Tuesday, January 23, 2007

SQL Injection and MyODBC

Recently I was attempting to exploit what have should have been a very vanilla SQL Injection attack. The webserver was Microsoft IIS6 serving ASP pages. This server was using MySQL's MyODBC Driver to allow this application to connect to a backend MySQL database. However, everything I tried only yielded an error message similiar to:



Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[MySQL][ODBC 3.51 Driver][mysqld-5.0.26-standard-log]You have an error in your SQL sytanx; check the manual that corresponds to your MySQL server version for the right sytanx near ';DROP table userinfo' at line 1

/test/test.asp, line 192


Having access to the asp file, I could see that the SQL Query was basically:

SELECT * FROM userinfo where user = Request.QueryString('user_id');

Normally it would be trivial to modify the HTTP Request to be:

/test.asp?user_id=bob%3BDROP%20table%20userinfo%20--

So that the SQL query would effectively become:

SELECT * FROM userinfo where user ='bob'; DROP TABLE userinfo; --


However, for some reason I could not get this to behave as expected. I was able to append other SQL syntax (AND, OR, etc) and get the desired results, but I was not able to DROP that particular table. After much digging, I ran across the following email thread:

gmane.comp.db.mysql.odbc/2003-06/msg00142.html

As it turns out the MyODBC does NOT support multiple SQL commands. While this seems to be a minor irritant for the developer in the email thread, it does provide the unintentional benefit of preventing alot of SQL Injection attacks..

There appears to be a "bug" ticket open with MySQL on this, and it appears that this could potentially be addressed in the upcoming release of MyODBC. In the meantime, for all of you web application security testers out there, maybe this can conserve some of your valuable testing time.

Labels:

Wednesday, January 03, 2007

Largest Ruby on Rails Site to Date

For those of you that are not aware, I am the Director of Security Operations for Revolution Health, founded by the likes of AOL Co-Founder Steve Case, Colin Powell, and Carly Fiorina among others. The main goal of this site is provide an all encompasing health care portal. There are forumns, blogs, Doctor Directories and Ratings, etc.. While this site was developed using a wide range of technologies, it is majority based on the relatively new web framework, Ruby on Rails. Our site is currently the largest Ruby on Rails project to date and presents its own unique set of security challenges.

Because of this, you can expect to see alot more RoR focused posts on this blog.

While the site is still in "Preview Mode", you are welcome to sign up and have a sneek-peek.

* http://www.revolutionhealth.com/preview?code=IHoUuq3GYg

Please let me know what you think.