Painful, just painful to look at.
Why, why, why would anyone do this? Forget the security issues, forget the logic issues, just look at that SQL! Truly code worthy of a, "WTF!"

J'lai. I think I'm about to toss my cookies. That's hideous.

Re: Toss Your Cookies Round 'n' Round
2006-01-16 14:13 • by afadw

OMFG.
Oh well. I once worked with someone who couldn't figure out how to retrieve form values server-side using ColdFusion, so he decided to use VBScript on the client to do CRUD operations. Nothing like seeing the SQL connection string on the client, just begging for some sort of attack.

wget http://thiswtfsite.com/CallQuery.asp?sql=DROP%20TABLE%20CustomerDB

rtrim(ltrim(replace(upper(left(ltrim(rtrim(us.FirstName)),1))+right(ltrim(rtrim(us.FirstName)),len(ltrim(rtrim(us.FirstName)))-1)+' '+upper(left(ltrim(rtrim(us.LastName)),1))+right(ltrim(rtrim(us.LastName)),len(ltrim(rtrim(us.LastName)))-1),char(39),char(145)))) as AssignName
+o( +o( +o(

Man, I've never wanted to punch a baby in the face so bad in my life... I mean seriously... this makes me puppy-kicking mad...

Re: Toss Your Cookies Round 'n' Round
2006-01-16 14:46 • by ChiefCrazyTalk

You said it, Paula!

Toss the culprit around until he dies...

(forgetting the security implications) I had a flashback... it's like "let's write our entire logic and presentation code in SQL and let the DB do the work"... reminds me of (for fun and pure WTFery) writing Mandelbrot generators in PostScript and getting the LaserJet to render it.

Re: Toss Your Cookies Round 'n' Round
2006-01-16 14:55 • by masklinn

And some people complain about Lisp...

Re: Toss Your Cookies Round 'n' Round
2006-01-16 15:00 • by mugs

Holy hell...

I can't stop laughing!

Re: Toss Your Cookies Round 'n' Round
2006-01-16 15:20 • by retnuh

ROFLMAO!!!! Thanks, I needed that.

Re: Toss Your Cookies Round 'n' Round
2006-01-16 15:24 • by BlackTigerX

Actually the query is in a cookie, not in the QueryString... unless I missed something in my 5 seconds of going through the SQL horror.

This is nothing... my co-worker has one-upped this one. Although he can be forgiven as it was his first programming project out of school, and the code wasn't as bad as this, it was pretty amazing.
A client called up one day complaining that the business directory was empty (my co-worker had made a search feature for this). Examining the code, I found something interesting when I hovered over the link to view details...
Now THAT was amusing!! :P

Re: Toss Your Cookies Round 'n' Round
2006-01-16 15:43 • by toxik

I like that part a lot too, I mean, "Take strSortBy and nothing and compare it to nothing, if it matches then don't go on."

I don't even want to begin understanding that.

*deep breath*
I don't see the WTF here. AFAICS the cookie is just a debugging tool. He never says the equivalent of db.Execute(Request.Cookies(sql)) anywhere. If the cookie is, in fact, being used as a primitive Debug.Print, then that's only a minor concern, certainly not a WTF.

Re: Toss Your Cookies Round 'n' Round
2006-01-16 16:04 • by trollable

Right, but they are the same people that write this kind of code...

Re: Toss Your Cookies Round 'n' Round
2006-01-16 16:11 • by Josh

Wow...
That wonderful bit of code is just opening the door for a SQL injection attack... I need a bucket, I think I'm gonna puke.

Maurits, look again.
The query is executed, checked to see if it returns anything, the SQL is dumped to a cookie, and the user is forwarded to CallQuery.asp. If there are no results they give them the "no result" error message right there. Trust me, this yahoo is going for the SQL in the Cookie in CallQuery.asp -- after a while these things become pretty predictable.

Re: Toss Your Cookies Round 'n' Round
2006-01-16 16:41 • by java.lang.NullReferenceException

As jbuist writes, the SQL is most probably stored in a cookie for CallQuery.asp to pick it up and execute it. I think the name of that ASP makes that perfectly clear. But at any rate, I would like to know how exposing the SQL to the world is only a minor concern. As an example, it tells the determined user a lot about the data model, which could be useful in SQL injection attacks.

If CallQuery.asp is really running whatever cookie is in the SQL, then THAT is the WTF. Not only is it a SQL injection attack, but consider what happens when a user:
1) Calls up one report
2) Calls up another report on different criteria (changing the cookie)
3) Refreshes the first report - the page now shows the second report!
If the page is named CallQuery.asp, that does seem likely... As to the exposure of the internal data model to SQL injection attacks... that doesn't overly concern me. Security through obscurity is no security at all. A SQL injection attack can be used to query the system catalogs anyway and enumerate the tables, their fields, the text of stored procedures (unless encrypted), etc.
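The failure mode this post spells out, run against an in-memory SQLite table so it works offline. This is an added example, not code from the original thread or from the site it was posted to; the `Users` table, its rows, the cookie-jar dict and the `PENDING_REPORTS` session store are all constructed for the demonstration. The first pair of functions models a search page that writes finished SQL into a cookie and a `CallQuery.asp`-style page that runs whatever the cookie holds, which reproduces both the stale-report refresh (points 2 and 3 above) and the fact that any text the client puts in the cookie is executed. The second pair keeps the SQL on the server, hands the browser only an opaque token, allow-lists the sort column and binds the search criteria as parameters.

```python
import secrets
import sqlite3

# Constructed sample data standing in for the report table (not from the page).
ROWS = [
    ("Ann", "Kowalski", "North"),
    ("Bob", "O'Brien", "North"),
    ("Cy", "Ng", "South"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (FirstName TEXT, LastName TEXT, Region TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", ROWS)
    return conn


# ---- The pattern the thread is describing -----------------------------------
# `cookies` models the browser's cookie jar, which the user fully controls.

def search_page_vulnerable(cookies, region):
    # Finished SQL text is handed to the client and trusted on the way back.
    cookies["sql"] = f"SELECT FirstName FROM Users WHERE Region = '{region}'"
    return "CallQuery.asp"


def call_query_vulnerable(conn, cookies):
    # Executes client-supplied text verbatim: whatever is in the cookie runs.
    return [row[0] for row in conn.execute(cookies["sql"])]


# ---- Hardened version -------------------------------------------------------
# SQL text never leaves the server. The cookie carries an opaque token only;
# PENDING_REPORTS stands in for a server-side session store (an assumption).

ALLOWED_SORT = {"FirstName", "LastName"}
PENDING_REPORTS = {}


def search_page_hardened(cookies, region, sort_by="LastName"):
    if sort_by not in ALLOWED_SORT:          # identifiers cannot be bound, so allow-list them
        raise ValueError(f"unknown sort column: {sort_by!r}")
    token = secrets.token_urlsafe(16)
    PENDING_REPORTS[token] = (
        f"SELECT FirstName FROM Users WHERE Region = ? ORDER BY {sort_by}",
        (region,),                           # values go through parameter binding
    )
    cookies["report"] = token
    return "CallQuery.asp"


def call_query_hardened(conn, cookies):
    entry = PENDING_REPORTS.get(cookies.get("report"))
    if entry is None:
        raise PermissionError("no such report")   # forged or stale token: run nothing
    sql, params = entry
    return [row[0] for row in conn.execute(sql, params)]


def sort_column_rejected(sort_by):
    """True if the hardened search page refuses this sort column."""
    try:
        search_page_hardened({}, "North", sort_by)
    except ValueError:
        return True
    return False


def demo():
    conn = make_db()
    jar = {}
    search_page_vulnerable(jar, "North")
    first = call_query_vulnerable(conn, jar)        # North report
    # A second search overwrites the cookie, so "refreshing" the first report
    # now returns the second one (points 2 and 3 in the post).
    search_page_vulnerable(jar, "South")
    refreshed = call_query_vulnerable(conn, jar)    # South report, not North
    # Anything the client writes into the cookie is executed as-is.
    jar["sql"] = "SELECT LastName FROM Users"
    leaked = call_query_vulnerable(conn, jar)       # every last name in the table
    # Hardened: criteria are bound, and a tampered token yields nothing.
    jar2 = {}
    search_page_hardened(jar2, "North", "FirstName")
    safe = call_query_hardened(conn, jar2)
    jar2["report"] = "SELECT LastName FROM Users"
    try:
        call_query_hardened(conn, jar2)
        tampered_ran = True
    except PermissionError:
        tampered_ran = False
    return first, refreshed, leaked, safe, tampered_ran


if __name__ == "__main__":
    print(demo())
```

The hardened version still has a per-report cookie, so the stale-refresh problem is avoided only because each search gets its own token rather than overwriting a shared one; in a real application the token would live in the URL of the report page or in the session rather than in a cookie at all.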

Re: Toss Your Cookies Round 'n' Round
2006-01-16 17:08 • by DiRN

That's actually a good VB practice. If strSortBy has yet to be assigned a value it could equal Nothing. The comparison If Nothing <> "" results in True. Therefore the code inside the If block would be skipped in cases where strSortBy is anything except the empty string, Nothing included. By concatenating strSortBy and the empty string you will also skip the block when strSortBy is Nothing.

Good point. I guess dropping the db isn't that bad as long as the DBA is backing his junk up. Having some hack extract all the contents of a db is pretty dangerous, especially if it contains my credit card info. (captcha 'dinky' rofl)

Cookie aside, that SQL makes me wonder. I broke down a bunch of the SQL, and I'm going to take a guess that it's generated because of the redundant function calls.

rtrim(ltrim( replace(
    /*UPPERCASE FIRST INITIAL*/ upper(left(ltrim(rtrim(us.FirstName)),1)) +
    /*FIRST NAME WITHOUT SPACES*/ right(ltrim(rtrim(us.FirstName)), len(ltrim(rtrim(us.FirstName))) -1 ) + ' ' +
    /*UPPERCASE LAST INITIAL*/ upper(left(ltrim(rtrim(us.LastName)),1)) +
    /*LAST NAME WITHOUT SPACES*/ right(ltrim(rtrim(us.LastName)), len(ltrim(rtrim(us.LastName)))-1) ,
    char(39), char(145) ) ) ) as AssignName,

This single column is a WTF on its own. right(ltrim(rtrim(us.LastName)), len(ltrim(rtrim(us.LastName)))-1) is functionally equivalent to LTrim(RTrim(LastName)). Plus the outermost rtrim(ltrim( is useless because the interior statement prevents any trailing or preceding spaces. Generated code, I'd bet my lunch on it.
-Mark
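To see what the AssignName column from Mark's breakdown actually computes, here is an added example (not from the original page or the site it came from) that re-creates the handful of T-SQL string functions in Python so the expression can be transcribed call for call, then compares it with the short form it reduces to. The shims follow SQL Server where it matters for this expression: LEFT and RIGHT reject a negative length, and CHAR(145) is decoded through the Windows-1252 code page, where it is the left single quotation mark. NULL propagation is not modelled. One consequence the shims make visible: a name that is blank after trimming makes len(...) - 1 negative, so the original expression errors on that row, while the short form copes with it.

```python
# Stand-ins for the T-SQL functions used in the AssignName column (added
# example; these are not from the original page). NULL is not modelled.

def ltrim(s):
    return s.lstrip(" ")          # T-SQL LTRIM strips spaces only

def rtrim(s):
    return s.rstrip(" ")

def upper(s):
    return s.upper()

def len_(s):
    return len(s)                 # inputs are already trimmed, so LEN's trailing-space rule is moot

def left(s, n):
    if n < 0:
        raise ValueError("Invalid length parameter passed to the left function")
    return s[:n]

def right(s, n):
    if n < 0:
        raise ValueError("Invalid length parameter passed to the right function")
    return s[-n:] if n else ""

def replace(s, old, new):
    return s.replace(old, new)

def char(n):
    # CHAR() yields a single byte in the collation's code page; Windows-1252 is
    # assumed here, where 145 (0x91) decodes to U+2018, a left single quote.
    return bytes([n]).decode("cp1252")


def assign_name_as_written(first_name, last_name):
    """The column expression from the post, transcribed function for function."""
    return rtrim(ltrim(replace(
        upper(left(ltrim(rtrim(first_name)), 1))
        + right(ltrim(rtrim(first_name)), len_(ltrim(rtrim(first_name))) - 1)
        + " "
        + upper(left(ltrim(rtrim(last_name)), 1))
        + right(ltrim(rtrim(last_name)), len_(ltrim(rtrim(last_name))) - 1),
        char(39), char(145))))


def assign_name_simplified(first_name, last_name):
    """Same result for non-blank names: trim each part, upper-case its first
    character, join with a space, swap the ASCII apostrophe for the cp1252
    left quote. Unlike the original it also tolerates a blank part."""
    def cap(s):
        s = s.strip(" ")
        return s[:1].upper() + s[1:]
    joined = (cap(first_name) + " " + cap(last_name)).strip(" ")
    return joined.replace("'", char(145))


def blank_name_fails_as_written(first_name, last_name):
    """True if the original expression raises on this input (negative RIGHT length)."""
    try:
        assign_name_as_written(first_name, last_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for first, last in [("  bob ", "o'brien"), ("ann", "kowalski"), ("", "Smith")]:
        print(repr(assign_name_simplified(first, last)),
              "original fails:", blank_name_fails_as_written(first, last))
```

The replace(char(39), char(145)) step deserves a note on its own: it rewrites every apostrophe in the name, so O'Brien comes out as O‘Brien in the data. If the purpose was to make the value safe to drop into another quoted string (an assumption here), parameter binding does that without altering the stored name.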

Re: Toss Your Cookies Round 'n' Round
2006-01-16 17:25 • by afadw

The words "good practice" and VB are never meant to go together.

Re: Toss Your Cookies Round 'n' Round
2006-01-16 17:32 • by Gene Wirchenko

That is the "physical" model, not the "data" model.
Oh, really? Give me your credit card numbers, their expiry dates, and the Xs (whatever the three-digit security code is called). I do not have them now, so I cannot do anything. Give me the information, and I could, were I so inclined. Counting on security by obscurity to save you is foolish, but making your sensitive data readily available is not a very good security model.
Sincerely,
Gene Wirchenko

This reminds me of this guy I knew -- he didn't understand the difference between the client and the server in web applications, either. He actually thought that ASP.NET code was downloaded to the browser and executed there.

Re: Toss Your Cookies Round 'n' Round
2006-01-16 17:44 • by Mikademus

Thank God that code had no comments, that would have been like watching a commentated rape...

This is loike a caterpillar, the beauty of the design will only be recognised after it has time to develop.

My eyes, the goggles, they do nothing. I would feel embarrassed leaving that mess to the next guy. I wonder what closeconnection() does that the rsQuery.close() below doesn't do?

Re: Toss Your Cookies Round 'n' Round
2006-01-16 17:50 • by the_saint

Bugger, I meant "like", or was that the accent.
Obviously the real WTF is the lack of edit.

Re: Toss Your Cookies Round 'n' Round
2006-01-16 18:26 • by Maurits

No. But you've discovered a flaw in the security of credit cards, not in my logic.

Re: Toss Your Cookies Round 'n' Round
2006-01-16 18:42 • by Gene Wirchenko

There is a problem with both. It is too easy to get the bits needed to make a credit card charge. The error in your logic is that it does matter whether I have the data. If I do not have it, I cannot use it. If I do have it, I may be able to. Security by obscurity is not a perfect protection, but it is a partial one. Because of that, I am careful whom I give such data to.
Sincerely,
Gene Wirchenko

Re: Toss Your Cookies Round 'n' Round
2006-01-16 18:55 • by Maurits

Point taken.
But there are plenty of software systems out there which manage to be secure in spite of public knowledge of both the database schema and the code... phpBB, Community Server, et al.

Re: Toss Your Cookies Round 'n' Round
2006-01-16 20:10 • by Chris F

There is a story about the programmer who wrote this code. The company he worked for sponsored a float in a night-time city parade. He set up the equipment to project the company logo onto the float, but never tested it before the float went out for the parade. When the projector was turned on, the company logo appeared backwards on the float! He was not canned for this offense, not for his code!

I'm pretty sure the guy who wrote this couldn't even spell code generator, much less use one. I believe all of his stuff is just good old copy and paste.

Wait, phpBB manages to be secure? Do you live on the same planet I do?

Re: Toss Your Cookies Round 'n' Round
2006-01-16 20:25 • by akrotkov

That's actually a quick and dirty method of converting to a string - concatenate a null string to it. Same as (in Java) String numToInt = i + "";

Re: Toss Your Cookies Round 'n' Round
2006-01-16 20:26 • by Chris F

Whoops, I mean he WAS canned for this offense, not for his code.

Re: Toss Your Cookies Round 'n' Round
2006-01-16 20:57 • by Gene Wirchenko

I wish there were more. Occasionally, I have read claims that European systems are better than NAm ones. For example, one-use numbers for charging where the vendor never has the card number but does have something that can be used to make a charge.
Sincerely,
Gene Wirchenko

Holy crap. And I thought writing device drivers in a debugger in hex was bad!! I bow before your superiority.

Re: Toss Your Cookies Round 'n' Round
2006-01-16 21:57 • by DrCode

You should never rely on security through obscurity, but at the same time, you should aim for defense-in-depth. The system should be designed to remain secure even if the schema is known; nevertheless, there is no reason to publish the schema if it isn't necessary. Remember, security is always about cost/benefit ratios, not about absolute deductive proofs. Anything you can do to slow down an attacker is a good thing, and you may delay him long enough that his attempts get noticed, or frustrate him enough that he decides to go look for easier targets. Of course, in the case of open software like phpBB, they have no choice but to reveal their schema, and the benefits of open source outweigh the downsides. But even there, if for some reason you really wanted to lock down a phpBB board, it would be a great idea to rename tables and columns or otherwise customize your install, so that an attacker who was otherwise familiar with the system wouldn't be familiar with YOUR system.

I want what you guys have been smokin'

Re: Toss Your Cookies Round 'n' Round
2006-01-16 22:03 • by neil

Depends how he reads the sql variable on the next page.
If he goes like this:
dim sql
sql = Request("sql")
then it would get the value from Request.Form, Request.Querystring, Request.Cookie, etc., whichever it found first. I don't remember the order though.

Re: Toss Your Cookies Round 'n' Round
2006-01-16 22:04 • by neil

Dammit, meant to quote: depends how he reads the sql variable on the next page. If he goes like this: dim sql / sql = Request("sql") then it would get the value from Request.Form, Request.Querystring, Request.Cookie, etc., whichever it found first. I don't remember the order though.

Re: Toss Your Cookies Round 'n' Round
2006-01-16 22:35 • by Jason

Ahem.

Re: Toss Your Cookies Round 'n' Round
2006-01-16 22:37 • by Jason

Ahem.