1

One potential client gave me access to his FTP last night to check a small piece of web software, to see if I can perform the changes he wants, and I found the following line in the code:

$query = mysql_query("SELECT * FROM request WHERE MD5(CONCAT(id, code)) = '{$_GET['r']}' LIMIT 1");

I read in this question that mysql_query doesn't support multiple queries, so that's the reason why I wasn't able to erase a test table I created myself.

I did manage to use the old trick ' or 1 = 1 --, but the software interface is designed to list only one result of the query, which means I can't get my hands on all the data. But on this subject, the application is a small piece of web software that processes requests.

  • You get a link
  • You click on Pay now
  • You pay your debt in another website
  • You return to the website
  • You get a receipt email.

The application doesn't hold sensitive data; it doesn't matter if you can find and load other people's requests, because you're not willing to pay their bills and there's nothing else you can do. No password involved, no credit card involved, nothing. Nothing you can steal from the database matters.

The question is

In this case, do I have anything to support the allegation that inputting your data directly into the SQL is unsafe? Is there any way to delete or update (update in the sense of corrupting) the data using SQL Injection, so I can prove that it's actually unsafe? Or otherwise do we have to admit that under the circumstances the software is safe enough?

The question is designed to help me decide whether I should report back explaining that the client should pay someone to fix all the SQL Injection vulnerabilities. But if it's not broken, he won't be paying to fix it, and apparently I can't prove that it's broken.

Edit 1:

In answer to @James in the comments, the website doesn't handle all your bills, just your bills with this specific client. For the sake of argument we can safely assume that nobody is going to be paying to fix only select vulnerabilities, because indeed you won't find any customer of theirs worried about their bills getting out.

  • 1
    "doesn't matter if you can find and load other people's request because you're not willing to pay their bills" you don't consider other people's debts or bills "sensitive" data? Would you be happy your debt/bill information being publicly available? Commented Apr 9, 2015 at 12:35
  • 2
    What about an injection that over-performs and hijacks CPU, effectively a DOS attack. Commented Apr 9, 2015 at 12:35
  • 3
    This is 2015. Prepare your statements. Commented Apr 9, 2015 at 12:40
  • 2
    TBH I don't care what bill or information it is - it's not up to you to decide if I want my info to be available to others or not. (obviously not including obvious public data such as posting on twitter etc) Commented Apr 9, 2015 at 12:43
  • 1
    @MarcoAurélioDeleu Does the program have other points of entry? You told us about the retrieval of data, but when the visitor returns are they carrying information for an update to say the bill was paid? Does the payment gateway do that directly (ie. silent post)? Or are there any other entry points (visitor facing or not) that can be accessed to perform any level of update or delete? If so, then the ability to discover what those weaknesses are will be available through this vector and they can exploit through another. Commented Apr 9, 2015 at 13:04

2 Answers

4

You are able to alter the structure and meaning of the query; you are able to add or remove conditions etc. from it and generally make it behave in ways the author did not intend. This is a security issue no matter how you look at it. You may not be able to find an ad hoc exploit for it, but it can give someone a leg up in some way or another that nobody anticipates right now. For example, it can be used to probe the database for the existence of data or tables and columns. That alone can give an attacker additional information to formulate a more specific attack elsewhere.
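The point this answer makes, that the input changes the structure of the query rather than just a value, can be checked in a few lines. The following is an added example, not code from the question or from either answer: it rebuilds the query from the question in an in-memory SQLite database (with MD5() and CONCAT() registered as user functions so the SQL text stays identical to the PHP line), runs the asker's ' or 1 = 1 -- input through the string-built query and through a parameterized one, and returns both results. The table contents are constructed sample rows; the column layout (id, code) is assumed from the query.

```python
import hashlib
import sqlite3

# Constructed sample rows for the assumed table request(id, code); not real data.
SAMPLE_ROWS = [(1, "a1b2"), (2, "c3d4"), (3, "e5f6")]


def open_db():
    """In-memory SQLite stand-in for the MySQL table. MD5() and CONCAT() are
    registered as user functions so the original query text runs unchanged."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("MD5", 1, lambda s: hashlib.md5(str(s).encode()).hexdigest())
    conn.create_function("CONCAT", 2, lambda a, b: str(a) + str(b))
    conn.execute("CREATE TABLE request (id INTEGER PRIMARY KEY, code TEXT)")
    conn.executemany("INSERT INTO request VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def token_for(row_id, code):
    """The link token the query expects: MD5 of the id followed by the code."""
    return hashlib.md5(f"{row_id}{code}".encode()).hexdigest()


def lookup_vulnerable(conn, r):
    """Mirrors the line from the question: r is pasted into the SQL text, so a
    quote character in r ends the string literal and the rest becomes SQL."""
    sql = f"SELECT * FROM request WHERE MD5(CONCAT(id, code)) = '{r}' LIMIT 1"
    return conn.execute(sql).fetchone()


def lookup_safe(conn, r):
    """Hardened form: r is bound as a parameter and is only ever compared as a
    value (the equivalent of a mysqli/PDO prepared statement in PHP)."""
    sql = "SELECT * FROM request WHERE MD5(CONCAT(id, code)) = ? LIMIT 1"
    return conn.execute(sql, (r,)).fetchone()


def compare(r):
    """Run one input through both versions; returns (vulnerable_row, safe_row)."""
    conn = open_db()
    try:
        return lookup_vulnerable(conn, r), lookup_safe(conn, r)
    finally:
        conn.close()


if __name__ == "__main__":
    print("valid token     :", compare(token_for(2, "c3d4")))
    # The asker's input: the quote closes the literal, OR 1=1 matches every
    # row, and -- comments out the rest of the query including LIMIT 1.
    print("' OR 1=1 -- trick:", compare("' OR 1=1 -- "))
    print("random string   :", compare("not-a-token"))
```

With a genuine token both versions return the same row. With the injected input the string-built query returns the first row of the table even though no token matched, while the parameterized query returns nothing, because the whole string is compared against the MD5 value and never parsed as SQL. That difference is the evidence that the input rewrites the query, independent of whether the data retrieved is sensitive.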


Comments

4

Yes this is a security risk.

For example,

$_GET['r'] = "1 AND code LIKE '%_[^!_%/%a?F%_D)_(F%)_%([)({}%){()}£$&N%_)$*£()$*R\"_)][%](%[x])%a][$*\"£$-9]_%'";

And we have a wildcard attack.

SQL Wildcard Attacks are about forcing the underlying database to carry out CPU-intensive queries by using several wildcards. This vulnerability generally exists in search functionalities of web applications. Successful exploitation of this attack will cause Denial of Service.

Beyond that, an attacker can manipulate $_GET['r'] to find out more on your database, such as other tables, columns, and even databases - which is a huge security vulnerability in itself.

6 Comments

I'll be asking permission to test this during the night, if it works it will be reason enough to fix. On the database matter, like I said in the question, retrieving data won't matter at all.
@MarcoAurélioDeleu Why not grab a copy of the site and test away from live? Then you can hammer it to death in all ways without it being a problem to anyone
@MarcoAurélioDeleu "retrieving data won't matter at all". It will. If an attacker knows your database design (tables, columns, databases) he can then use this knowledge on other attacks, or even probe them for data. If you did not intend for someone to see some data (ie: data linked to another account), this is a security risk.
@James because the client in question will argue that it is not unsafe until I prove otherwise in his own website environment. Unless I show a table being dropped, a record being altered or the server going down, life will move on. Apparently, this has been running since 2008 and no problems have arisen.
Just curious, but did you manage to test this @MarcoAurélioDeleu - if so, did you see the effects?
