Websecurity - Веб безпека

This is English version of my SQL DB Structure Extraction vulnerabilities article.

There is such variety of Information Leakage vulnerabilities as SQL DB Structure Extraction. This vulnerability lie in that there is information leakage in web application about structure of the database. This information leakage can be of use at SQL Injection attack.

Such vulnerability I found first time already in 2006 (at one site) and gave it this name. Such vulnerabilities I found at many web sites, particularly at bizua.com.ua, zoom.cnews.ru and job.ukr.net. And also in many web applications, particularly in WordPress (many times), W-Agora, Nucleus, Athree CMS (twice) and Abton.

Example of information leakage which occurs at using of one from SQL DB Structure Extraction vulnerabilities in WordPress:

SELECT * FROM wp_posts WHERE 1=1 AND (post_status = "publish" OR post_author = 1 AND post_status != 'draft' AND post_status != 'static') AND post_status != "attachment" AND post_status <> ‘trash’ GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT -30, 15

In this case important information it is name of table (wp_posts), particularly its prefix (wp), which is using in other tables of WP at vulnerable site.

What is the difference between SQL DB Structure Extraction and SQL Error? Because in both cases there is a message about error at request to database.

There are different messages about error in SQL query (SQL Error):

1. Only a message is showing about error at request to DB without any details. Sometimes at that there can be a message about a script, in which error occurs, including there can be mentioned full path to it at the server, which is Full path disclosure vulnerability. And in other cases there can be no details, only mentioning about error at request to DB.

2. A message is showing about error at request to DB and part of SQL query, in which there is error. In this case, usually, there is no leaked information about structure of DB. But in such cases it’s possible the conduction of XSS attacks via errors at requests to DB.

3. A message is showing about error at request to DB with detailed information about current SQL query (or several queries). When information about structure of DB is leaked - about tables and their fields in DBMS. And this variant is SQL DB Structure Extraction.

So SQL DB Structure Extraction vulnerability - it’s such variant of SQL Error, when error at request to database occurs and at the page (at notification about error at request to DB, or even without such notification) the information about structure of DB is showing.

This entry was posted on 22:42 16.03.2010 and is filed under Статті. You can follow any responses to this entry through the RSS 2.0 feed.