We had a system interface between a public web server and a SQL database that 
ran pre-formed SQL commands.

The table was specified, the variables were typed, the output was processed by 
XSLT, etc. 

The public server called a function that included the variables and got back 
whatever the XSLT produced. Each variable was checked to make sure it conformed 
to the type of data that variable could contain. Integer, Float, String, 
Boolean, etc. Strings were not allowed to have quotes in them, and some strings 
were optionally length limited.

We had a SQL table with these canned queries and an internal interface for 
building them. Each command also had a sample output so that if someone was 
using the command as part of a test, it would reply with the desired test data 
and not actually affect the SQL database.

SQL injection is just amazing to watch. I once saw a demonstration of a bank in 
India. In the login, they added SQL to the password field and got back a list 
of all the tables in the database. Very scary.

Kee

> On Jul 15, 2018, at 2:31 PM, J. Landman Gay via use-livecode 
> <use-livecode@lists.runrev.com> wrote:
> 
> I suspect the paranoid among us already know this, but I didn't realize it 
> was quite so easy:
> 
> https://null-byte.wonderhowto.com/how-to/use-command-injection-pop-reverse-shell-web-server-0185760/
> 
> -- 
> Jacqueline Landman Gay         |     jac...@hyperactivesw.com
> HyperActive Software           |     http://www.hyperactivesw.com
> 
> _______________________________________________
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription 
> preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
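The design Kee describes above (a table of pre-formed queries, each parameter 
checked against a declared type, quotes refused in strings, and a stored sample 
output returned in test mode) and the password-field injection from the bank 
demo, worked through as an added example. This is not Kee's code or anything 
from the LiveCode project; it uses Python's built-in sqlite3 module, and the 
table names, query names, users and sample rows are all made up for 
illustration. The vulnerable login splices the attacker's text into the SQL 
and hands back the table list; the canned-query path rejects the payload before 
it reaches the database, and even a quote-free payload is only ever bound as a 
literal value.

```python
"""Canned-query interface with typed parameters, beside the string-concatenation
login it replaces. Constructed example: every name and row below is made up."""
import json
import sqlite3

# Constructed schema: one application table plus the table of pre-formed queries.
SCHEMA = """
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('alice', 'correct horse');
INSERT INTO users VALUES ('bob', 'battery staple');
CREATE TABLE canned_queries (
    name TEXT PRIMARY KEY,
    sql TEXT,            -- uses ? placeholders, never concatenation
    params TEXT,         -- JSON list of [name, type, max_len_or_null]
    sample_output TEXT   -- JSON rows handed back in test mode
);
INSERT INTO canned_queries VALUES (
    'login',
    'SELECT username FROM users WHERE username = ? AND password = ?',
    '[["username", "string", 32], ["password", "string", 128]]',
    '[["testuser"]]'
);
INSERT INTO canned_queries VALUES (
    'user_count',
    'SELECT COUNT(*) FROM users WHERE LENGTH(username) >= ?',
    '[["min_len", "integer", null]]',
    '[[42]]'
);
"""

# Payload of the kind used in the bank demo: closes the string, UNIONs in the
# catalogue (sqlite_master here), comments out the trailing quote.
TABLE_DUMP = "x' UNION SELECT name FROM sqlite_master WHERE type='table' --"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username, password):
    """The broken pattern: attacker-controlled text becomes part of the SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def check_param(value, ptype, max_len):
    """Refuse anything that does not conform to the declared type."""
    if ptype == "integer":
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError("expected integer")
        return value
    if ptype == "float":
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise ValueError("expected float")
        return float(value)
    if ptype == "boolean":
        if not isinstance(value, bool):
            raise ValueError("expected boolean")
        return int(value)
    if ptype == "string":
        if not isinstance(value, str):
            raise ValueError("expected string")
        if "'" in value or '"' in value:
            raise ValueError("quotes not allowed in string parameters")
        if max_len is not None and len(value) > max_len:
            raise ValueError("string longer than %d characters" % max_len)
        return value
    raise ValueError("unknown parameter type %r" % ptype)


def run_canned(conn, name, args, test_mode=False):
    """Look up a pre-formed query by name, type-check its arguments, and run it
    with bound parameters. In test mode the arguments are still checked but the
    stored sample output is returned and the database is not touched."""
    row = conn.execute(
        "SELECT sql, params, sample_output FROM canned_queries WHERE name = ?",
        (name,)).fetchone()
    if row is None:
        raise KeyError("no canned query named %r" % name)
    sql, params, sample = row
    spec = json.loads(params)
    if set(args) != {p[0] for p in spec}:
        raise ValueError("argument names do not match the query definition")
    bound = [check_param(args[pname], ptype, max_len)
             for pname, ptype, max_len in spec]
    if test_mode:
        return [tuple(r) for r in json.loads(sample)]
    return [tuple(r) for r in conn.execute(sql, bound)]


def is_rejected(conn, name, args):
    """True when the typed-parameter check refuses the arguments."""
    try:
        run_canned(conn, name, args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    print("vulnerable login leaks:", login_vulnerable(db, "alice", TABLE_DUMP))
    print("canned login rejects payload:",
          is_rejected(db, "login", {"username": "alice", "password": TABLE_DUMP}))
    print("canned login, test mode:",
          run_canned(db, "login", {"username": "alice", "password": "x"}, True))
```

The quote check is the belt and the bound parameters are the braces: the 
second assertion-style case in the block (a payload with no quotes at all) 
still returns no rows, because the driver only ever compares it as a value. The 
sample_output column is what lets a front-end developer exercise the command 
without writing to the real tables.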

