
I have discovered that some old (2009) code that was written for a website did, under certain circumstances on a search query, save the SQL as a $_GET variable!

When the search was carried out, the details are POSTED and then sanitized, and the results are paginated with the LIMIT clause in MySQL. If there is more than one page (ie +30 results) the pages are anchor links in the HTML with a GET var containing the SQL statement.

I know, this is absolutely not the way to do this. It's old code I've just seen it by chance. This needs to be fixed.

So I've fixed it, sanitized it and used an alternative method to reload the SQL, BUT:

My question is thus:

The page outputs the data relating to thumbnail images; all data is output as a named array var (the original clause is a SELECT * clause), so if someone does abuse the GET variable, the page itself will only output the columns named.

I have managed to DELETE rows from the DB using the GET abuse. I would like to think the abuse is only effective if the result is not involving any returned output (such as DELETE), but I don't know; so given that the user can input anything into the GET clause but only get the displayed output of what's coded (ie named columns in a 30 row array) -- what other abuses can this gaping hole be open to?

Further details: The code is MySQLi

  • They could have done almost everything with the db they wanted to. – Jordy Dec 05 '14 at 12:13
  • can you expand on this, as in what can they do considering that the output on the page would only be the defined columns, etc. – Martin Dec 05 '14 at 12:14
  • Very, very dangerous: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php , http://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work – S.Pols Dec 05 '14 at 12:14
  • to determine what could've happened to your data, you need to tell us what extension was being used, and how. If the code used `mysqli` and `multi_query` was being used, there's no telling what the damage is – Elias Van Ootegem Dec 05 '14 at 12:17
  • Good edits @Thomas. OP, we value brevity here in questions - keep them succinct if you can! – halfer Dec 05 '14 at 12:18
  • ok, cheers Halfer. I'm still a bit shocked this (issue) has been open so long! @EliasVanOotegem the code is MySQLi, now noted on the question. Cheers. – Martin Dec 05 '14 at 12:20

2 Answers


A tool like SQLMAP can probably take over the entire server and do with it whatever the user wants.

Having an unsanitized database input isn't even hacking anymore, it's waiting for someone to run a script on your machine and basically own it from that point on.

Erik
  • This is not an answer I like but thanks, I'll check out SQLMap – Martin Dec 05 '14 at 12:21
  • What do you not like about it? I could expand it, but "absolutely everything" is probably the answer. SQLMAP can probably automatically get root privileges on your server through a combination of exploits. Check out their demo video, it shows them using it on a server that has an exploit like yours available and they end up as a system administrator for that machine. – Erik Dec 05 '14 at 12:23
  • well ok, I do very much like the answer but the scope of the SQLMAP is far more than I initially expected but does show me the possible worst case in this situation. I do appreciate your answer in that alone I had no knowledge of SQLMAP (and thus its abilities in this situation) beforehand. – Martin Dec 05 '14 at 12:30

What the attacker can do depends on your database configuration and database user access. If you create a new user with a permission to only SELECT that one specified table, and use that user for that particular script, the harm it can do is reading data from that table.

Still this is bad practice. Never use it.

invisal
  • The database user does not have universal rights but I'm looking now into what rights this one does have, cheers for the answer – Martin Dec 05 '14 at 12:27
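Putting the question's pagination problem and invisal's least-privilege point together, as an added example that is not code from the question or any answer: the page link carries only the search term and page number, the query is rebuilt server-side as a mysqli prepared statement, and the connection uses a SELECT-only user. The table `thumbnails`, its columns, and the credentials are assumed.

```php
<?php
declare(strict_types=1);
// Added example, not the original site's code. Assumed schema:
//   CREATE TABLE thumbnails (id INT PRIMARY KEY, title VARCHAR(255), thumb_path VARCHAR(255));
// Assumed least-privilege account, created once by the DBA:
//   GRANT SELECT ON site.thumbnails TO 'thumb_reader'@'localhost';

const PAGE_SIZE = 30;

function pageOffset(array $get): int
{
    // FILTER_VALIDATE_INT rejects "1 OR 1=1", "-1", "1e3", etc.; fall back to page 1.
    $page = filter_var($get['page'] ?? 1, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'default' => 1]]);
    return ($page - 1) * PAGE_SIZE;
}

function searchThumbnails(mysqli $db, string $term, int $offset): array
{
    // The SQL text is a constant; user data only travels as bound parameters,
    // so nothing in $_GET or $_POST can change the statement's structure.
    $stmt = $db->prepare(
        'SELECT id, title, thumb_path FROM thumbnails WHERE title LIKE ? ORDER BY id LIMIT ? OFFSET ?'
    );
    // Escape LIKE wildcards so "%" or "_" in the term match literally (this is not SQL escaping).
    $like  = '%' . addcslashes($term, '%_\\') . '%';
    $limit = PAGE_SIZE;
    $stmt->bind_param('sii', $like, $limit, $offset);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

function nextPageLink(string $term, int $page): string
{
    // The pagination link carries the inputs, never the query.
    return '?' . http_build_query(['q' => $term, 'page' => $page + 1]);
}

// Usage (credentials are placeholders)
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'thumb_reader', 'placeholder-password', 'site');
$db->set_charset('utf8mb4');
$term = (string)($_GET['q'] ?? '');
$page = max(1, intdiv(pageOffset($_GET), PAGE_SIZE) + 1);
foreach (searchThumbnails($db, $term, pageOffset($_GET)) as $row) {
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
}
echo '<a href="', htmlspecialchars(nextPageLink($term, $page), ENT_QUOTES, 'UTF-8'), '">next</a>';
```

Even if a bound value is somehow malformed, the `thumb_reader` account can only read that one table, so a DELETE like the one the question describes would fail on privileges rather than succeed.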