SQL injection/pt

Sinopse

A injeção de SQL é um tipo de ataque que utiliza as vulnerabilidades na validação de entrada da aplicação ou digitação de dados para as consultas de SQL.

Quando bem-sucedido, o ataque permite que o atacante injete dados na consulta de SQL existente. The attacker may then be able to fetch private data, cause a denial of service or cause other unintended responses. In the worst case, the injected code would allow the attacker to gain full control of the system by exploiting multiple vulnerabilities in the database server, system utilities and operating system.

For an overview of SQL injection attacks, review Wikipedia's SQL Injection page.

Exemplo

The following code snippet would allow an attacker to execute their own SQL commands (and is a syntax error in Oracle).

$limit = $wgRequest->getVal( 'limit' );
$res = $db->query( "SELECT * from kitties LIMIT $limit" );

Before MW 1.35, the preferred way to run the above query would be:

$limit = $wgRequest->getVal( 'limit' );
$limit = intval( $limit ); // OPTIONAL validation
$res = $db->select( 'kitties',
                    '*',
                    false,
                    __METHOD__,
                    array( 'LIMIT' => $limit ) // REQUIRED automatic escaping
);

See Manual:Database access for more recent approaches to building SQL queries using the SelectQueryBuilder class.

To exploit the vulnerability and fetch the email addresses of registered wiki users, the attacker would use a GET string of:

?limit=%201%20union%20select%20user_email%20from%20user;


Injeção de SQL e Mediawiki

MediaWiki has a custom SQL generation interface which has proven to be effective for eliminating SQL injection vulnerabilities. The SQL generation interface also provides DBMS abstraction and features such as table prefixes.

To keep MediaWiki safe from SQL injection:

Category:Security/pt
Category:Security/pt