Tuesday, August 5, 2014

SQL Injection again

Here is the minimal form (the .aspx page):

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    <p>Enter your old email address
        <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
    </p>
        <p>
            Enter your new email address
            <asp:TextBox ID="TextBox2" runat="server"></asp:TextBox>
        </p>
        <asp:Button ID="Button1" runat="server" Text="Button" OnClick="Button1_Click" />
        <p>
            <asp:Label ID="Label1" runat="server" Text="Label"></asp:Label>
        </p>
    </div>
    </form>
</body>
</html>

Here is the code-behind for the form:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }
    protected void Button1_Click(object sender, EventArgs e)
    {
        // Integrated security runs the query as the current Windows identity,
        // which in this setup is an administrator.
        SqlConnection connect = new SqlConnection
            ("Data source=localhost;initial catalog=Automart;integrated security=true");
        // Both text boxes are concatenated straight into the SQL text, so a
        // quote in the input ends the string literal and the rest is executed as SQL.
        string sql = "Update Customer.RegisteredCustomerb "
            + "Set email= '" + TextBox2.Text + "' Where email ='" + TextBox1.Text + "'";
        SqlCommand cmd = new SqlCommand(sql, connect);
        connect.Open();
        cmd.ExecuteNonQuery();
        connect.Close();
    }
}

One mistake here is to concatenate the text boxes directly into the SQL statement. Another big mistake is to connect with admin permissions. (Integrated security has admin permissions if the current Windows user has admin permissions.) The malicious user can enter whatever they want as a value in the update statement and use -- to comment out any criteria or SQL that follows. In this case the user enters GotYou@hack.com ' -- to cancel out the criteria and set all the email addresses to GotYou@hack.com. The single quote before the dashes is necessary to complete the Set statement: the text that reaches the server is Update Customer.RegisteredCustomerb Set email= 'GotYou@hack.com ' --' Where email ='...', and everything after the dashes is ignored, so the Where clause never applies.
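The corrected code-behind, as an added example that is not from the original post: the two text boxes are passed as SqlParameters so the quote-and-dashes input is treated as data rather than SQL, and the connection uses an assumed dedicated low-privilege SQL login (placeholder credentials) instead of the admin Windows identity.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class _Default : Page
{
    // Assumption: a dedicated SQL login that holds only UPDATE on
    // Customer.RegisteredCustomerb. The credentials here are placeholders.
    private const string ConnectionString =
        "Data Source=localhost;Initial Catalog=Automart;" +
        "User ID=automart_app;Password=<placeholder>";

    protected void Button1_Click(object sender, EventArgs e)
    {
        // The SQL text is fixed; the values travel as parameters, so a quote
        // or -- in either text box can never change the statement's shape.
        const string sql =
            "UPDATE Customer.RegisteredCustomerb SET email = @newEmail WHERE email = @oldEmail";

        using (SqlConnection connect = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, connect))
        {
            cmd.Parameters.Add("@oldEmail", SqlDbType.NVarChar, 256).Value = TextBox1.Text;
            cmd.Parameters.Add("@newEmail", SqlDbType.NVarChar, 256).Value = TextBox2.Text;

            connect.Open();
            int rows = cmd.ExecuteNonQuery();

            // One customer per email address is expected; any other count
            // is surfaced rather than silently accepted.
            Label1.Text = rows == 1
                ? "Email address updated."
                : "Updated " + rows + " rows.";
        }
    }
}
```

With the same GotYou@hack.com ' -- input, the UPDATE now matches no row (there is no customer with that literal email) and the label reports 0 rows updated.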

Here is a picture of it running:

Here is an image of the results in SQL Server:
