe your code isn't being used on Internet-connected machines at all. That would be pretty secure, despite this vulnerability.
