How do I exploit "EXEC @sql"?

Asked 16/9, 2010 at 22:7 Answered 16/9, 2010 at 22:20

Solved sql-server t-sql sql-injection validation dynamic-sql

My co-worker is being unsafe with his code and is allowing a user to upload an SQL file to be run on the server. He strips out any key words in the file such as "EXEC", "DROP", "UPDATE", "INSERT", "TRUNC"

I want to show him the error of his ways by exploiting his EXEC ( @sql )

My first attempt will be with 'EXEXECEC (N''SELECT ''You DRDROPOPped the ball Bob!'')'

But he might filter that all out in a loop.

Is there a way I can exploit my co-worker's code? Or is filtering out the key words enough?

Edit: I got him to check in his code. If the code contains a keyword he does not execute it. I'm still trying to figure out how to exploit this using the binary conversion.

Forever answered 16/9, 2010 at 22:7 Comment(5)

+1 For such an awesome question. We should exploit our co-workers more often. – Medardas 16/9, 2010 at 22:32

Just give us the URL and log the uploads! – Salters 16/9, 2010 at 22:36

As for your first attempt: are you telling us your co-worker still tries to execute a piece of uploaded code after he found an EXEC there? – Salters 16/9, 2010 at 22:41

I'm not sure exactly how he does it at the moment. He forgot to add the files with the validation to subversion :( so I can't check up on him. – Forever 16/9, 2010 at 23:0

But yes, coders daft enough to think they get blacklist their way out of this situation quite often employ approaches like naïve stripping. – Languishment 16/9, 2010 at 23:15

Tell your co-worker he's a moron.
Do an obfuscated SQL query, something like:

select @sql = 0x44524f5020426f627350616e7473

This will need some tweaking depending on what the rest of the code looks like, but the idea is to encode your code in hex and execute it (or rather, let it be executed). There are other ways to obfuscate code to be injected.

You've got a huge security hole there. And the funny part is, this is not even something that needs to be reinvented. The proper way to stop such things from happening is to create and use an account with the correct permissions (eg: can only perform select queries on tables x, y and z).

Gaea answered 16/9, 2010 at 22:12 Comment(2)

he hee - just incase you didn't know that hex and when translated into ascii it translates to drop bobspants – Confederate 16/9, 2010 at 22:15

Good call on the user account. That will solve his issue for sure. – Forever 16/9, 2010 at 23:4

Have a look at ASCII Encoded/Binary attacks ...

should convince your friend he is doomed.. ;)

And here some help on how to encode the strings ..
Converting a String to HEX in SQL

Dalton answered 16/9, 2010 at 22:20 Comment(0)

Recommended topics

Hot tags