Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Have I found an SQL injection bug in SQL server?

So I was playing with my MS SQL Server 2008 app to see how good it is protected against SQL injections. The app lets users to create views in the database.

Now consider the following:

create view dbo.[]]; drop database foo--] as select 1 as [hi!]

This creates a view with a name of ]; drop database foo--. It is valid and you can select from it (returns the number 1, obviously).

Strange thing #1:

In SQL Management Studio, the query SELECT [hi!] FROM [dbo].[]]; drop database foo--] is red-underlined as incorrect, claiming that the object name is not valid. Nevertheless, it executes and returns the 1.

Strange thing #2:

Call to OBJECT_ID(']; drop database foo--') yields NULL (which means the object does not exist), but the following query returns information about the view properly:

select * from sys.objects where name = ']; drop database foo--';

Are those bugs or am I missing a point?

like image 496
GSerg Avatar asked Nov 29 '22 11:11

GSerg


1 Answers

You're missing the point. SQL Server can't protect itself against SQL injection - if somebody has direct access to your database then you've already been pwned. It's your application that needs to protect against SQL injection by parameterizing queries, and preventing these kinds of statements from ever making it to the database.

like image 111
Aaronaught Avatar answered Dec 11 '22 11:12

Aaronaught