When user data enters a query under the LIKE operator, you should be extremely careful.
None of the filtering functions, including mysql_real_escape_string, and not even prepared statements, will protect against logic errors caused by wildcard characters: they prevent the query syntax from being broken, not the pattern from being altered.
In our web application auditing practice, this error occurs in roughly every fifth web application vulnerable to SQL injection (19.3%).
The LIKE operator is used for inexact (pattern) matching on string types.
The operator syntax allows wildcard semantics, where
% replaces the classic * (a sequence of any characters, including none)
_ replaces the classic ? (exactly one character)
A common mistake of developers is that the % and _ characters are not filtered out of user data before it is placed in the SQL query. Yes, in this case it is impossible to break the syntax of the query, that is, to inject operators, but the logic of the web application may suffer: the user controls what the pattern matches.
A common misconception is also to assume that the vulnerability is stopped by requiring a minimum string length.
The SQL query
SELECT asd FROM t1 WHERE name LIKE '%%%%%%%%%%%%%%%%%%%%%%%%%%%'
works exactly the same as
SELECT asd FROM t1 WHERE name LIKE '%%'
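The following is an added example (not code from the original article) showing both halves of the point above: a bound parameter still lets % and _ through, a minimum-length check does not help because a run of % collapses to a single wildcard, and escaping the wildcards with an ESCAPE clause makes the input match literally. It uses Python's built-in sqlite3 with constructed sample rows; the table, column and function names are assumptions for the demo, and the same ESCAPE syntax exists in MySQL.

```python
import sqlite3

# Constructed sample data for the demo (not from the article).
ROWS = ["alice", "bob", "100% cotton", "a_b", "carol"]


def escape_like(term: str, escape_char: str = "\\") -> str:
    """Escape LIKE wildcards so the user's text is matched literally.

    The escape character itself is doubled first, so an attacker cannot
    neutralise the escape applied to a following % or _.
    """
    return (term.replace(escape_char, escape_char * 2)
                .replace("%", escape_char + "%")
                .replace("_", escape_char + "_"))


def _connect() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t1 (name TEXT)")
    con.executemany("INSERT INTO t1 VALUES (?)", [(r,) for r in ROWS])
    return con


def search_unsafe(term: str) -> list:
    """Parameter is bound (no syntax injection), but wildcards in `term`
    still change what the pattern matches: the logic flaw the text describes."""
    con = _connect()
    pattern = "%" + term + "%"
    rows = con.execute("SELECT name FROM t1 WHERE name LIKE ?", (pattern,))
    return sorted(r[0] for r in rows)


def search_safe(term: str) -> list:
    """Same query, but % and _ in `term` are escaped and the query declares
    the escape character, so only a literal occurrence of the text matches."""
    con = _connect()
    pattern = "%" + escape_like(term) + "%"
    rows = con.execute(
        r"SELECT name FROM t1 WHERE name LIKE ? ESCAPE '\'", (pattern,)
    )
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    # A minimum-length check would accept this input, yet it matches every row.
    print(search_unsafe("%%%%%%%%"))   # all five names
    print(search_unsafe("_"))          # all five names: _ matches any char
    print(search_safe("_"))            # only the row containing a literal '_'
    print(search_safe("%"))            # only the row containing a literal '%'
```

search_unsafe is the "before" case: the driver binds the string safely, so there is no classic SQL injection, but the result set is fully under the caller's control. search_safe keeps the same query shape and only changes what the bound value means.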
But even if there is no logic error in the application, you should not let a wildcard through where it is clearly not required. After all, everyone knows that LIKE queries are slow, and with a full wildcard in LIKE they are slower still.
This can be used for DoS, DDoS, or for extracting information from the server by provoking error messages (such as exceeding max_execution_time).