Comment Injection Attack
Last revision (mm/dd/yy): 04/23/2009
Comments injected into an application through input can be used to compromise a system. As data is parsed, an injected/malformed comment may cause the process to take unexpected actions that result in an attack.
The attacker may conduct this kind of attack with different programming or scripting languages:
If the attacker can manipulate the queries that are sent to the database, he is also able to inject a comment (terminating) sequence. The effect is that the database stops interpreting the query at that sequence:
SELECT body FROM items WHERE id = $ID limit 1;
Let's assume that the attacker has sent, via the GET method, the following value, which ends up in the variable $ID:
"1 or 1=1; #"
In the end the final query form is:
SELECT body FROM items WHERE id = 1 or 1=1; # limit 1;
Everything after the # character, including "limit 1", is discarded by the database, so the query returns the "body" column of every row in the table instead of a single row.
Sequences that may be used to comment queries:
- MySQL: #, -- (in MySQL the -- sequence must be followed by whitespace)
- MS SQL: --
- MS Access: %00 (hack!)
- Oracle: --
To comment out parts of a query, the attacker may use the standard sequences of the given language, or terminate the query with his own methods, limited only by his imagination. An interesting example is the null byte method, which comments out everything after the current query in MS Access databases. More information about this can be found in Embedding Null Code.
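The query above, rebuilt as an added example (not code from the original page): the interpolated form returns every row once the comment sequence removes "limit 1", while the parameterised form keeps the limit because a bound value is never parsed as SQL. SQLite stands in for the MySQL server, so the payload uses its "--" line comment instead of "#"; the table contents are constructed for the demonstration, and the comment-sequence check at the end is a logging aid, not a defence.

```python
import sqlite3

# Added example, not from the original page. SQLite replaces the MySQL server of the
# text; its line-comment sequence is "--" (MySQL accepts "#" as well).
COMMENT_SEQUENCES = ("--", "#", "/*", "\x00")


def build_db():
    """Constructed sample table with three rows, so a successful injection is visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO items (id, body) VALUES (?, ?)",
        [(1, "first body"), (2, "second body"), (3, "third body")],
    )
    return conn


def vulnerable_lookup(conn, raw_id):
    """Builds the query by string interpolation, the pattern the page warns about."""
    query = f"SELECT body FROM items WHERE id = {raw_id} LIMIT 1"
    return [row[0] for row in conn.execute(query)]


def safe_lookup(conn, raw_id):
    """Validates the type, then binds the value as a parameter.

    A bound parameter is data, never SQL, so a comment sequence inside it cannot
    terminate the statement and LIMIT 1 stays in force.
    """
    try:
        item_id = int(raw_id)
    except (TypeError, ValueError):
        return []
    rows = conn.execute("SELECT body FROM items WHERE id = ? LIMIT 1", (item_id,))
    return [row[0] for row in rows]


def comment_sequence_in(value):
    """Monitoring aid: returns the first SQL comment sequence found in the input, or None."""
    for seq in COMMENT_SEQUENCES:
        if seq in value:
            return seq
    return None


if __name__ == "__main__":
    db = build_db()
    payload = "1 or 1=1 --"  # attacker-controlled $ID, adapted to SQLite's comment marker
    print("vulnerable:", vulnerable_lookup(db, payload))  # all three rows: LIMIT 1 was commented out
    print("safe:", safe_lookup(db, payload))              # []: rejected as a non-integer
    print("flagged:", comment_sequence_in(payload))       # '--'
```

The integer cast rejects the payload outright; even without it, the bound parameter would be compared as a literal string and match no row.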
The shell (bash) also treats the # character as the start of a comment, so interpretation of the rest of the line stops there.
<?php $sth = $_GET['what']; /* vulnerable: the raw GET value is interpolated into a shell command */ system("/usr/bin/find -name '$sth' -type f"); ?>
Using /find.php?what=*'%20%23 (the value decodes to *' #), the attacker bypasses the "-type f" restriction. The intended command:
/usr/bin/find -name '*' -type f
becomes:
/usr/bin/find -name '*' #-type f
Since the shell ignores everything after #, the command actually executed is:
/usr/bin/find -name '*'
If there are no restrictions on who is able to insert comments, then using the HTML start-of-comment tag <!-- it's possible to comment out the rest of the displayed content on the website.
<?php print "hello!: "; print $_GET['user']; print " Welcome friend!"; ?>
The result will be:
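The PHP snippet above, mirrored in Python as an added example that is not from the original page: the unescaped version lets a user value of <!-- open a comment that swallows " Welcome friend!", while html.escape() turns the angle bracket into &lt; so no comment is opened. The rendered_text() helper is a deliberately minimal approximation of how a browser handles comments (an unterminated one runs to the end of the document), added here only to make the effect checkable.

```python
import html

# Added example, not from the original page; rendered_text() is a simplified model of
# browser comment handling written for this demonstration.


def vulnerable_page(user):
    """Echoes the GET parameter unescaped, as the page's PHP snippet does."""
    return "hello!: " + user + " Welcome friend!"


def safe_page(user):
    """Escapes the value so '<' becomes '&lt;' and '<!--' can no longer open a comment."""
    return "hello!: " + html.escape(user, quote=True) + " Welcome friend!"


def rendered_text(markup):
    """Approximates what a browser displays: drop everything from '<!--' to the next '-->'.

    An unterminated comment swallows the rest of the document, which is how the injection
    hides whatever follows the injection point. Entities are decoded afterwards, as a
    browser does for text nodes.
    """
    parts = []
    pos = 0
    while pos < len(markup):
        start = markup.find("<!--", pos)
        if start == -1:
            parts.append(markup[pos:])
            break
        parts.append(markup[pos:start])
        end = markup.find("-->", start + 4)
        if end == -1:
            break  # comment never closed: nothing after it is displayed
        pos = end + 3
    return html.unescape("".join(parts))


def hides_following_content(markup):
    """Regression/monitoring check: True if the markup opens a comment it never closes."""
    start = markup.find("<!--")
    return start != -1 and markup.find("-->", start + 4) == -1


if __name__ == "__main__":
    payload = "<!--"  # value of the 'user' GET parameter
    print(repr(rendered_text(vulnerable_page(payload))))  # 'hello!: '
    print(repr(rendered_text(safe_page(payload))))        # 'hello!: <!-- Welcome friend!'
```

With escaping in place the visitor sees the literal characters <!-- followed by the greeting, and the page's own content is no longer hidden.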
Related Threat Agents