The path to an SQL-injection in Zend Framework

The title may be a little loud, but the question it raises is real.


First


If you follow all the rules, that is, use Zend's internal mechanisms and let the methods prepare the parameters, then at the moment there is no information about any possibility of SQL injection. We are talking about constructions like this:

$select->order($value);

One way or another, such constructions are encountered in practice.

Second


So what is the catch? Even when parameters are passed to these methods without any preparation, the internal mechanisms still prepare them. But not all of them do, and some only partially; that is what this is about.

Even though we have the source code of this library, we will treat it as a "black box"; that makes things clearer. Specifically, the MySQL adapter and the class Zend_Db_Select (the same was tested on PgSQL).

Third


To carry out an injection in Zend, we need to close the preceding backtick (for example, in the case of from: select * from `table`) or the preceding apostrophe (where id = '1'), because Zend follows the rules and, when quoting, opens the necessary "framing" itself. In the first case, passing tab'ble as input gives us ta`ble; in the second, input 1'2 comes out as 1"2.
Again, we are talking about "raw" data passed to the method.

We have three possible cases:

    - FQ — all the parameters are prepared (fully quoted)

    - ZFC — data is not prepared; it "goes" to your tables as it was given (not quoted)

    - PQ — some parameters are processed, some are not (partially quoted)



Let's go in order, following the order of the SQL syntax.

1) ->from — FQ

Code:
$table = "wp_use'rs";
$select = $db->select()->from($table);

[queryString] => SELECT `wp_use`rs`.* FROM `wp_use`rs`

2) ->join — PQ

$table1 = 'tab\'le1';
$table2 = 'tab\'le2';
$key = 'I d';
$data = 'da ta';
$select = $db->select()->from($table1)->join($table2, $table1.'.'.$key.' = '.$table2.'.'.$key, array($data));

[queryString] => SELECT `tab`le1`.*, `tab`le2`.`da`ta` FROM `tab`le1` INNER JOIN `tab`le2` ON tab'le1.I d = tab'le2.I d

3) ->joinUsing — PQ

$table1 = 'tab\'le1';
$table2 = 'tab\'le2';
$key = 'I d';
$column = 'C ol\'u;m"n';

$select = $db->select()->from($table1)->joinUsing($table2, $column);

[queryString] => SELECT `tab`le1`.*, `tab`le2`.* FROM `tab`le1` INNER JOIN `tab`le2` ON `tab`le2`.C ol u m"n = `tab`le1`.C ol u m"n

4) ->where — ZFC

$table = "wp_users";
$select = $db->select()->from($table);
$value = "1)2'3 --";
$select->where($value);

[queryString] => SELECT `wp_users`.* FROM `wp_users` WHERE (1)2'3 --)

5) ->group — FQ

$table = "wp_users";
$value = 'I d';
$select = $db->select()->from($table)->group($value);

[queryString] => SELECT `wp_users`.* FROM `wp_users` GROUP BY `i`d`

6) ->having — ZFC

$table = "wp_users";
$value = 'some_count > 0); hello habr -- 10';
$select = $db->select()->from($table)->having($value);

[queryString] => SELECT `wp_users`.* FROM `wp_users` HAVING (some_count > 0); hello habr -- 10)

7) ->order — FQ

$table = "wp_users";
$value = 'I d';
$select = $db->select()->from($table)->order($value);

[queryString] => SELECT `wp_users`.* FROM `wp_users` ORDER BY `i`d` ASC

8) ->limit — FQ

There is not even any FQ here: the values are cast to int.

$table = "wp_users";
$limit1 = '1; hello -- ';
$limit2 = '2; hello -- ';
$select = $db->select()->from($table)->limit($limit1, $limit2);


[queryString] => SELECT `wp_users`.* FROM `wp_users` LIMIT 1 OFFSET 2

The same goes for ->limitPage().

9) ->union — ZFC

A $db->select object plus a raw string:

$table = "wp_users";
$select = $db->select()->from($table);
$select2 = "select * from ta\"b le`2";
$select3 = $db->select()->union(array($select, $select2));
$db->query($select3);

[queryString] => SELECT `wp_users`.* FROM `wp_users` UNION select * from ta"le b`2

Summary information


FQ: ->from ->group ->order ->limit ->limitPage
PQ: ->join ->joinUsing
NQ: ->where ->having ->union
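As an added example (not code from the article), here is how the three unquoted methods from the summary can be used so that request data never reaches the SQL text raw: values go through Zend's '?' placeholder binding, union() receives only Select objects, and identifiers are resolved against an allow-list. It assumes a configured adapter in $db and the article's wp_users table; the wp_usermeta table and the column names are assumed.

```php
<?php
// Added example, not code from the article. Assumes a configured Zend_Db
// adapter in $db (e.g. Zend_Db::factory('Pdo_Mysql', $config)) and the
// article's `wp_users` table; `wp_usermeta` and the column names are assumed.

// Untrusted request data (constructed sample values, taken from the tests above).
$rawId    = "1)2'3 --";
$rawCount = 'some_count > 0); hello habr -- 10';
$rawUnion = 'select * from ta"b le`2';
$rawOrder = 'I d';

// Resolve a user-supplied column name against an allow-list. Zend quotes
// identifiers in order()/group(), but an allow-list keeps unknown names out
// of the query entirely.
function allowedColumn($candidate, array $allowed, $default)
{
    return in_array($candidate, $allowed, true) ? $candidate : $default;
}

// 1) ->where: never pass the raw string as the whole condition (the NQ case).
//    Bind it through the '?' placeholder so the adapter quotes the value.
$select = $db->select()
    ->from('wp_users')
    ->where('id = ?', $rawId);

// 2) ->having: same placeholder mechanism; the aggregate goes in as a
//    Zend_Db_Expr so it is not treated as a column name.
$select2 = $db->select()
    ->from('wp_users', array('id', 'cnt' => new Zend_Db_Expr('COUNT(*)')))
    ->group('id')
    ->having('COUNT(*) > ?', (int) $rawCount);   // (int) turns the junk into 0

// 3) ->union: pass only Zend_Db_Select objects, never a request string.
//    union(array($first, $rawUnion)) would be the unquoted case from point 9.
$first  = $db->select()->from('wp_users', array('id'));
$second = $db->select()->from('wp_usermeta', array('user_id'));
$union  = $db->select()->union(array($first, $second));

// 4) ->order: identifier from the allow-list, not from the request verbatim.
$select->order(allowedColumn($rawOrder, array('id', 'user_login'), 'id'));

foreach (array($select, $select2, $union) as $s) {
    echo $s->assemble(), PHP_EOL;   // inspect the SQL before running it
}
```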

In practice, such data can turn up, for example, in AJAX handlers.

P. S. Among other things, this may come in handy for someone at a CTF.

UPD: Point 4: the article is aimed more at specialists who may come across an application built on Zend.
Article based on information from habrahabr.ru
