Reputation: 16055
Just recently our client got their site tested by the penetration tests company and in report it states that in some form on some field there could be a SQL injection performed. They only state the DB server version and a few of tables they have found.
I tried hard to perform the SQL injection on that field but I cannot get a relevant result. I guess the problem with SQL injection on that field is:
SELECT 1 FROM table WHERE column = '{$value}'
Because of all this I do not know how to perform a SQL injection that would return some data... I know I could do insert, update and delete queries, so there is SQL injection indeed, but how do I retrieve some data from a select query using this field and its validation method?
HEY GUYS! I am not asking "is there any SQL injection?" or "Is SQL injection a bad thing?" - I know there is SQL injection and I know it is mega bad, but my question is HOW CAN I PERFORM SQL INJECTION THAT WOULD RETRIEVE ANY DATA while you know the conditions above...
The comments below are useless...
Upvotes: 0
Views: 1577
Reputation: 67722
It could take time to devise a method to completely take control of your DB once the vulnerability is found, especially if the attacking party has to spoof/rewrite client-side code to be compatible with your vulnerable server-side validation. This is also probably not a part of the security mission: its actual goal is to find vulnerabilities, not exploit them.
Therefore, it would be quite pointless to spend resources here, the main point is that you have a vulnerability and you have to correct it. Even if the security team couldn't exploit it, it doesn't prove anything: a more experienced and/or motivated team of outlaws can certainly exploit it. In particular, there are tools that automate the process of exploiting a SQL injection vulnerability once it is found.
Don't spend too much time trying to understand the subtleties of client-side alteration: the most important part is robust server-side validation.
Also use prepared statements, problem solved.
Upvotes: 2
Reputation: 146420
It's clear that:
You aren't using the prepared statements feature that the OCI8 PHP extension provides (otherwise, you'd have column = :value instead of column = '{$value}').
Your validation is client-side, thus can be easily overridden.
So you do have a SQL injection vulnerability. Now, that doesn't mean that we can necessarily steal your passwords or credit card numbers. The minimum effect is that parameters provided by a user can make your app crash, and that's bad enough.
About the precise potential of this injection, it's hard to say without even knowing what the app does. Usual possibilities include:
Update:
Without seeing what your PHP code does:
$value = "' UNION ALL SELECT credit_card FROM billing_info -- ";
Upvotes: 4
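Both answers above come down to the same fix: bind the value with OCI8 instead of interpolating it into the SQL text, and validate on the server. The following is an added example written for this page, not code from the question or from either answer; the table name, column name, connection details and the character whitelist are assumptions chosen for illustration. It places the vulnerable pattern from the question next to its parameterized form and shows, with an ordinary value containing an apostrophe, why the interpolated version breaks while the bound version does not.

```php
<?php
// Added example (not from the original question or answers).
// Assumes an Oracle schema with a table SOME_TABLE and a column SOME_COLUMN
// (placeholder names) and an OCI8 connection obtained with oci_connect().

// --- The vulnerable pattern from the question ---------------------------------
// The user-controlled value becomes part of the SQL text, so any quote character
// changes the structure of the statement. Client-side validation does not help:
// the request can be sent without the browser code that performs the check.
function buildVulnerableSql(string $value): string
{
    return "SELECT 1 FROM SOME_TABLE WHERE SOME_COLUMN = '{$value}'";
}

// --- Server-side validation -------------------------------------------------
// Reject anything that does not match what the field legitimately holds.
// The whitelist (letters, digits, space, apostrophe, hyphen, 1-64 chars) is an
// assumption; tighten it to the real format of the field.
function isValidLookupValue(string $value): bool
{
    return preg_match("/^[A-Za-z0-9 '\\-]{1,64}$/", $value) === 1;
}

// --- The parameterized form --------------------------------------------------
// The SQL text is a constant; the value travels to the server as a bind
// variable and can never be parsed as SQL, whatever it contains.
function rowExists($conn, string $value): bool
{
    if (!isValidLookupValue($value)) {
        throw new InvalidArgumentException('lookup value has an unexpected format');
    }

    $sql  = 'SELECT 1 FROM SOME_TABLE WHERE SOME_COLUMN = :value';
    $stmt = oci_parse($conn, $sql);
    if ($stmt === false) {
        $e = oci_error($conn);
        throw new RuntimeException('parse failed: ' . $e['message']);
    }

    // Bind by name; OCI8 takes the variable by reference, so pass a variable.
    if (!oci_bind_by_name($stmt, ':value', $value)) {
        $e = oci_error($stmt);
        throw new RuntimeException('bind failed: ' . $e['message']);
    }

    if (!oci_execute($stmt)) {
        $e = oci_error($stmt);
        oci_free_statement($stmt);
        throw new RuntimeException('execute failed: ' . $e['message']);
    }

    $row = oci_fetch_row($stmt);
    oci_free_statement($stmt);
    return $row !== false;
}

// --- Illustration of the difference (no database needed for this part) -------
// A perfectly legitimate value with an apostrophe: the interpolated statement is
// no longer valid SQL, which is the "crash" effect the accepted answer mentions.
$legitimate = "O'Brien";
echo buildVulnerableSql($legitimate), PHP_EOL;
// SELECT 1 FROM SOME_TABLE WHERE SOME_COLUMN = 'O'Brien'   <- broken statement

// With binding, the statement text never changes and the same value is just data.
// Connection details are placeholders; replace with your own before running.
$conn = @oci_connect('APP_USER', 'APP_PASSWORD', 'localhost/XEPDB1');
if ($conn) {
    var_dump(rowExists($conn, $legitimate)); // true or false, never a syntax error
    oci_close($conn);
} else {
    echo "no database connection; skipping the live lookup", PHP_EOL;
}
```

The bind variable is the part that actually closes the hole; the whitelist in isValidLookupValue() is defence in depth that also catches malformed input before it reaches the database. If the field legitimately accepts free text, drop the whitelist but keep the binding.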