How inline comments bypassing SQL Injection Web Application Firewalls? - mysql

A normal UNION based SQL Injection can be blocked using the WAF, which filter keywords like UNION, SELECT. But I've that it can be bypassed by the inline comment statements of SQL such as /*!UNION*/ and /*!SELECT*/
Comment statements are meant for only reading purpose, right? If so, how a SQL server reads the injection query inside the comments and executes it?

Filtering keywords with a WAF is pointless. There is no way it could possibly succeed. Take a look at this list of ways to bypass it: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ (And I found that link in just a few seconds with google.)
If the code was written correctly, it would not be necessary.
As for your question the /*! syntax of MySQL is for MySQL specific commands. It's intended for you to be able to write portable SQL (that can run on any database) and yet still be able to send MySQL special commands.

SQL injection should not be an issue at all if you're using a database driver that supports placeholders for data. What you'd be trying to do with an after-the-fact detection is futile, like trying to eradicate a roach infestation with a ratty fly-swatter. You can't possibly get them all.
The best practice is to ensure it's impossible to inject hostile data into your queries in the first place. There are many examples available on Booby Tables that illustrate how to do this properly.

Commenting out partial query by not closing them can be used for bypassing blacklisting, removing spaces, obfuscating and determining database versions.
The one that you've mentioned is a special comment syntax for MySQL. If you put a code into this comments it's going to execute in MySQL only. Also you can use this to execute some code only if the server is higher than supplied version. For example:
Classical Inline Comment SQL Injection Attack Samples
ID: /*!32302 10*/
ID: 10
You will get the same response if MySQL version is higher than 3.23.02

Related

Run SQL inline queries on Mediawiki

I would like to be able to run SQL queries in pages of a Mediawiki (inline queries). I am not even sure if this is possible or if we can do it only through SSH. I find information provided by MediaWiki pretty confusing for a new user.
As far as i am concerned, the SQL queries are wrapped for security reasons, so syntax will not be SQL exactly.
The questions would be:
Can we make inline SQL (or wrapped SQL) queries in Mediawiki pages? If yes, how? If not, is there a 'similar' alternative for it? (For example, creating a function with the query in it an accessing it). Please, provide examples if possible and take in account i am not familiar with Mediawiki data structure.
Let´s assume, for example, that i want to know all pages created by a users named 'user1' and 'user2'.
Also, if there is an extension which helps with this it would be worth mentioning.
I am using wampserver3.0.6_x64, apache2.4.23, mysql5.7.14 and php5.6.25.
After searching for a while, i tested 2 extensions which in conjuction can work very well for this task:
Cargo
And Page forms
Cargo allows you creating SQL tables which work independently from other MW content (meaning that you will have to introduce info in these tables using a wrapped SQL syntax, recommendedly through forms which call templates with the query).

Why should a WebSQL database be protected against SQL injection, if it can be edited with the development console?

I am developing a client-side only web application for learning purpose, using WebSQL to store and query data, and Javascript to process it. WebSQL is not mantained anymore, but the question may be valid for all client side databases.
In the proposed specification for WebSQL from the W3C, §8.5 recommends a specific syntax (parameterized queries using ? as placeholder for values) to avoid SQL injection attacks.
Given that the user is free to modify the Javascript code used in the web page, including SQL statements (or alter the database using the development Console or other browser tools) why should the program be prepared to avoid SQL injections?
I found three StackOverflow questions related to SQL injection in WebSQL, this one, this one and this answer but none of them highlights why SQL injection is a concern on client side databases.
May someone else has a clear motivation, why SQL injection is a concern on client side databases?
SQL injection makes sense when considering unwanted third party operations on the database.
A client-side web application involves:
the developer, who designs the database and SQL statements;
the user, who can modify them using browser tools;
third-party scripts, such as libraries, which cannot access the application database.
Actually, databases are specific to one origin, so that a script cannot open a database belonging to an other origin:
If no database with the given name from the origin origin exists, then create the database
(§4.1 of the WebSQL W3C specification)
A third party attack script may use the DOM of the page to fill in form inputs with attack code, which will be injected when the form is submitted (possibly by the attacker itself, calling the submit() method of the form element). To avoid this, use parameterized queries: user input will never be interpreted as SQL code.
I would say that "an SQL injection attack" is distinct from a "I'm gonna modify the program, or better yet, just write my own" attack.
Yes, you are entirely correct in observing that a user can do anything he wants to, to a database and to software source-code that winds up on his computer. But, this is not an "SQL injection."
"SQL injection," I think, represents any case where an outsider effectively modifies the database structure or content from the outside, and without directly modifying the source-code or supplying new source-code of his own.
It could well be argued, as essentially you just did, that SQL injection is much less likely to occur with regard to a database that exists only on the client computer. I think that your argument is sustained. But, I don't think that this is a successful argument for abandoning the use of parameters. I flatly recommend that one should never insert literal, externally-provided values into any SQL string, "period."

Is there a way to disable the mysql -- comment syntax?

I recently had to investigate an SQL incursion and noticed how -- is a great help for an attacker. Considering it's not a very useful instrument in many web environments, but seems to add to the damage potential of such vulnerabilities, why not disable it? I couldn't find a way, hence the question.
It is not possible to disable SQL comment parsing.
The correct solution is to ensure your application does not allow it to occur by always escaping user input, or better yet by using parametrised queries of some kind whether directly through the MySQL server API or through a user library that does it client-side.
Disabling comments may help a little, but it is very easy to do SQL injection without them, they can simply write the start of another complete query instead of commenting out the remainder of the statement.
If that is not practical for some reason, you may be able to consider the MySQL Enterprise Firewall (this is a commercial product and not open source) which allows you to setup a query whitelist:
https://www.mysql.com/products/enterprise/firewall.html

MySQL SQL/DDL parser/validator in Ruby (on Rails)

I am looking for a tool or a library for Rails to validate/parse queries that could be SQL and/or DDL. Currently, I did not find anything that I could use quickly and easily.
I found Parslet that I can use to define my own SQL/DDL language to validate SQL/DDL statements.
The goal to reach is to have a tool that we can use to validate the SQL/DDL syntax before any run on the database. For example, DDL queries are not transactional with MySQL and therefore, if one statement fails at the middle of a bigger script, we need to restore the database or run the script from the failure point (that is not really userfriendly). If we can, at least, validate the syntax, we will improve our daily work by removing a lot of "stupid" errors.
This post lists a few Ruby SQL parsers you might be interested in taking a look at. This one in particular has a Treetop grammar file you could probably use as a base for your own validations.

Is it possible to write a SQL script for both MySQL and PostgreSQL?

I'd like to write a single SQL script that will run on a default installation of either MySQL or PostgreSQL (versions 5.5 and 9.0, respectively). Is this possible?
I can almost do it by adding SET SESSION sql_mode='ANSI'; to the start of the script and using standard ANSI queries, but that line isn't valid for PostgreSQL. I could tell PostgreSQL to continue on errors, but It'd be nice to have a script that runs without error.
Try using conditional comments:
/*! SET SESSION sql_mode='ANSI'; */
PostgreSQL will ignore it, MySQL will run it. For more information see the docs.
Update: If you want to include commands that are run only on PostgreSQL but not on MySQL, you can exploit the fact that PostgreSQL supports nested comments, and MySQL doesn't. The following example shows how this could be used:
/*! SELECT 'MySQL' rdbms_type; */
/*/**/-- */ SELECT 'postgres' AS rdbms_type;
But this would probably make the file very difficult to read.
Is it possible to write a SQL script for both MySQL and PostgreSQL?
Yes.
Next question, please!
...
Okay, in all seriousness, it's totally doable, but you have to be aware of the things that each does differently. For example, if you need to use a bytea in PG, but a BLOB in MySQL, you're going to have a really fun time getting the encoding/escaping correct. Then there's things like fulltext searching. PG has it built in, MySQL has it built in to only one table type (MyISAM, the sucky one), and the syntax is totally different. And this doesn't even touch character sets and collations.
If you limit yourself to simple CRUD operations, you're probably good to go. Heck, if you've done your job right, you can also probably use the same exact code to talk to SQLite and MSSQL (when switched to ANSI mode).
Once you even get moderately complex, your code is going to need to at least be aware of the underlying database to work around the small behavior and syntax differences. The important part is that the majority of your queries can be shared between underlying databases without any modification whatsoever if you construct them properly.
I think you are in for a one-by-one feature comparison. I didn't read the whole link but I think it might be usefull in your quest.
http://troels.arvin.dk/db/rdbms/
Set the mode in the server not in the script:
You can set the default SQL mode by starting mysqld with the --sql-mode="modes" option, or by using sql-mode="modes" in my.cnf (Unix operating systems) or my.ini (Windows).
http://dev.mysql.com/doc/refman/5.5/en/server-sql-mode.html
Obviously in the script your going to have use the lowest common dominator of features that both accept. MySQL is also known to have the most standard compliant parser but that does not mean it actually mean it will do anything (Good way to get Gotcha'd since the scripts will both work but behaviour may be totally different). Postgresql is not 'ansi' compliant either. It may come the closest but it has plenty of things unique to itself. Does not seem like an ideal way.
ORM's work hard at doing this same kind of thing - taking the pain out of it.
Adding
SET SESSION sql_mode='ANSI';
Without the conditions (?) solves the ulogin php library install problem.
Also helpful to add use database; if you already created it on the command line.