Wednesday, April 12th, 2006

XHR SQL Injection: Ajax Antipattern Illustrated

Category: Remoting, Security

<>p>

Some of you will be familiar with TheDailyWTF.com, a website showcasing code in the wild that is, well, less than professional. A recent forum item illustrates the ultimate Ajax antipattern: uploading arbitrary code to be executed on the server.

Gustavo Carvalho discovered what happens when XMLHttpRequest and the Eval() function in PHP are combined. I’ll leave it to your immagination as to what the server-side looks like …

var code =
‘ $cn = mssql_connect($DB_SERVER, $DB_USERNAME, $DB_PASSWORD) ‘ +
‘ or die(“ERROR: Cannot Connect to $DB_SERVER”); ‘ +
‘ $db = mssql_select_db($DB_NAME, $cn);

execPhp(code);

Still, you’ve got to admit the remote execution is nicely encapsulated in that little execPhp() function – no messing around with XHR here ;-).

(Thanks Matthias.)

Related Content:

Posted by Michael Mahemoff at 6:08 pm
6 Comments

++++-
4 rating from 38 votes

6 Comments »

Comments feed TrackBack URI

It seems to show me that all the information from client can’t be trust.

To execute the code provided from client? I think this is extremely unsafe.

Comment by Michael Cheng — April 12, 2006

good god, that is hideous. i dont think you could come up with a WORSE model than this.

yeah, if im not totally brain fried right now, you could hit the page with an “exec(‘show me the money’)” line.

omg.

this is awful.

Comment by matt — April 12, 2006

Cool. This has lot’s of potential, like typing this in browser address bar:

javascript:execPhp(“$q = ‘DROP DATABASE ‘. $DB_NAME; $r = mysql_query($q);”)

Comment by nxt — April 13, 2006

Woo-hoo! You’ve given me a replacement for the PHP WTF that seems to have long since died!

Comment by Shawn — April 13, 2006

Just wondering who’ll write code like this in his app ? Except Gustavo, I dunno if he write it or just find it :-) I bet he can find more miracles in that code

Comment by Hatem — April 13, 2006

“SQL Injection”? We’re dealing here with arbitrary remote code execution, where SQL injection is just one (depending on the case, minor) of the destructive possibilities.

Comment by Daniel Luz — April 16, 2006

Leave a comment

You must be logged in to post a comment.