| Name |
Command Line Execution through SQL Injection |
|
| Likelyhood of attack |
Typical severity |
| Low |
Very High |
|
| Summary |
An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host. |
| Prerequisites |
The application does not properly validate data before storing in the database Backend application implicitly trusts the data stored in the database Malicious data is used on the backend as a command line argument |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
[Probe for SQL Injection vulnerability] The attacker injects SQL syntax into user-controllable data inputs to search unfiltered execution of the SQL syntax in a query. |
|
| 2 |
Exploit |
[Achieve arbitrary command execution through SQL Injection with the MSSQL_xp_cmdshell directive] The attacker leverages a SQL Injection attack to inject shell code to be executed by leveraging the xp_cmdshell directive. |
|
| 3 |
Exploit |
[Inject malicious data in the database] Leverage SQL injection to inject data in the database that could later be used to achieve command injection if ever used as a command line argument |
|
| 4 |
Exploit |
[Trigger command line execution with injected arguments] The attacker causes execution of command line functionality which leverages previously injected database content as arguments. |
|
|
| Solutions | Disable MSSQL xp_cmdshell directive on the database Properly validate the data (syntactically and semantically) before writing it to the database. Do not implicitly trust the data stored in the database. Re-validate it prior to usage to make sure that it is safe to use in a given context (e.g. as a command line argument). |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-20 |
Improper Input Validation |
| CWE-74 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-78 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| CWE-89 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| CWE-114 |
Process Control |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-66 |
This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database. In order to successfully inject SQL and retrieve information from a database, an attacker: |
|