Difference between revisions of "Comment Injection Attack"
|Line 2:||Line 2:|
Comments injected into an application through input can be used to compromise a system.
Comments injected into an application through input can be used to compromise a system. data is parsed, an injected/malformed comment may cause the process to take unexpected actions that result in an attack.
Revision as of 11:58, 5 August 2008
Comments injected into an application through input can be used to compromise a system. As data is parsed, an injected/malformed comment may cause the process to take unexpected actions that result in an attack.
The attacker may conduct this kind of attack with different programming or scripting languages:
If the attacker has possibility to manipulate queries, which are sended to the database, then he's able to inject terminating character too. The aftermath is that the interpretation of the query will be stoped at the terminating character:
SELECT body FROM items WHERE id = $ID limit 1;
Lets assume that the attacker has sended via GET method the following data stored in variable $ID:
"1 or 1=1; #"
In the end the final query form is:
SELECT body FROM items WHERE id = 1 or 1=1; # limit 1;
After # character everything will be discarded by the database including "limit 1". That's why only the last column "body" with all its records will be recived as a query response.
Sequences that may be used to comment queries:
- MySQL:#, --
- MS SQL: --
- MS Access: %00 (hack!)
- Oracle: --
To comment out some parts of the queries, the attacker may use the standard sequences, typical for a given language, or terminate the queries using his own methods being limited only by his imagination. An interesing example is a null byte method used to comment out everything after the current query in MS Access databases. More information about it can be found in Embedding_Null_Code .
Shell (bash) also has its character #, which terminates interpretation.
<? $ =sth $_GET['what]; system("/usr/bin/find -name '$sth' -type f"); ?>
Using /find.php?what=*'%20%23 the attacker will bypass limitation "-type f" and this command:
/usr/bin/find -name '*' -type f
/usr/bin/find -name '*' #-type f
So the final form of the command is:
/usr/bin/find -name '*'
If there are no restrictions about who is able to insert comments,then using start comment tag:
it's possible to comment out the rest of displayed content on the website.
<?php print "hello!: "; print $_GET['user']; print " Welcome to Hell!"; ?>
There result will be:
Developers should anticipate that comments will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of black lists and white lists to ensure only valid, expected and appropriate input is processed by the system.