SQL - Stored Procedures
I have a question about SQL injections and stored procedures. Normally I say that one can hack everything, it’s just a matter of will and resources.
- But how would you go about hacking stored procedures? I mean, would I have to attack the server straight on, or go through the application?
- And how hard would it be, on a scale from 1-10?
I know that how the program and the stored procedures are written has a lot to say, but for this, let’s say it’s not a total idiot that has made the code. My knowledge in this area is limited and therefore my questions might not be asked correctly, but I think you know where I’m going with this.
Therma wrote: I have a question about SQL injections and stored procedures. Normally I say that one can hack everything, it’s just a matter of will and resources.
- But how would you go about hacking stored procedures? I mean, would I have to attack the server straight on, or go through the application?
- And how hard would it be, on a scale from 1-10?
I know that how the program and the stored procedures are written has a lot to say, but for this, let’s say it’s not a total idiot that has made the code. My knowledge in this area is limited and therefore my questions might not be asked correctly, but I think you know where I’m going with this.
I think the best way to figure it out would be to set up something similar to it at home, or on a network. Then test it out. Since I don't know much about SQL Stored Procedures, I can't really help you. For me the best way to learn is trial and error, maybe you could try the same.
@Feralas Yeah, that was also my next step, but since I’m a programmer I’m always looking for the easiest way :). And I’m not really sure how I would do it, and can’t really find anything decent about it on the net, so far. But I guess I will have to break out the old computers and make a network.
If anyone else should have any input on this, please let me know.
SQL injection can also affect stored procedures.
Have a look at this article: http://palisade.plynt.com/issues/2006Jun/injection-stored-procedures/
There are also plenty of other articles discussing this on google.
If you want to try it at home you will need an SQL server. Preferably, get comfortable with the syntax for writing stored procedures before installing the SQL server of choice.
Your best bet would be to start off injecting the stored procedure by calling it directly from a SQL server client. Then move on to writing a web page or application which calls the stored procedure and inject it through that.
There are plenty of examples of SQL injection which also affect stored procedures, so start with reading some articles and set up a test environment based on the scenarios you have been shown. Once you can see how the injection is happening, write some of your own stored procedures and try and inject them.
Once you have figured out how to inject the stored procedures, rewrite them in a way which prevents injection and try your queries again until it is secure.
There you have it: a beginner's guide to injecting stored procedures.
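To make the last two steps of that guide concrete (calling the procedure directly from a SQL client, then rewriting it so the same queries stop working), here is an added example that is not part of the thread or the linked article. It is T-SQL for SQL Server; the table dbo.Users, its rows and both procedure names are constructed for the demo. The first procedure is injectable because it pastes its parameter into a SQL string and runs it with EXEC; the second runs the same query but passes the value as a typed parameter through sp_executesql, so the SQL text never contains user data.

```sql
-- Constructed sample table and rows (assumption, not from the thread).
CREATE TABLE dbo.Users (Id INT PRIMARY KEY, Name NVARCHAR(100) NOT NULL);
INSERT INTO dbo.Users (Id, Name) VALUES (1, N'alice'), (2, N'bob'), (3, N'O''Brien');
GO

-- Vulnerable: @Name is concatenated into the statement text, so any quote
-- in the input changes the statement instead of being compared as data.
CREATE PROCEDURE dbo.FindUser_Unsafe @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, Name FROM dbo.Users WHERE Name = ''' + @Name + N'''';
    EXEC (@sql);
END;
GO

-- Fixed: identical query, but the value travels as the parameter @p.
-- The text of the statement is constant, so a quote in @Name is just a
-- character in the comparison. (A plain static SELECT would be better
-- still; dynamic SQL is kept here only to show the like-for-like fix.)
CREATE PROCEDURE dbo.FindUser_Safe @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, Name FROM dbo.Users WHERE Name = @p';
    EXEC sys.sp_executesql @sql, N'@p NVARCHAR(100)', @p = @Name;
END;
GO

-- Check 1: a legitimate name that happens to contain a quote.
-- Unsafe: fails with a syntax error, because the input broke the string
-- literal. Safe: returns the O'Brien row. A syntax error on ordinary
-- input like this is the first sign in testing that the procedure builds
-- SQL from its arguments.
EXEC dbo.FindUser_Unsafe @Name = N'O''Brien';
EXEC dbo.FindUser_Safe   @Name = N'O''Brien';

-- Check 2: input that closes the literal and appends a true condition.
-- Unsafe: returns every row. Safe: returns no rows, since no user is
-- literally named that. Re-running the same inputs after the rewrite is
-- the "try your queries again until it is secure" step from the post.
EXEC dbo.FindUser_Unsafe @Name = N''' OR 1=1 --';
EXEC dbo.FindUser_Safe   @Name = N''' OR 1=1 --';
GO
```

The same rule applies one layer up: the web page or application that calls the procedure must pass the value as a command parameter (EXEC dbo.FindUser_Safe @Name = ? through the driver's parameter API), not by concatenating the EXEC string itself, or the safe procedure is reachable only through an unsafe call.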