• (cs)

    Painful, just painful to look at.

Why, why, why would anyone do this?  Forget the security issues, forget the logic issues, just look at that SQL!  Truly code worthy of a "WTF!"

  • (cs)

    J'lai.  I think I'm about to toss my cookies.  That's hideous.

  • Mr. First (unregistered)

    First

  • ChetOS (unregistered)

    Brillant!

  • afadw (unregistered) in reply to ChetOS
    OMFG.
     
    Oh well.  I once worked with someone who couldn't figure out how to retrieve form values server side using ColdFusion, so he decided to use VBScript on the client to do CRUD operations.  Nothing like seeing the SQL connection string on the client, just begging for some sort of attack.
  • joe_bruin (unregistered)

    wget http://thiswtfsite.com/CallQuery.asp?sql=DROP%20TABLE%20CustomerDB

  • anonymouse. (unregistered)

    rtrim(ltrim(replace(upper(left(ltrim(rtrim(us.FirstName)),1))+right(ltrim(rtrim(us.FirstName)),len(ltrim(rtrim(us.FirstName)))-1)+' '+upper(left(ltrim(rtrim(us.LastName)),1))+right(ltrim(rtrim(us.LastName)),len(ltrim(rtrim(us.LastName)))-1),char(39),char(145)))) as AssignName

    +o( +o( +o(

  • NotMyself (unregistered)

Man, I've never wanted to punch a baby in the face so bad in my life... I mean seriously... this makes me puppy-kicking mad...

  • ChiefCrazyTalk (unregistered) in reply to ChetOS
    Anonymous:
    Brillant!

    You said it, Paula!
  • Dan (unregistered)

    Toss the culprit around until he dies...

  • (cs)

    (forgetting the security implications) I had a flashback... it's like "let's write our entire logic and presentation code in SQL and let the DB do the work"...

Reminds me of (for fun and pure WTFery) writing Mandelbrot generators in PostScript and getting the LaserJet to render it.

  • (cs) in reply to anonymouse.
    Anonymous:
    rtrim(ltrim(replace(upper(left(ltrim(rtrim(us.FirstName)),1))+right(ltrim(rtrim(us.FirstName)),len(ltrim(rtrim(us.FirstName)))-1)+' '+upper(left(ltrim(rtrim(us.LastName)),1))+right(ltrim(rtrim(us.LastName)),len(ltrim(rtrim(us.LastName)))-1),char(39),char(145)))) as AssignName

    +o( +o( +o(

    And some people complain about Lisp...

  • (cs) in reply to masklinn

    Holy hell...

  • (cs)

    Very Nice!

  • Seltsam (unregistered)

    I can't stop laughing!

  • (cs) in reply to NotMyself
    Anonymous:
Man, I've never wanted to punch a baby in the face so bad in my life... I mean seriously... this makes me puppy-kicking mad...


    ROFLMAO!!!! Thanks I needed that.
  • (cs) in reply to joe_bruin

    Anonymous:
    wget http://thiswtfsite.com/CallQuery.asp?sql=DROP%20TABLE%20CustomerDB

Actually the query is in a cookie, not in the QueryString... unless I missed something in my 5 seconds of going through the SQL horror.

  • JC (unregistered) in reply to retnuh

This is nothing... my co-worker has one-upped this one. Although he can be forgiven, as it was his first programming project out of school, and the code wasn't as bad as this, it was pretty amazing.

    A client called up one day complaining that the business directory was empty (my coworker had made a search feature for this). Examining the code, I found something interesting when I hovered over the link to view details...


    view details


Now THAT was amusing!! :P

  • toxik (unregistered) in reply to masklinn


    If strSortBy & "" <> "" Then

I like that part a lot too, I mean, "Take strSortBy and nothing and compare it to nothing, if it matches then don't go on."

  • NN (unregistered) in reply to toxik

    I don't even want to begin understanding that.

  • (cs)

    deep breath

    I don't see the WTF here.

    AFAICS the cookie is just a debugging tool.  He never says the equivalent of
        db.Execute(Request.Cookies(sql))
    anywhere.

    If the cookie is, in fact, being used as a primitive Debug.Print, then that's only a minor concern, certainly not a WTF.

  • (cs) in reply to masklinn
    masklinn:
    Anonymous:
    rtrim(ltrim(replace(upper(left(ltrim(rtrim(us.FirstName)),1))+right(ltrim(rtrim(us.FirstName)),len(ltrim(rtrim(us.FirstName)))-1)+' '+upper(left(ltrim(rtrim(us.LastName)),1))+right(ltrim(rtrim(us.LastName)),len(ltrim(rtrim(us.LastName)))-1),char(39),char(145)))) as AssignName +o( +o( +o(
    And some people complain about Lisp...

    Right but they are the same people that write this kind of code...
  • Josh (unregistered) in reply to trollable

    Wow...

That wonderful bit of code is just opening the door for a SQL injection attack...  I need a bucket, I think I'm gonna puke.

  • (cs)

    Maurits, look again.

    The query is executed, checked to see if it returns anything, the SQL is dumped to a cookie, and the user is forwarded to CallQuery.asp.

    If there's no results they give them the "no result" error message right there.

    Trust me, this yahoo is going for the SQL in the Cookie in CallQuery.asp -- after a while these things become pretty predictable.

  • (cs) in reply to Maurits
    Maurits:

    If the cookie is, in fact, being used as a primitive Debug.Print, then that's only a minor concern, certainly not a WTF.

    As jbuist writes, the SQL is most probably stored in a cookie for CallQuery.asp to pick it up and execute it. I think the name of that ASP makes that perfectly clear.

But at any rate, I would like to know how exposing the SQL to the world is only a minor concern. As an example, it tells the determined user a lot about the data model, which could be useful in SQL injection attacks.
  • (cs)

    If CallQuery.asp is really running whatever cookie is in the SQL, then THAT is the WTF.  Not only is it a SQL injection attack, but consider what happens when a user:

    1) Calls up one report
    2) Calls up another report on different criteria (changing the cookie)
    3) Refreshes the first report - the page now shows the second report!

    If the page is named CallQuery.asp, that does seem likely...

As to the exposure of the internal data model to SQL injection attacks... that doesn't overly concern me.  Security through obscurity is no security at all. A SQL injection attack can be used to query the system catalogs anyway and enumerate the tables, their fields, the text of stored procedures (unless encrypted), etc.

  • (cs) in reply to toxik
    Anonymous:

    If strSortBy & "" <> "" Then

I like that part a lot too, I mean, "Take strSortBy and nothing and compare it to nothing, if it matches then don't go on."

That's actually a good VB practice.  If strSortBy has yet to be assigned a value, it could equal Nothing.  The comparison If Nothing <> "" results in True.  Therefore the code inside the If block would be skipped in cases where strSortBy is anything except the empty string, Nothing included.  By concatenating strSortBy and the empty string you will also skip the block when strSortBy is Nothing.

  • d (unregistered) in reply to Maurits
    Maurits:
    If CallQuery.asp is really running whatever cookie is in the SQL, then THAT is the WTF.  Not only is it a SQL injection attack, but consider what happens when a user:

    1) Calls up one report
    2) Calls up another report on different criteria (changing the cookie)
    3) Refreshes the first report - the page now shows the second report!

    If the page is named CallQuery.asp, that does seem likely...

As to the exposure of the internal data model to SQL injection attacks... that doesn't overly concern me.  Security through obscurity is no security at all. A SQL injection attack can be used to query the system catalogs anyway and enumerate the tables, their fields, the text of stored procedures (unless encrypted), etc.


    Good point, I guess dropping the db isn't that bad as long as the dba is backing his junk up.  Having some hack extract all the contents of a db is pretty dangerous especially if it contains my credit card info.

    (captcha  'dinky' rofl)
  • (cs)

Cookie aside, that SQL makes me wonder. I broke down a bunch of the SQL, and I'm going to take a guess that it's generated, because of the redundant function calls.

    rtrim(ltrim( replace(

    	/*UPPERCASE FIRST INITIAL*/
    	upper(left(ltrim(rtrim(us.FirstName)),1))
    	+
    	/*FIRST NAME WITHOUT SPACES*/
    	right(ltrim(rtrim(us.FirstName)), len(ltrim(rtrim(us.FirstName))) -1 )
    	+ ' ' +
    	/*UPPERCASE LAST INITIAL*/
    	upper(left(ltrim(rtrim(us.LastName)),1))
    	+
    	/*LAST NAME WITHOUT SPACES*/
    	right(ltrim(rtrim(us.LastName)), len(ltrim(rtrim(us.LastName)))-1)
    	,
    	char(39),
    	char(145)
    ) ) ) as AssignName,

    This single column is a WTF on its own.

    right(ltrim(rtrim(us.LastName)), len(ltrim(rtrim(us.LastName)))-1) is functionally equivalent to LTrim(RTrim(LastName))

Plus the outermost rtrim(ltrim( is useless, because the interior statement prevents any trailing or preceding spaces.

    Generated code, I'd bet my lunch on it.

    -Mark

  • afadw (unregistered) in reply to DiRN
    DiRN:
That's actually a good VB practice.
    The words "good practice" and VB are never meant to go together.
  • (cs) in reply to Maurits
    Maurits:
    As to the exposure of the internal data model to SQL


    That is "physical" not "data" model.

injection attacks... that doesn't overly concern me.  Security through obscurity is no security at all. A SQL injection attack can be used to query the system catalogs anyway and enumerate the tables, their fields, the text of stored procedures (unless encrypted), etc.


    Oh, really?

    Give me your credit card numbers, their expiry dates, and the Xs (whatever the three digit security code is called).

    I do not have them now, so I can not do anything.  Give me the information, and I could, were I so inclined.

    Counting on security by obscurity to save you is foolish, but making your sensitive data readily available is not a very good security model.

    Sincerely,

    Gene Wirchenko

  • (cs)

    This reminds me of this guy I knew -- he didn't understand the difference between the client and the server in web applications, either.  He actually thought that ASP.NET code was downloaded to the browser and executed there.

  • (cs) in reply to afadw

    Thank God that code had no comments, that would have been like watching a commentated rape...

  • (cs)

This is loike a caterpillar, the beauty of the design will only be recognised after it has time to develop.

  • (cs)

My eyes, the goggles, they do nothing.  I would feel embarrassed leaving that mess to the next guy.  I wonder what closeconnection() does that the rsQuery.close() below doesn't do?

  • (cs) in reply to the_saint

Bugger, I meant "like", or was that the accent.

     

    Obviously the real WTF is the lack of edit.

  • (cs) in reply to Gene Wirchenko
    Gene Wirchenko:
    Give me your credit card numbers, their expiry dates, and the Xs (whatever the three digit security code is called).


    No.  But you've discovered a flaw in the security of credit cards, not in my logic.
  • (cs) in reply to Maurits
    Maurits:
    Gene Wirchenko:
    Give me your credit card numbers, their expiry dates, and the Xs (whatever the three digit security code is called).


    No.  But you've discovered a flaw in the security of credit cards, not in my logic.


    There is a problem with both.

    It is too easy to get the bits needed to make a credit card charge.

The error in your logic is that it does matter whether I have the data.  If I do not have it, I cannot use it.  If I do have it, I may be able to.  Security by obscurity is not a perfect protection, but it is a partial one.  Because of that, I am careful whom I give such data to.

    Sincerely,

    Gene Wirchenko

  • (cs) in reply to Gene Wirchenko

    Point taken.

    But there are plenty of software systems out there which manage to be secure in spite of public knowledge of both the database schema and the code... phpBB, Community Server, et al.

  • (cs) in reply to Maurits

There is a story about the programmer who wrote this code.  The company he worked for sponsored a float in a night-time city parade.  He set up the equipment to project the company logo onto the float, but never tested it before the float went out for the parade.  When the projector was turned on, the company logo appeared backwards on the float!  He was not canned for this offense, not for his code!

    DigitalLogic:
    Cookie aside, that SQL makes me wonder. I broke down a bunch of the SQL, and I'm going to take a guess that it's generated, because of the redundant function calls.

    rtrim(ltrim( replace(
    	/*UPPERCASE FIRST INITIAL*/
    	upper(left(ltrim(rtrim(us.FirstName)),1))
    	+
    	/*FIRST NAME WITHOUT SPACES*/
    	right(ltrim(rtrim(us.FirstName)), len(ltrim(rtrim(us.FirstName))) -1 )
    	+ ' ' +
    	/*UPPERCASE LAST INITIAL*/
    	upper(left(ltrim(rtrim(us.LastName)),1))
    	+
    	/*LAST NAME WITHOUT SPACES*/
    	right(ltrim(rtrim(us.LastName)), len(ltrim(rtrim(us.LastName)))-1)
    	,
    	char(39),
    	char(145)
    ) ) ) as AssignName,

    This single column is a WTF on its own.

    right(ltrim(rtrim(us.LastName)), len(ltrim(rtrim(us.LastName)))-1) is functionally equivalent to LTrim(RTrim(LastName))

    Plus the outermost rtrim(ltrim( is useless, because the interior statement prevents any trailing or preceding spaces.

    Generated code, I'd bet my lunch on it.

    -Mark

    I'm pretty sure the guy who wrote this couldn't even spell code generator, much less use one.  I believe all of his stuff is just good old copy and paste.

    Maurits:
    Point taken.

    But there are plenty of software systems out there which manage to be secure in spite of public knowledge of both the database schema and the code... phpBB, Community Server, et al.

    Wait, phpBB manages to be secure?  Do you live on the same planet I do?

  • (cs) in reply to toxik
    Anonymous:

    If strSortBy & "" <> "" Then

I like that part a lot too, I mean, "Take strSortBy and nothing and compare it to nothing, if it matches then don't go on."



    That's actually a quick and dirty method of converting to a string - concatenate a null string to it.

Same as (in Java)

    String numToInt = i + "";
  • (cs) in reply to Chris F
    Chris F:

    He was not canned for this offense, not for his code!

    Woops, I mean he WAS canned for this offense, not for his code.
  • (cs) in reply to Maurits
    Maurits:
    Point taken.

    But there are plenty of software systems out there which manage to be secure in spite of public knowledge of both the database schema and the code... phpBB, Community Server, et al.


    I wish there were more.

    Occasionally, I have read claims that European systems are better than NAm ones.  For example, one-use numbers for charging where the vendor never has the card number but does have something that can be used to make a charge.

    Sincerely,

    Gene Wirchenko

  • ash (unregistered) in reply to versatilia
    versatilia:
(forgetting the security implications) reminds me of (for fun and pure WTFery) writing Mandelbrot generators in PostScript and getting the LaserJet to render it.

    Holy crap. And I thought writing device drivers in a debugger in hex was bad!! I bow before your superiority.

  • (cs) in reply to Maurits
    Maurits:
    But there are plenty of software systems out there which manage to be secure in spite of public knowledge of both the database schema and the code... phpBB, Community Server, et al.


    You should never rely on security through obscurity, but at the same time, you should aim for defense-in-depth.  The system should be designed to remain secure even if the schema is known; nevertheless, there is no reason to publish the schema if it isn't necessary.

    Remember, security is always about cost/benefit ratios, not about absolute deductive proofs.  Anything you can do to slow down an attacker is a good thing, and you may delay him long enough that his attempts get noticed, or frustrate him enough that he decides to go look for easier targets.

    Of course, in the case of open software like phpBB, they have no choice but to reveal their schema, and the benefits of open source outweigh the down sides.  But even there, if for some reason you really wanted to lock down a phpBB board, it would be a great idea to rename tables and columns or otherwise customize your install, so that an attacker who was otherwise familiar with the system wouldn't be familiar with YOUR system.

  • some australian guy (unregistered)

I want what you guys have been smokin'

  • neil (unregistered) in reply to BlackTigerX

Depends on how he reads the sql variable on the next page.

    If he goes like this:

    dim sql
    sql = Request("sql")

    then it would get the value from Request.Form, Request.Querystring, Request.Cookie, etc., whichever it found first. I don't remember the order though.


  • neil (unregistered) in reply to BlackTigerX
    BlackTigerX:

    Anonymous:
    wget http://thiswtfsite.com/CallQuery.asp?sql=DROP%20TABLE%20CustomerDB

Actually the query is in a cookie, not in the QueryString... unless I missed something in my 5 seconds of going through the SQL horror.



    dammit, meant to quote:

Depends on how he reads the sql variable on the next page.

    If he goes like this:

    dim sql
    sql = Request("sql")

    then it would get the value from Request.Form, Request.Querystring, Request.Cookie, etc., whichever it found first. I don't remember the order though.
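Added example, not from the article or any of the comments: a small Python model of what Classic ASP's unqualified Request("sql") returns (the lookup order neil could not remember is QueryString, Form, Cookies, ClientCertificate, ServerVariables), which settles whether the wget line or the "it's in a cookie" reply is right, next to a hypothetical CallQuery.asp design in which the cookie carries only an opaque report id and no client-supplied text is ever executed. The REPORTS table and the "report" cookie name are assumptions for the example.

```python
# Added example, not code from the page. Models Classic ASP's Request(name)
# lookup when no collection is named, and a hardened alternative for CallQuery.asp.

# Collections Classic ASP searches, in this order, for Request(name).
ASP_LOOKUP_ORDER = ("QueryString", "Form", "Cookies", "ClientCertificate", "ServerVariables")


def asp_request(name, collections):
    """Model of Request(name): the first collection in ASP_LOOKUP_ORDER that
    holds `name` wins. `collections` maps a collection name to that request's
    values. Returns (value, collection_name) or (None, None)."""
    for coll in ASP_LOOKUP_ORDER:
        value = collections.get(coll, {}).get(name)
        if value is not None:
            return value, coll
    return None, None


# Hypothetical allowlist (assumption): the search page stores only an opaque
# id in the cookie, and the SQL text lives server-side, so nothing the client
# sends is ever run as SQL.
REPORTS = {
    "open_tickets": "SELECT Id, Subject FROM Tickets WHERE Status = 'open'",
    "my_tickets": "SELECT Id, Subject FROM Tickets WHERE AssignedTo = @UserId",
}


def resolve_report(collections):
    """Hardened lookup: consult only the explicit Cookies collection and map
    the id through the allowlist. Unknown or missing ids yield None."""
    report_id = collections.get("Cookies", {}).get("report")
    return REPORTS.get(report_id)


if __name__ == "__main__":
    # Constructed request: the cookie written by the search page is present,
    # but the URL also carries a "sql" value.
    request = {
        "Cookies": {"sql": "SELECT Id FROM Tickets WHERE Status = 'open'",
                    "report": "open_tickets"},
        "QueryString": {"sql": "SELECT 1"},
    }
    print(asp_request("sql", request))   # the query string shadows the cookie
    print(resolve_report(request))       # server-side text for 'open_tickets'
```

So with `sql = Request("sql")` the cookie is not the only source: a value in the URL or a posted form is consulted first, which is why the page should read a named collection and treat its content as an id, not as SQL.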

  • Jason (unregistered) in reply to Maurits
    Maurits:

    But there are plenty of software systems out there which manage to be secure in spite of public knowledge of both the database schema and the code... phpBB, Community Server, et al.


    Ahem.
  • Jason (unregistered) in reply to Maurits
    Maurits:

    But there are plenty of software systems out there which manage to be secure in spite of public knowledge of both the database schema and the code... phpBB, Community Server, et al.


    Ahem.

Leave a comment on “Toss Your Cookies Round 'n' Round”
