 |
|
 |
|
On Mon, 13 Feb 2012 21:56:57 +0000, Gary Smith <...@l33t-d00d.co.uk
Nothing on MySQL - however, if the back end was an MS SQL server then
the first query would prove that the user had access to the sysobjects
table (ie wasn't constrained within a view, etc).
The second is - the char(124) evaluates to |user|=0. I'm not sure what
this one does, tbh.
Gary
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql
|
|
 |
|
 |
|
|
|
|
On Mon, 13 Feb 2012 14:09:06 -0800, Haluk Karamete <...@gmail.com
Gary,
you've mentioned that the user would have had access to the sysobjects
Let's assume he did. The page that this attempt occurred is hard-wired
to display a single record in detail view. In the code, I have a bunch
of echo $row-<title kind of statements...
I'm even more curious now; what kind of goodies this evil user would
have gotten with having access to the sysobjects from the query
string? I mean how would my page display sysobjects data when I don't
have anything to do with echo sysobjects stuff?
can you shed some light maybe?
thx.
On Mon, Feb 13, 2012 at 1:56 PM, Gary Smith <...@l33t-d00d.co.uk
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql
|
|
|
|
|
|
|
|
|
On Tue, 14 Feb 2012 09:10:11 +0000, Gary Smith <...@l33t-d00d.co.uk
No, there's a difference. *If* they had access to sysobjects then it
could've caused issues.
Ideally, you should have some level of segregation within your database.
That is, the user that is querying the database from the website doesn't
have access (read/write) to sysobjects as this isn't required.
To clarify - the credentials that are used on your website should only
have the minimum level of access: If these details are for any reason
compromised, then, should the person with those credentials get access
to the back end, they'll only be able to see the information that they'd
be able to on the website (albeit in a raw format). If they can see more
than that, then the potential for damage increases significantly.
Consider that you run your website with the root user credentials. These
are compromised. The person with these now has your root user details
and, as a result, makes a concerted effort to find a way in to your back
end. Having successfully done this, they can then drop the database.
You could always escape these. Some SQL injection attacks do account for
this kind of thing. They're typically much more sophisticated than the
one you quoted.
The family silver? Sysobjects contains pretty much everything about your
database - information about tables, views, stored procedures. Consider
it as something like a blueprint of your database.
It wouldn't be inconceivable to escape out of what you've done to
protect yourself. I assume that if you're passing any input to the
database that it's already escaped?
Hopefully that helps.
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql
|
|
|
|
|
|
|
|
|
On Mon, 13 Feb 2012 13:59:30 -0800, Haluk Karamete <...@gmail.com
sorry, i overlooked that this IS a mysql mailing-list and we are
running ms-sql in this particular case. good catch...
I'd appreciate any insight though.
On Mon, Feb 13, 2012 at 1:56 PM, Gary Smith <...@l33t-d00d.co.uk
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql
|
|
|
|
|
|
|