Solved

Sql Injection issue

Posted on 2014-03-28
14
464 Views
Last Modified: 2014-04-09
Question:  I was asked to do a security audit on few of our websites and one pops up on the scan with a possible sql injection. When I plug in the code below I get the following error “shown below” .  I can say that kind of new to sql injections… could somebody explain what I may be missing here…

URL Code that gives me error below:
http://www.website.com/ingenii.cgi?cart_id=6L8ZuK.a7221&maxp=20&ppinc=searchresults&search=%5c

Open in new window


Sql error  
Couldn't exec sth!
QUERY: INSERT INTO search_terms (search_term) values ('\')
ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\')' at line 1
0
Comment
Question by:amstoots
  • 5
  • 5
  • 4
14 Comments
 
LVL 52

Expert Comment

by:Scott Fell, EE MVE
Comment Utility
An sql injection refers to the ability to insert anything to your database including code that can be harmful by updating your db with malicious code or even dropping tables.  

You should never accept data directly from a url, post, cookie ect without first scrubbing the data.
0
 

Author Comment

by:amstoots
Comment Utility
Ok....so based on the error message I got... what I am not seeing in it..... not sure how the sql injection would work in this example...
0
 
LVL 52

Expert Comment

by:Scott Fell, EE MVE
Comment Utility
That error looks like it is coming from your cgi script.   Your your includes, "search=%5c"  and %5c is a url encoded slash.  Seeing that along with the error, "syntax to use near ''\'".  This means you are accepting input without scrubbing it first and thus open to an sql injection.   Unless the cgi script is what caught the slash or is that your scanning software?
0
 
LVL 5

Expert Comment

by:Pasha Kravtsov
Comment Utility
That is vulnerable to SQL injection and I recommend you make sure to fix it with proper sanitation.. don't forgot to also make sure the permissions of your sql user is not root otherwise attackers don't even have to use admin login etc to put a shell on your website. Easily doable with load_file() with root permissions.
0
 

Author Comment

by:amstoots
Comment Utility
so If I plug in sql statement behind "search=%5c" its going to excite the sql injection w/o scrubbing it first..... could you give me and example ... so I can have better understanding.
0
 
LVL 5

Expert Comment

by:Pasha Kravtsov
Comment Utility
So do this "search=+ORDER+BY+100--" see if it gives you an error if it does do this
"search=test+ORDER+BY+1--" and tell me if that gives you an error.
If you would like you can contact me by posting your email on my profile and I can contact you directly to help.
0
 
LVL 52

Expert Comment

by:Scott Fell, EE MVE
Comment Utility
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 5

Expert Comment

by:Pasha Kravtsov
Comment Utility
Ok whatever you do, don't use the ColdFusion server if you're going to use the markup language. Every version of ColdFusion has public 0day exploits and extremely easy to hack into.
0
 
LVL 52

Expert Comment

by:Scott Fell, EE MVE
Comment Utility
My bad.... I thought that was the php article.
0
 

Author Comment

by:amstoots
Comment Utility
I used the string and it didn't give me a error
0
 
LVL 5

Expert Comment

by:Pasha Kravtsov
Comment Utility
It's a little difficult to help you sqli this over comments, just google how to or use this guide:  https://www.owasp.org/index.php/SQL_Injection
0
 
LVL 52

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 250 total points
Comment Utility
I use ms sql server with stored procedures and parameterized statements in addition to scrubbing data.    When you use a parameter statement, you are specifying the data type and length.  If you have a character field and you know you only need 10 characters, the parameter specifies that and anything over will error.  If you are expecting a date, and something comes in not as a date, it will throw an error (that you need to catch).  Same for  numbers.   This gives you several layers of protection.   I am not as familar with how it works in php/mysql http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php and perhaps Pasha can expand.  

This article goes into pdo and mysqli which is where this comes into play
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_686-PHP-Prevent-SQL-Injection.html

And some good tips from Ray  http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_12293-AntiPHPatterns-and-AntiPHPractices.html
0
 
LVL 5

Accepted Solution

by:
Pasha Kravtsov earned 250 total points
Comment Utility
I'm not too familiar with cgi at all.. I would just see if you can set up some input sanitation and hide your errors etc. http://www.elated.com/articles/form-validation-with-perl-and-cgi/
I'm not sure what you're running and what's going on in your server so you're going to have to figure that out for yourself unless you are able to give some more information about what you're running
0
 

Author Closing Comment

by:amstoots
Comment Utility
Thanks for the help...
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Read about achieving the basic levels of HRIS security in the workplace.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now