Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Sql Injection issue

Posted on 2014-03-28
14
Medium Priority
?
502 Views
Last Modified: 2014-04-09
Question:  I was asked to do a security audit on few of our websites and one pops up on the scan with a possible sql injection. When I plug in the code below I get the following error “shown below” .  I can say that kind of new to sql injections… could somebody explain what I may be missing here…

URL Code that gives me error below:
http://www.website.com/ingenii.cgi?cart_id=6L8ZuK.a7221&maxp=20&ppinc=searchresults&search=%5c

Open in new window


Sql error  
Couldn't exec sth!
QUERY: INSERT INTO search_terms (search_term) values ('\')
ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\')' at line 1
0
Comment
Question by:Mike
  • 5
  • 5
  • 4
14 Comments
 
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 39962634
An sql injection refers to the ability to insert anything to your database including code that can be harmful by updating your db with malicious code or even dropping tables.  

You should never accept data directly from a url, post, cookie ect without first scrubbing the data.
0
 

Author Comment

by:Mike
ID: 39962644
Ok....so based on the error message I got... what I am not seeing in it..... not sure how the sql injection would work in this example...
0
 
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 39962678
That error looks like it is coming from your cgi script.   Your your includes, "search=%5c"  and %5c is a url encoded slash.  Seeing that along with the error, "syntax to use near ''\'".  This means you are accepting input without scrubbing it first and thus open to an sql injection.   Unless the cgi script is what caught the slash or is that your scanning software?
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 39962706
That is vulnerable to SQL injection and I recommend you make sure to fix it with proper sanitation.. don't forgot to also make sure the permissions of your sql user is not root otherwise attackers don't even have to use admin login etc to put a shell on your website. Easily doable with load_file() with root permissions.
0
 

Author Comment

by:Mike
ID: 39962714
so If I plug in sql statement behind "search=%5c" its going to excite the sql injection w/o scrubbing it first..... could you give me and example ... so I can have better understanding.
0
 
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 39962724
So do this "search=+ORDER+BY+100--" see if it gives you an error if it does do this
"search=test+ORDER+BY+1--" and tell me if that gives you an error.
If you would like you can contact me by posting your email on my profile and I can contact you directly to help.
0
 
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 39962733
0
 
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 39962740
Ok whatever you do, don't use the ColdFusion server if you're going to use the markup language. Every version of ColdFusion has public 0day exploits and extremely easy to hack into.
0
 
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 39962750
My bad.... I thought that was the php article.
0
 

Author Comment

by:Mike
ID: 39962760
I used the string and it didn't give me a error
0
 
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 39962773
It's a little difficult to help you sqli this over comments, just google how to or use this guide:  https://www.owasp.org/index.php/SQL_Injection
0
 
LVL 54

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 1000 total points
ID: 39962782
I use ms sql server with stored procedures and parameterized statements in addition to scrubbing data.    When you use a parameter statement, you are specifying the data type and length.  If you have a character field and you know you only need 10 characters, the parameter specifies that and anything over will error.  If you are expecting a date, and something comes in not as a date, it will throw an error (that you need to catch).  Same for  numbers.   This gives you several layers of protection.   I am not as familar with how it works in php/mysql http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php and perhaps Pasha can expand.  

This article goes into pdo and mysqli which is where this comes into play
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_686-PHP-Prevent-SQL-Injection.html

And some good tips from Ray  http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_12293-AntiPHPatterns-and-AntiPHPractices.html
0
 
LVL 5

Accepted Solution

by:
Pasha Kravtsov earned 1000 total points
ID: 39962796
I'm not too familiar with cgi at all.. I would just see if you can set up some input sanitation and hide your errors etc. http://www.elated.com/articles/form-validation-with-perl-and-cgi/
I'm not sure what you're running and what's going on in your server so you're going to have to figure that out for yourself unless you are able to give some more information about what you're running
0
 

Author Closing Comment

by:Mike
ID: 39989897
Thanks for the help...
0

Featured Post

Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
In this article, we’ll look at how to deploy ProxySQL.
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question