Deny execute of native functions

  • Hello!
    Is it possible to block the execution of SQL native functions?
    Especially these:
    - WAITFOR;
    - HOST_NAME();
    - XACT_STATE();
    - SYSDATETIME();
    - @@version;
    - DB_NAME().
    My objective is to prevent or minimize SQL Injection.
    There is no possibility of altering the application or installing external tools.
    Thanks!

  • No, and even if you could, blocking those won't do a thing to prevent SQL Injection or minimise its impact.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • Thanks for the answer!
    I wrote a script to exemplify what I need to prevent in the SQL instance.
    Consider SQL SERVER 2008 R2 with SP1 (10.50.1600.1).
    In this case, I need to block the execution of the "IF(CHARINDEX ...", but let the stored procedure execute normally.
    The execution was adapted from SQLMap (http://sqlmap.org/), and with this injection it's possible to get the names of the databases.
    So, I need to block this type of injection.

    CREATE PROCEDURE dbo.SQLInjectionTest(@prm INT)
    AS
    BEGIN
        SELECT @prm AS Parameter, 'Inside procedure' AS [COL];
    END;
    GO
    --- **************
    -->> Executions from application using sql login application
    --> Normal execution
    EXEC dbo.SQLInjectionTest @prm = 1;
    GO
    --> Injection execution
    EXEC dbo.SQLInjectionTest @prm = 0;
    IF(CHARINDEX('10.50.1600',@@version)>0)
        IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(DB_NAME(1) AS NVARCHAR(4000)),CHAR(32))),1,1))>64)
            SELECT 'INJECTION, outside procedure' AS [COL] --1;

  • alexeliasrp - Tuesday, March 28, 2017 8:27 AM

    Thanks for the answer!
    I wrote a script to exemplify what I need to prevent in the SQL instance.
    Consider SQL SERVER 2008 R2 with SP1 (10.50.1600.1).
    In this case, I need to block the execution of the "IF(CHARINDEX ...", but let the stored procedure execute normally.
    The execution was adapted from SQLMap (http://sqlmap.org/), and with this injection it's possible to get the names of the databases.

    Why?
    There's no SQL injection possibilities in the code that you posted.

    Luis C.
    General Disclaimer:
    Are you seriously taking the advice and code from someone from the internet without testing it? Do you at least understand it? Or can it easily kill your server?

    How to post data/code on a forum to get the best help: Option 1 / Option 2
  • alexeliasrp - Tuesday, March 28, 2017 8:27 AM

    So, I need to block this type of injection.

    What's happening there is that the app is concatenating that 'IF(CHARINDEX('10.50.1600',@@version)>0) ...' stuff after a legit SQL statement. The only place that can be fixed is in the app, and there is NOTHING special about the functions you posted. I could do SQL injection and obtain far more than just the DB names with none of those functions used at all.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
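To show the point made in the reply above from the database side, here is an added T-SQL demo (not code from the thread or from either poster). It assumes the dbo.SQLInjectionTest procedure from the script earlier in the thread exists, and it feeds the thread's own injected suffix into the batch two ways: once by string concatenation, as the application is doing, and once as an sp_executesql parameter.

```sql
-- Constructed demo: the injected text from the thread, supplied as the
-- "value" of @prm. Assumes dbo.SQLInjectionTest already exists.
DECLARE @userInput NVARCHAR(4000) =
      N'0; IF(CHARINDEX(''10.50.1600'',@@version)>0) '
    + N'IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(DB_NAME(1) AS NVARCHAR(4000)),CHAR(32))),1,1))>64) '
    + N'SELECT ''INJECTION, outside procedure'' AS [COL] --';

-- 1. Concatenation (what the application is doing): the input becomes
--    part of the batch text, so the injected IF runs after the procedure.
--    Blocking CHARINDEX or @@version would not change this; any other
--    statement could follow the semicolon just as easily.
DECLARE @concatenated NVARCHAR(MAX) =
    N'EXEC dbo.SQLInjectionTest @prm = ' + @userInput + N';';
EXEC (@concatenated);   -- two result sets: the procedure's and the injected one

-- 2. Parameterisation (the fix, which only the application can apply):
--    the same input is passed as a value, never as batch text. Nothing
--    after "0;" is ever parsed as SQL. Because @prm is an INT, the call
--    fails with a conversion error instead of executing the injected IF.
BEGIN TRY
    EXEC sp_executesql
        N'EXEC dbo.SQLInjectionTest @prm = @p;',
        N'@p NVARCHAR(4000)',
        @p = @userInput;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS ErrorNumber, ERROR_MESSAGE() AS ErrorMessage;
END CATCH;

-- 3. The same parameterised call with a legitimate value works normally.
EXEC sp_executesql
    N'EXEC dbo.SQLInjectionTest @prm = @p;',
    N'@p INT',
    @p = 1;
```

The application fix is the driver-side equivalent of case 2: pass user input as a typed parameter rather than splicing it into the command text.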
  • Thanks a lot, GilaMonster and Luis Cazares, that's what I need.
