Did I find a SQL injection bug in SQL Server?

So, I played with my MS SQL Server 2008 to find out how it is protected against SQL injection. The application allows users to create views in the database.

Now consider the following:

create view dbo.[]]; drop database foo--] as select 1 as [hi!] 

This creates a view whose name is ]; drop database foo-- . It is valid and you can select from it (it returns the number 1, obviously).

Strange thing # 1:

In SQL Server Management Studio, the query SELECT [hi!] FROM [dbo].[]]; drop database foo--] is red-underlined as invalid, with a message that the object name is not valid. However, it executes and returns 1.

Strange thing # 2:

Calling OBJECT_ID(']; drop database foo--') yields NULL (which means the object does not exist), but the following query returns the view information properly:

 select * from sys.objects where name = ']; drop database foo--'; 

Are these bugs, or am I missing something?

+4
4 answers
  • 1: this means that the IntelliSense parser does not handle several details of the SQL syntax. Although this may be an IntelliSense bug, it is not an injection vector.

  • 2: OBJECT_ID() accepts multi-part names, so the name needs to be quoted when it is ambiguous: select object_id('[]]; drop database foo--]')

+8
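The two OBJECT_ID lookups from the answer above, reproduced end to end as an added T-SQL example (this is not code from the original thread). It assumes a scratch database and SSMS or sqlcmd, which is where the GO batch separators come from; CREATE VIEW has to be the only statement in its batch.

```sql
-- Added example: why OBJECT_ID(']; drop database foo--') is NULL while the
-- catalog query finds the view. Run in a scratch database (assumption).

-- Same view as in the question: the ']' inside the name is doubled.
CREATE VIEW dbo.[]]; drop database foo--] AS SELECT 1 AS [hi!];
GO

-- Unquoted: OBJECT_ID parses its argument as a multi-part name, so the ';'
-- and ']' are treated as syntax, not as characters of the name -> NULL.
SELECT OBJECT_ID(N']; drop database foo--') AS unquoted_lookup;

-- Quoted: QUOTENAME doubles the embedded ']' and wraps the name in brackets,
-- so OBJECT_ID sees one delimited identifier -> the view's object_id.
SELECT OBJECT_ID(QUOTENAME(N']; drop database foo--')) AS quoted_lookup;

-- The same thing written as a literal, as in the answer above.
SELECT OBJECT_ID(N'[]]; drop database foo--]') AS quoted_literal_lookup;

-- The catalog stores the name as a plain string and compares it as one,
-- so no quoting is involved; this is why the sys.objects query works.
SELECT name, type_desc, object_id
FROM sys.objects
WHERE name = N']; drop database foo--';

-- Querying the view works as soon as the identifier is delimited.
SELECT [hi!] FROM dbo.[]]; drop database foo--];

-- Clean up; DROP needs the same delimiting as CREATE.
DROP VIEW dbo.[]]; drop database foo--];
GO
```

The practical rule this shows: whenever a name that came from somewhere else is passed to OBJECT_ID, or spliced into any statement text, wrap it in QUOTENAME; comparing it against sys.objects.name is the one place a raw name is correct.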

You are missing the point. SQL Server cannot protect itself from SQL injection - if someone has direct access to your database, then you were already pwned. It is your application that needs to be protected from SQL injection, by parameterizing queries and preventing such statements from ever being issued against the database.

+16

It's like using your own key to get into your car and then saying, “Hey, there's a security hole, I'm allowed to steal the radio.”

0

The problem seems to be that you are inviting the SQL injection yourself, by accepting user input and using it as the text of a SQL statement.

The fact that you "correctly escaped" ] (by replacing it with ]]) really does not matter - if you allow user input to be used as anything other than a value, then by definition you are allowing SQL injection.

0
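The point made in the two answers above (parameterize values; never let user input act as anything but a value, and treat identifiers separately) as an added T-SQL example that is not part of the original thread. The table, view and the two stored procedures are constructed for the demo and are assumptions, not anything the original application had; the scenario is an application helper that queries a user-chosen view, since that is the kind of dynamic SQL the question's application would need. RAISERROR is used instead of THROW so it also runs on SQL Server 2008.

```sql
-- Added example: dynamic SQL built from user input, unsafe and hardened.
-- Constructed demo schema (assumption).
CREATE TABLE dbo.Orders (id int, status nvarchar(20));
INSERT dbo.Orders VALUES (1, N'open'), (2, N'closed');
GO
CREATE VIEW dbo.v_open AS SELECT id, status FROM dbo.Orders WHERE status = N'open';
GO

-- VULNERABLE: the identifier and the value are both pasted into the
-- statement text. Escaping ']' when the view was *created* changes nothing
-- here, because the text is rebuilt from raw input on every call.
CREATE PROCEDURE dbo.usp_QueryView_Unsafe
    @ViewName nvarchar(128),
    @Status   nvarchar(20)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT id, status FROM dbo.[' + @ViewName
        + N'] WHERE status = N''' + @Status + N'''';
    EXEC (@sql);
END;
GO

-- With @ViewName = N'v_open]; SELECT definition FROM sys.sql_modules--'
-- the executed batch is
--   SELECT id, status FROM dbo.[v_open]; SELECT definition FROM sys.sql_modules--] WHERE ...
-- i.e. a second statement chosen by the caller; the '--' hides the rest.
-- With @Status = N''' OR 1=1--' the WHERE clause is rewritten instead.
EXEC dbo.usp_QueryView_Unsafe N'v_open]; SELECT definition FROM sys.sql_modules--', N'open';
EXEC dbo.usp_QueryView_Unsafe N'v_open', N''' OR 1=1--';
GO

-- HARDENED: the identifier is checked against the catalog (an allow-list of
-- views that exist in dbo) and delimited with QUOTENAME, which doubles any
-- embedded ']' exactly as the question did by hand; the value is bound as a
-- parameter through sp_executesql and never becomes statement text.
CREATE PROCEDURE dbo.usp_QueryView_Safe
    @ViewName nvarchar(128),
    @Status   nvarchar(20)
AS
BEGIN
    IF NOT EXISTS (SELECT 1 FROM sys.views v
                   WHERE v.schema_id = SCHEMA_ID(N'dbo') AND v.name = @ViewName)
    BEGIN
        RAISERROR(N'Unknown view.', 16, 1);
        RETURN;
    END;

    DECLARE @sql nvarchar(max) =
        N'SELECT id, status FROM dbo.' + QUOTENAME(@ViewName)
        + N' WHERE status = @status';
    EXEC sys.sp_executesql @sql, N'@status nvarchar(20)', @status = @Status;
END;
GO

EXEC dbo.usp_QueryView_Safe N'v_open', N'open';               -- returns row 1
EXEC dbo.usp_QueryView_Safe N'v_open', N''' OR 1=1--';        -- no rows: the value is compared literally
EXEC dbo.usp_QueryView_Safe N'v_open]; SELECT 1--', N'open';  -- RAISERROR: no such view
GO

-- Clean up.
DROP PROCEDURE dbo.usp_QueryView_Unsafe, dbo.usp_QueryView_Safe;
DROP VIEW dbo.v_open;
DROP TABLE dbo.Orders;
GO
```

Note that the catalog check alone is not enough: a view that is legitimately named ]; drop database foo-- passes the check, and only QUOTENAME turns that name into a single identifier inside the generated statement. The catalog lookup decides whether the name is allowed; QUOTENAME decides how it is spelled in the SQL text; sp_executesql keeps values out of that text altogether.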

Source: https://habr.com/ru/post/1302390/
