Wednesday, April 12th, 2006
XHR SQL Injection: Ajax Antipattern Illustrated
Some of you will be familiar with TheDailyWTF.com, a website showcasing code in the wild that is, well, less than professional. A recent forum item illustrates the ultimate Ajax antipattern: uploading arbitrary code to be executed on the server.
Gustavo Carvalho discovered what happens when XMLHttpRequest and the eval() function in PHP are combined. I’ll leave it to your imagination as to what the server-side looks like …
// Client-side JavaScript: PHP source is assembled as a string and handed to
// execPhp(), which ships it over XMLHttpRequest to a server that eval()s it.
var code =
  ' $cn = mssql_connect($DB_SERVER, $DB_USERNAME, $DB_PASSWORD) ' +
  ' or die("ERROR: Cannot Connect to $DB_SERVER"); ' +
  ' $db = mssql_select_db($DB_NAME, $cn); ';
…
execPhp(code);
Still, you’ve got to admit the remote execution is nicely encapsulated in that little execPhp() function – no messing around with XHR here ;-).
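For contrast, here is what such an endpoint should look like when the client is only allowed to send data. This is an added example, not code from the original post or from the application Gustavo found: the client names an action and sends typed parameters, the server owns every query string and checks the action against an allowlist, and client input only ever becomes a bound parameter, so a body carrying PHP or SQL has nowhere to run. The action names, table and column names are hypothetical.

```javascript
// Added example (not from the original post): a request handler that accepts
// a named action plus typed parameters instead of source code. The action
// names, table and columns are hypothetical.

// Allowlist: each action maps to a fixed, parameterized query and a validator
// for the parameters it accepts. Nothing outside this table is reachable.
const ACTIONS = {
  getUser: {
    sql: "SELECT id, name FROM users WHERE id = ?",
    params: (p) => (Number.isInteger(p.id) && p.id > 0 ? [p.id] : null),
  },
  searchUsers: {
    sql: "SELECT id, name FROM users WHERE name LIKE ? LIMIT 50",
    params: (p) =>
      typeof p.name === "string" && p.name.length <= 64 && /^[\w .'-]+$/.test(p.name)
        ? [`%${p.name}%`]
        : null,
  },
};

// Parse and validate one request body. Returns a prepared statement
// (sql + params) on success, or an error the caller can log and reject.
function handleRequest(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    return { ok: false, error: "body is not JSON" };
  }
  if (!body || typeof body.action !== "string") {
    return { ok: false, error: "missing action" };
  }
  // Own-property check so names like "constructor" or "__proto__" cannot
  // reach anything inherited from Object.prototype.
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, body.action)) {
    return { ok: false, error: `unknown action: ${body.action}` };
  }
  const spec = ACTIONS[body.action];
  const params = spec.params(body.params ?? {});
  if (params === null) {
    return { ok: false, error: `invalid parameters for ${body.action}` };
  }
  // The SQL text is a server-side constant; the driver binds params separately.
  return { ok: true, sql: spec.sql, params };
}

// Constructed sample bodies: one legitimate call and one in the spirit of the
// comment thread, sending code rather than data.
const SAMPLE_OK = JSON.stringify({ action: "getUser", params: { id: 42 } });
const SAMPLE_CODE = JSON.stringify({
  action: "execPhp",
  params: { code: "$q = 'DROP DATABASE ' . $DB_NAME; $r = mysql_query($q);" },
});

if (typeof require !== "undefined" && require.main === module) {
  console.log(handleRequest(SAMPLE_OK));   // { ok: true, sql: ..., params: [42] }
  console.log(handleRequest(SAMPLE_CODE)); // { ok: false, error: 'unknown action: execPhp' }
}
```

The handler returns the statement and its bound parameters rather than executing them, so it can sit in front of any driver that supports placeholders; a rejected request carries a reason that is worth logging, since a stream of "unknown action" errors from one client is the kind of probing this antipattern invites.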
(Thanks Matthias.)
It seems to show me that all the information from the client can’t be trusted.
To execute the code provided from client? I think this is extremely unsafe.
Good god, that is hideous. I don’t think you could come up with a WORSE model than this.
Yeah, if I’m not totally brain fried right now, you could hit the page with an “exec('show me the money')” line.
omg.
this is awful.
Cool. This has lots of potential, like typing this in the browser address bar:
javascript:execPhp("$q = 'DROP DATABASE ' . $DB_NAME; $r = mysql_query($q);")
Woo-hoo! You’ve given me a replacement for the PHP WTF that seems to have long since died!
Just wondering who’ll write code like this in his app? Except Gustavo, I dunno if he wrote it or just found it :-) I bet he can find more miracles in that code.
“SQL Injection”? We’re dealing here with arbitrary remote code execution, where SQL injection is just one (depending on the case, minor) of the destructive possibilities.