blog.area23.at - a simple url encoder/decoder

 a simple url encoder/decoder
 http://blog.area23.at

Labels

Wirtschaft (116) Österreich (91) Pressefreiheit (65) IT (47) Staatsschulden (29) code (25) EZB (19) Pensionssystem (12) France (1) music (1)

2012-05-16

Simple Html Injection Detection for MS-SQL

A very simple prototype how html injection detection can be made on Microsoft SQLServer.
Please notice, that a full content injection detection is much more complex...

If Exists(Select Top 1 object_id 
  From tempdb.sys.tables Where name = '##InjWatch'
)
  Delete From ##InjWatch
Else
  Create Table ##InjWatch(
    ctext varchar(max), tab varchar(768), col varchar(768)
  );
GO 

Set TRANSACTION ISOLATION LEVEL read uncommitted;

Declare
 CheckHtmlInjectCursor Cursor FAST_FORWARD READ_ONLY For 
  Select
    'Cast([' + c.name + '] As nvarchar(Max))' As c_cast,
    c.name As c_name, '' +
    s.name + '.[' +T.name + ']' As sT_name
  From sys.tables T
  Inner Join sys.columns c On c.object_id = T.object_id
    And c.max_length > 16
    And c.system_type_id In (
      Select system_type_id From sys.types Where name In (     
      -- TODO: check XML, 'user defined' string & binary types :(
        'varchar''nvarchar''char''nchar''text''ntext'   
      )
    ) 
  Inner Join sys.schemas s On s.schema_id = T.schema_id

Declare @c_cast varchar(1024),
        @c_name varchar(768), @sT_name varchar(768)
Open CheckHtmlInjectCursor
  Fetch Next From CheckHtmlInjectCursor 
    Into @c_cast, @c_name, @sT_name

  While
 (@@FETCH_STATUS = 0)
  Begin
    Declare @execSQL nvarchar(max
    Set @execSQL = 
    'Insert Into ##InjWatch(ctext, tab, col) ' + 
    'Select ' + @c_cast + ' As ctext, ''' + 
                @sT_name + ''' As tab, ''' +
                @c_name + ''' As col ' + 
    'From   ' + @sT_name + ' ' 
    'Where (' + @c_cast + ' Like ''%<%'' And + 
                @c_cast + Like  ''%>%'') ' + 
    '  Or   ' + @c_cast + Like  ''%script:%''+ 
    '  Or   ' + @c_cast + ' Like ''%://%''' + 
    '  Or   ' + @c_cast + ' Like ''%href%''' 
    '  Or   ' + @c_cast + ' Like ''%return%'''   

    Execute sp_executesql @execSQL; 
  
    Fetch Next From CheckHtmlInjectCursor 
      Into @c_cast, @c_name, @sT_name 
  End 

Close CheckHtmlInjectCursor 
Deallocate CheckHtmlInjectCursor 


Select Distinct * From ##InjWatch 
GO

Mysql Sample:
/* CREATE TEMPORARY TABLE Test.HtmlSQLInjection (
 Content Varchar(1024) NULL
    , TableName VARCHAR(512) NOT NULL
    , ColumnName VARCHAR(512) NOT NULL
    , SchemaName VARCHAR(512) NOT NULL
); */


USE test;
DELIMITER $$
DROP PROCEDURE IF EXISTS  cursor_proc $$
CREATE PROCEDURE cursor_proc()
BEGIN

DECLARE v_done INTEGER DEFAULT 0;
DECLARE v_s VARCHAR(512) DEFAULT '';
DECLARE v_t VARCHAR(512) DEFAULT '';
DECLARE v_c VARCHAR(512) DEFAULT '';
DECLARE v_queryString VARCHAR(1024) DEFAULT '';
DECLARE CheckHtmlInjectCursor CURSOR FOR 
 select  
  information_schema.TABLES.TABLE_SCHEMA, 
        information_schema.TABLES.TABLE_NAME,
        information_schema.COLUMNS.COLUMN_NAME
 From information_schema.TABLES CALL `test`.`cursor_proc`();
CALL `test`.`cursor_proc`();

 inner join information_schema.COLUMNS 
  on information_schema.TABLES.TABLE_NAME = information_schema.COLUMNS.TABLE_NAME
where information_schema.TABLES.TABLE_SCHEMA = information_schema.COLUMNS.TABLE_SCHEMA
 and information_schema.COLUMNS.DATA_TYPE in 
 ('char', 'varchar', 'binary', 'varbinary', 'blob', 'longblob', 'text', 'mediumtext', 'longtext')
    and information_schema.COLUMNS.CHARACTER_MAXIMUM_LENGTH > 15;

DECLARE CONTINUE HANDLER FOR NOT FOUND SET v_done = 1;

OPEN CheckHtmlInjectCursor;

read_loop: LOOP
  FETCH CheckHtmlInjectCursor INTO v_s, v_t, v_c;
 IF v_done = 1 THEN
      LEAVE read_loop;
      CLOSE CheckHtmlInjectCursor;
 END IF;
    SELECT v_c,  v_s, v_t;
    
   'SELECT ', v_c, ' FROM ', v_s, '.', v_t, '.', v_c, ' WHERE ', v_c, ' like ''%'' '));
    SET @queryString = (
  SELECT CONCAT(
   'SELECT ', v_c, '.',  v_s, '.', v_t, ' FROM ', v_t));
 PREPARE stmt FROM @queryString;
 EXECUTE stmt;
 DEALLOCATE PREPARE stmt; 
 */

END LOOP read_loop;
/* CLOSE CheckHtmlInjectCursor; */

END $$
 
DELIMITER ;


Keine Kommentare:

Kommentar veröffentlichen