Stories
Slash Boxes
Comments

NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

use Perl

All the Perl that's Practical to Extract and Report

use Perl Log In

[ Create a new account ]

Ovid (2709)

Ovid
(email not shown publicly)
http://publius-ovidius.livejournal.com/
AOL IM: ovidperl (Add Buddy, Send Message)

Stuff with the Perl Foundation. A couple of patches in the Perl core. A few CPAN modules. That about sums it up.

Journal of Ovid (2709)

Monday August 20, 2007

08:11 AM

Finding SQL Injection Attacks with 'ack'

[ #34160 ]

We are evaluating a third party application. I just ran the following command:

$ ack -i '\b(?:select|update|insert|delete)\b.*\$' \ --php include |wc -l 307

A cursory scan indicates that many of those results are, in fact, very dodgy SQL embedding variables directly in SQL rather than using placeholders. Hmm, how many files is that?

$ ack -il '\b(?:select|update|insert|delete)\b.*\$' \ --php include |wc -l 92

Needless to say, I don't feel terribly comfortable with this application, but I love ack. This isn't the final nail in the coffin for this application as it's possible that all of these variables are well-sanitized, by for crying out loud, use your frickin' placeholders in SQL! Of course, with 92 potentially vulnerable files, trying to verify that everything is safe seems more trouble than it's worth.

Update: we're not going to use this software. Using this as a starting point, we started digging into the code. One of the final nails was this bit of code (munged to hide the identify of the folks we'll be contacting):

function createInsertForSQL($columns) { $values = ''; foreach ( $columns as $column ) { if ( $values != '' ) { $values .= ', '; } $values .= $column; } return $values; }

I see at least two bugs there, both of which could be very serious.

List all Journal entries

Finding SQL Injection Attacks with 'ack' More | Login | Reply

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Without JavaScript enabled, you might want to use the classic discussion system instead. If you login, you can remember this preference.

Yay Perl (Score:2)

by petdance (2468)

There's something to having real honest-to-Larry Perl regexes, isn't there? You could also use -o to output the regexes that match, if you want, so you could have it spew the offending code.

--
--
xoa
Ack rocks but... (Score:1)

by stu42j (6348)

I love ack too but I still like the idea of a grep replacement that understands Perl. Are you going to continue with pgrep (or whatever, I like 'grepl')? Or perhaps it could be an optional add-on for ack?
- Re: (Score:2)
  
  by Ovid (2709)
  
  I will continue working on it. I do like the grepl name. And a cursory Google search show that it appears to be available :)
  
  As for working with ack. you'd have to talk to Andy about that. I've made it pretty extensible, but it's really his call if he wants to find a way to integrate it.
  - Re: (Score:1)
    
    by jjore (6662)
    
    I'm hoping you change pgrep's name to ppgrep or ppigrep because pgrep is already taken by the grep from the "unix tools in perl" project and that's got several years of precedence.
    - Re: (Score:2)
      
      by Ovid (2709)
      
      Hated ppgrep and ppigrep won't make much sense if I ever update this for Perl 6 (which I would love to do, years from now). However, grepl (grep + pl) has been suggested and I love it. It makes perfect sense.

Get More Comments

Reply

use Perl

All the Perl that's Practical to Extract and Report

Navigation

use Perl Log In

Ovid (2709)

Journal of Ovid (2709)

Finding SQL Injection Attacks with 'ack'

Finding SQL Injection Attacks with 'ack' 5 Comments More | Login | Reply /

Please Log In to Continue

Yay Perl (Score:2)

Ack rocks but... (Score:1)

Re: (Score:2)

Re: (Score:1)

Re: (Score:2)