SQLi
SQLi in ORDER BY
Just look at how cool a SQLi in ORDER BY looks in Ruby on Rails code:
Client.order(params[:sort])
(With a symbol, as in Client.order(:first_name), the argument is a column name and is quoted as such; the problem is a string that comes straight from the request.) After such a call the Active Record Query Interface builds roughly the following query:
'SELECT * FROM clients ORDER BY #{params[:sort]}'
, where #{params[:sort]} is user input.
The .order() method neither filters nor escapes a raw string it is given (Rails 6.1 and later raise ActiveRecord::UnknownAttributeReference for a string that is not a plain column name unless it is explicitly wrapped in Arel.sql; older versions interpolate it verbatim). So in this case we can easily turn it into a Blind SQLi with a subquery like (MySQL syntax):
ORDER BY 1,(SELECT SLEEP(5))
, from which Boolean-based, Time-based and other techniques follow.
P.S. Why is this cool?!
Because a developer writing this code does not even suspect that an .order() call fed a request parameter leads to SQLi. Nothing here catches the eye: no concatenation, no obviously dangerous functions, and so on.
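The vulnerable and the hardened handling of a sort parameter side by side, as an added example that is not code from the original page. It is plain Ruby (no ActiveRecord needed to run it); the helper names, the column allowlist and the attacker payload are constructed for the illustration, and the SQL strings are built by hand to show what would reach the database.

```ruby
# Added example (not code from the original page): a vulnerable and a
# hardened way to turn a request's sort parameter into an ORDER BY clause.
# Plain Ruby, so it runs without ActiveRecord; the SQL strings are built
# by hand to show what reaches the database.

# Constructed attacker input: a MySQL time-based probe for the ORDER BY position.
PAYLOAD = "1,(SELECT SLEEP(5))".freeze

# Vulnerable: the parameter is interpolated verbatim, which is what
# Client.order(params[:sort]) does with a raw string in older Rails.
def unsafe_order_sql(sort_param)
  "SELECT * FROM clients ORDER BY #{sort_param}"
end

# Hardened: map the request value onto an allowlist of columns and directions.
# Anything else falls back to the default, so no user text reaches the SQL.
ALLOWED_SORT_COLUMNS = %w[id first_name last_name created_at].freeze
ALLOWED_DIRECTIONS   = %w[asc desc].freeze

# Returns a one-entry hash such as { "last_name" => "desc" }. In Rails this
# is the value to pass as Client.order(column => direction), the hash form,
# which quotes the column as an identifier instead of splicing raw SQL.
def safe_order_clause(sort_param, default_column: "id")
  column, direction = sort_param.to_s.strip.split(/\s+/, 2)
  column    = default_column unless ALLOWED_SORT_COLUMNS.include?(column)
  direction = ALLOWED_DIRECTIONS.include?(direction.to_s.downcase) ? direction.downcase : "asc"
  { column => direction }
end

# Hand-built equivalent of what the hash form produces (MySQL identifier quoting).
def safe_order_sql(sort_param)
  column, direction = safe_order_clause(sort_param).first
  "SELECT * FROM clients ORDER BY `#{column}` #{direction.upcase}"
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_order_sql(PAYLOAD)      # the SLEEP subquery goes straight to the DB
  puts safe_order_sql(PAYLOAD)        # falls back to ORDER BY `id` ASC
  puts safe_order_sql("last_name desc")
end
```

The allowlist approach is deliberately stricter than escaping: an ORDER BY position cannot be parameterised with a bind placeholder, so the only robust fix is to never let request text become part of the clause at all.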
SQLi: Active Record – Rails ORM
What SQLi looks like in code
# Unsafe where: user input concatenated into the SQL fragment
def index
...
name = params[:name]
@projects = Project.where("name like '" + name + "'")
...
end
# Unsafe
st = ActiveRecord::Base.connection.raw_connection.prepare(
"select * from users where email = '#{email}'"
)
results = st.execute
st.close
# Safe
st = ActiveRecord::Base.connection.raw_connection.prepare(
"select * from users where email = ?"
)
results = st.execute(email)
st.close
# Unsafe exists
User.exists? params[:user]
# For Example: ?user[]=1 ->
SELECT 1 AS one FROM "users" WHERE (1) LIMIT 1
# Unsafe find_by
params[:id] = "admin = 't'"
User.find_by params[:id]
# -> SELECT "users".* FROM "users" WHERE (admin = 't') LIMIT 1
# Unsafe from
params[:from] = "users WHERE admin = 't' OR 1=?;"
User.from(params[:from]).where(admin: false)
# Unsafe group
params[:group] = "name UNION SELECT * FROM users"
User.where(:admin => false).group(params[:group])
# ...
In general, you need to review every call on objects inheriting from ActiveRecord::Base and check how they are queried through the built-in methods where, find_by, exists?, order, group, from and the like.
More details and examples: https://rails-sqli.org/ https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet
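A small audit script for the review step described above, as an added example that is not code from the original page. It scans Ruby source for the Active Record query methods listed on this page and flags a call whose first argument is a raw params[...] value, an interpolated string or a concatenated string. The method list, the heuristics and the sample controller code are constructed for this example; it is a triage aid for manual review, not a substitute for a dedicated scanner such as brakeman.

```ruby
# Added example (not code from the original page): a small audit script for
# the review step above. It scans Ruby source for Active Record query methods
# whose first argument is a raw params[...] value, an interpolated string or a
# concatenated string. The method list, heuristics and sample source are
# constructed for this example; treat it as a triage aid for manual review.

RISKY_METHODS = %w[where order group from having select joins find_by exists? pluck].freeze
METHOD_RE = /\.(#{RISKY_METHODS.map { |m| Regexp.escape(m) }.join('|')})(?=[\s(])/

# Only the first argument is inspected, so bound placeholders such as
# where("name LIKE ?", "%#{name}%") and hash conditions are not reported.
def risky_reason(args)
  return "raw params value as the argument"     if args.start_with?("params[")
  return "string interpolation in SQL fragment" if args.match?(/\A"[^"]*\#\{/)
  return "string concatenation in SQL fragment" if args.match?(/\A"[^"]*"\s*\+|\A'[^']*'\s*\+/)
  nil
end

# Every risky-method call on one line, with the reason it was flagged.
def audit_line(line)
  findings = []
  line.scan(METHOD_RE) do
    match  = Regexp.last_match
    args   = match.post_match.sub(/\A\s*\(?\s*/, "")
    reason = risky_reason(args)
    findings << { method: match[1], reason: reason } if reason
  end
  findings
end

# Findings for a whole file, each tagged with its line number and source text.
def audit_source(source)
  source.each_line.with_index(1).flat_map do |line, lineno|
    next [] if line.strip.start_with?("#")
    audit_line(line).map { |f| f.merge(line: lineno, code: line.strip) }
  end
end

# Constructed sample controller code mixing unsafe and safe call styles.
SAMPLE_SOURCE = <<~'RUBY'
  # constructed sample controller code
  @projects = Project.where("name like '" + name + "'")
  @users    = User.where(name: params[:name])
  @sorted   = Client.order(params[:sort])
  @safe     = Client.order(first_name: :asc)
  @grouped  = User.where(admin: false).group(params[:group])
  @bound    = Project.where("name LIKE ?", "%#{name}%")
  @probe    = User.exists? params[:user]
  @legacy   = User.where("email = '#{params[:email]}'")
RUBY

if __FILE__ == $PROGRAM_NAME
  audit_source(SAMPLE_SOURCE).each do |f|
    puts "line #{f[:line]}: #{f[:method]} - #{f[:reason]}: #{f[:code]}"
  end
end
```

On the sample above the script reports the concatenated where, the order/group/exists? calls fed a raw params value and the interpolated where, and stays quiet on the hash conditions and the bound-placeholder where. Because the check is line-based and only looks at the first argument, a fragment built into a variable a few lines earlier will be missed; that is exactly the case the manual review still has to cover.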