45
iran
20d

This fucking stupid asshole developer, wrote every single SQL execution with string formatting. Made me a full sleepless night fixing this shit. Isn’t this a classical SQL injection sample?

Comments
  • 1
    Sql injection is only possible if there is unquoted user input in the query. The fields being submitted clientside seem to be mostly quoted here chief.
  • 7
    @nitwhiz Not true.

    netikras@netikras-xps:~$ python3
    Python 3.6.8 (default, Oct 7 2019, 12:59:55)
    [GCC 8.3.0] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> a="""SELECT * from USER where USERNAME='{uname}' AND PWHASH='{hash}'""".format(uname="myuname';drop table user;--", hash="deadbeef") ; a
    "SELECT * from USER where USERNAME='myuname';drop table user;--' AND PWHASH='deadbeef'"
    >>>

    This example IS a subject for a SQLi attack.
  • 5
    @nitwhiz wow, seems you are not worried enough. God bless your employers.
  • 0
    That is some unconventional use of CTE.
  • 0
    @netikras I'm sorry but I'd totally say that's a problem on pythons side, as this doesn't work for me in my php environment.^^
  • 0
    Holy shit that's bad.
    I'm assuming that the comment body is not sanitized. If it isn't, that indeed is an SQL Injection.
  • 2
    Yup, unless those data['body'] and data['stream_sec'] are properly escaped, it is a textbook SQL injection vulnerability.

    @nitwhiz that's not a python issue, you can totally have the same sort of issue in PHP, or any other language for that matter. Every language and every DB as ways to deal with that securely. Apparently the dev in question didn't bother to find out what he should use.
  • 3
    @nitwhiz no it's not. If you can't dance you should not blame your testies for getting in a way.

    Python's .format does one thing. Php's -- a bit different. There's a reason these languages are called differen't names, ain't it? After all I'd be pissed if .format did anything more but replace placeholders. It's a violation of SRP.

    Now back to the topic. A prepared statement should be used in cases like OP's. They completely solve this problem and you still get to use placeholders.
  • 1
    @netikras I just saw it, I apologize @iran, I took escaped quotes for granted
  • 0
    I’m not that into python, but I’m pretty sure that there is a ORM lib for that, so you shouln’t need to worry about SQLi, should you ?
  • 1
    How would you write SQL queries without an ORM?

    Just asking, rookie here.
  • 0
    @nitwhiz bullshit. Quoting only helps if the database drivers quote function is used. That one escapes ' for example and b other nastyness. I hope you go ahead and did your codebase 😅.
    Your php codebase that is. Use PDO or some other layer that helps safely insert your variable data. Using it in sprintf or plain interpolation/concatenation will fuckups you up in any language.
  • 1
    class ReplyToComment haha

    Also, gotta love DB access and HTTP response stuff in the same method, fuck separation.
  • 2
    THE HORROR!

    Orm's, F strings... has he not heard of such things?!
  • 1
    Wait... I've just noticed the returns...

    They're not returning anything. Ever. He's constructing a response then just... not using it?
  • 1
    @Charon92 in this case actually return means to stop here. Falcon does not use function return, it uses it’s response and req object.
    Classic OO shit.
  • 1
    @iran

    Ahhh I was wondering if it was just Falcon.

    That's so weird, I get so lost when functions don't return anything.
  • 0
    Its possible to sql inject even prepared statements in some cases.
Add Comment