The path to an SQL-injection in Zend Framework
The title may be a little loud, but the question raised is this.
Article based on information from habrahabr.ru
First
If you follow all the rules, i.e. use Zend's internal mechanisms and prepare the parameters you pass to its methods, then at the moment there is no known SQL injection. We are talking about constructions like:
$select->order($value);
One way or another, these are encountered in practice.
Second
What is the catch? Even when parameters are passed to these methods without any preparation, the internal mechanisms still prepare them. But not all of them (some only partially), and that is what this is about.
Even though we have the source code of this library, we will treat it as a "black box"; that way things will be clearer. Specifically: the MySQL adapter and the Zend_Db_Select class (the same was tested on PgSQL).
Third
To inject into a query built by Zend, we need to close the preceding backtick (for example, in the FROM syntax: select * from `table`) or the preceding apostrophe (where id = '1'), because Zend follows the rules and, where quoting applies, wraps the value in the appropriate "framing". In the first case, passing ta`ble as input, the backtick should come out escaped; in the second, passing 1'2, the apostrophe should come out escaped.
Again, we are talking about "raw" data passed to the method.
We have three possible cases:
- FQ: all the parameters are prepared (fully quoted)
- ZFC (NQ in the summary): data is not prepared and goes into your query exactly as given (no quoting)
- PQ: some parameters are processed, some are not (partially quoted)
Let's go in order, following the order of the SQL syntax.
1) ->from — FQ
Code:
$table = "wp_use`rs";
$select = $db->select()->from($table);
[queryString] => SELECT `wp_use`rs`.* FROM `wp_use`rs`
2) ->join — PQ
$table1 = 'tab`le1';
$table2 = 'tab`le2';
$key = 'I d';
$data = 'da ta';
$select = $db->select()->from($table1)->join($table2, $table1.'.'.$key.' = '.$table2.'.'.$key, array($data));
[queryString] => SELECT `tab`le1`.*, `tab`le2`.`da`ta` FROM `tab`le1` INNER JOIN `tab`le2` ON tab'le1.I d = tab'le2.I d
3) ->joinUsing — PQ
$table1 = 'tab`le1';
$table2 = 'tab`le2';
$key = 'I d';
$column = 'C ol\'u;m"n';
$select = $db->select()->from($table1)->joinUsing($table2, $column);
[queryString] => SELECT `tab`le1`.*, `tab`le2`.* FROM `tab`le1` INNER JOIN `tab`le2` ON `tab`le2`.C ol u m"n = `tab`le1`.C ol u m"n
4) ->where — ZFC
$table = "wp_users";
$select = $db->select()->from($table);
$value = "1)2'3 --";
$select->where($value);
[queryString] => SELECT `wp_users`.* FROM `wp_users` WHERE (1)2'3 --)
5) ->group — FQ
$table = "wp_users";
$value = 'I d';
$select = $db->select()->from($table)->group($value);
[queryString] => SELECT `wp_users`.* FROM `wp_users` GROUP BY `i`d`
6) ->having — ZFC
$table = "wp_users";
$value = 'some_count > 0); hello habr -- 10';
$select = $db->select()->from($table)->having($value);
[queryString] => SELECT `wp_users`.* FROM `wp_users` HAVING (some_count > 0); hello habr -- 10)
7) ->order — FQ
$table = "wp_users";
$value = 'I d';
$select = $db->select()->from($table)->order($value);
[queryString] => SELECT `wp_users`.* FROM `wp_users` ORDER BY `i`d` ASC
8) ->limit — FQ
Here it is not even a matter of quoting: the values are cast to int.
$table = "wp_users";
$limit1 = '1; hello -- ';
$limit2 = '2; hello -- ';
$select = $db->select()->from($table)->limit($limit1, $limit2);
[queryString] => SELECT `wp_users`.* FROM `wp_users` LIMIT 1 OFFSET 2
The same applies to ->limitPage().
9) ->union — ZFC
Mixing $db->select() with a plain string:
$table = "wp_users";
$select = $db->select()->from($table);
$select2 = "select * from ta\"b le`2";
$select3 = $db->select()->union(array($select, $select2));
$db->query($select3);
[queryString] => SELECT `wp_users`.* FROM `wp_users` UNION select * from ta"le b`2
Summary
FQ: ->from ->group ->order ->limit ->limitPage
PQ: ->join ->joinUsing
NQ (ZFC above): ->where ->having ->union
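The hardened form of each non-quoted or partially quoted call above, as an added example that is not the article's own code. It assumes Zend Framework 1 with a Pdo_Mysql adapter; the connection settings, the wp_admins table and the column whitelist are placeholders.

```php
<?php
// Added example, not code from the original article: the hardened counterparts of the
// NQ/PQ calls shown above, for Zend Framework 1 (assumes Zend_Db is on the include path;
// the connection settings and the column whitelist are placeholders).
require_once 'Zend/Db.php';

$db = Zend_Db::factory('Pdo_Mysql', array(
    'host' => 'localhost', 'username' => 'app', 'password' => 'secret', 'dbname' => 'app',
));

// 4) ->where: do not pass raw input as the whole condition. With the placeholder form
// the value goes through $db->quote(), so 1)2'3 -- ends up as the literal '1)2\'3 --'.
function findUser(Zend_Db_Adapter_Abstract $db, $rawId)
{
    return $db->select()->from('wp_users')->where('id = ?', $rawId);
}

// 6) ->having: same rule; the expression is ours, only the literal is bound.
function usersWithMinCount(Zend_Db_Adapter_Abstract $db, $rawMin)
{
    return $db->select()->from('wp_users', array('id', 'c' => 'COUNT(*)'))
        ->group('id')->having('COUNT(*) > ?', (int) $rawMin);
}

// 2) ->join: from()/join() quote the table names, but the ON condition is copied in as-is,
// so build it from quoteIdentifier()'d parts instead of concatenating raw strings.
function joinOnKey(Zend_Db_Adapter_Abstract $db, $t1, $t2, $key)
{
    $cond = $db->quoteIdentifier(array($t1, $key)) . ' = ' . $db->quoteIdentifier(array($t2, $key));
    return $db->select()->from($t1)->join($t2, $cond, array());
}

// 9) ->union: only hand Zend_Db_Select objects (or SQL you wrote yourself) to union();
// a string that came from the request would be spliced in unchanged.
function allIds(Zend_Db_Adapter_Abstract $db)
{
    $a = $db->select()->from('wp_users', 'id');
    $b = $db->select()->from('wp_admins', 'id');   // placeholder table name
    return $db->select()->union(array($a, $b));
}

// 7) ->order: FQ, so a backtick cannot break out of the identifier, but the request still
// picks the sort column; accept only whitelisted names rather than relying on quoting.
function orderedUsers(Zend_Db_Adapter_Abstract $db, $rawColumn)
{
    $allowed = array('id', 'login', 'created');   // constructed whitelist for this example
    $column = in_array($rawColumn, $allowed, true) ? $rawColumn : 'id';
    return $db->select()->from('wp_users')->order($column . ' ASC');
}
```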
In practice, such unfiltered data can be found, for example, in AJAX handlers.
P.S. Among other things, this may come in handy for someone at a CTF.
UPD: On point 4: the article is aimed more at specialists who may come across this usage in Zend.