ruby on rails - Is it possible to modify database using SQL injection with Active Record -
this question has answer here:
- rails methods vulnerable sql injection? 2 answers
using rails 4.0 have controller action uses request parameters in active record query:
@clients = client.where(params[:where]).order(params[:order]).limit(params[:limit])
would possible user, using sql injection, modify database, or obtain information database not contained in clients table?
if example appreciated, simple method prevent possibility (i understand placeholders or hash parameters remove vulnerablity don't see how create same functionality using them)
thanks in advance.
edit
i understand these methods have vulnerabilities. question concerns extent of vulnerablity. not able find answer specific question in rails guides.
the where
method assumes argument sql fragment if it's string.
what happens next depends on database used, example on mysql active record turns off ability query contain multiple statements, it's not case of injecting clause ';'.
current versions of rails use prepared statements on postgres, forbids injection of multiple statements.
in general relying on seems extremely risky , may vary on other databases. if data modification / theft not possible, denial of service trivial.
it possible steal information of form "is there user email address xyz" using subquery uses exists
. little time patience extract values, example if know user's id , want extract email address run subselects of form
select * users id = 123 , email_address 'a%'
if results know email address starts a, , can move onto next letter. if not check whether email address starts b , on. once i've got first character, queries of form
select * users id = 123 , email_address 'fa%' select * users id = 123 , email_address 'fb%' select * users id = 123 , email_address 'fc%'
allow me extract second character of email address. few thousand queries whole email address.
another way use sleep
function on mysql - allow extraction of variables 1 byte @ time based on how long page took load
Comments
Post a Comment