Sql Injection issue

Question:  I was asked to do a security audit on few of our websites and one pops up on the scan with a possible sql injection. When I plug in the code below I get the following error “shown below” .  I can say that kind of new to sql injections… could somebody explain what I may be missing here…

URL Code that gives me error below:
http://www.website.com/ingenii.cgi?cart_id=6L8ZuK.a7221&maxp=20&ppinc=searchresults&search=%5c

Open in new window


Sql error  
Couldn't exec sth!
QUERY: INSERT INTO search_terms (search_term) values ('\')
ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\')' at line 1
MikeSecurityAsked:
Who is Participating?
 
Pasha KravtsovSupport EngineerCommented:
I'm not too familiar with cgi at all.. I would just see if you can set up some input sanitation and hide your errors etc. http://www.elated.com/articles/form-validation-with-perl-and-cgi/
I'm not sure what you're running and what's going on in your server so you're going to have to figure that out for yourself unless you are able to give some more information about what you're running
0
 
Scott Fell, EE MVEDeveloper & EE ModeratorCommented:
An sql injection refers to the ability to insert anything to your database including code that can be harmful by updating your db with malicious code or even dropping tables.  

You should never accept data directly from a url, post, cookie ect without first scrubbing the data.
0
 
MikeSecurityAuthor Commented:
Ok....so based on the error message I got... what I am not seeing in it..... not sure how the sql injection would work in this example...
0
KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

 
Scott Fell, EE MVEDeveloper & EE ModeratorCommented:
That error looks like it is coming from your cgi script.   Your your includes, "search=%5c"  and %5c is a url encoded slash.  Seeing that along with the error, "syntax to use near ''\'".  This means you are accepting input without scrubbing it first and thus open to an sql injection.   Unless the cgi script is what caught the slash or is that your scanning software?
0
 
Pasha KravtsovSupport EngineerCommented:
That is vulnerable to SQL injection and I recommend you make sure to fix it with proper sanitation.. don't forgot to also make sure the permissions of your sql user is not root otherwise attackers don't even have to use admin login etc to put a shell on your website. Easily doable with load_file() with root permissions.
0
 
MikeSecurityAuthor Commented:
so If I plug in sql statement behind "search=%5c" its going to excite the sql injection w/o scrubbing it first..... could you give me and example ... so I can have better understanding.
0
 
Pasha KravtsovSupport EngineerCommented:
So do this "search=+ORDER+BY+100--" see if it gives you an error if it does do this
"search=test+ORDER+BY+1--" and tell me if that gives you an error.
If you would like you can contact me by posting your email on my profile and I can contact you directly to help.
0
 
Pasha KravtsovSupport EngineerCommented:
Ok whatever you do, don't use the ColdFusion server if you're going to use the markup language. Every version of ColdFusion has public 0day exploits and extremely easy to hack into.
0
 
Scott Fell, EE MVEDeveloper & EE ModeratorCommented:
My bad.... I thought that was the php article.
0
 
MikeSecurityAuthor Commented:
I used the string and it didn't give me a error
0
 
Pasha KravtsovSupport EngineerCommented:
It's a little difficult to help you sqli this over comments, just google how to or use this guide:  https://www.owasp.org/index.php/SQL_Injection
0
 
Scott Fell, EE MVEDeveloper & EE ModeratorCommented:
I use ms sql server with stored procedures and parameterized statements in addition to scrubbing data.    When you use a parameter statement, you are specifying the data type and length.  If you have a character field and you know you only need 10 characters, the parameter specifies that and anything over will error.  If you are expecting a date, and something comes in not as a date, it will throw an error (that you need to catch).  Same for  numbers.   This gives you several layers of protection.   I am not as familar with how it works in php/mysql http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php and perhaps Pasha can expand.  

This article goes into pdo and mysqli which is where this comes into play
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_686-PHP-Prevent-SQL-Injection.html

And some good tips from Ray  http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_12293-AntiPHPatterns-and-AntiPHPractices.html
0
 
MikeSecurityAuthor Commented:
Thanks for the help...
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.