Discussion: SQL Injection & Stored Procedures Info


SQL Injection & Stored Procedures Info

From:
Çağıl Şeker
Date:
Hi,

I am preparing a security related presentation regarding web based applications and databases. I had difficulty finding
PostgreSQL-specific information on the Net. I am especially looking for stored procedure related injection examples
(there are tons specific to MS-SQL, but although PG supports SPs, I couldn't find any). If anybody can point me in
the right direction, I'd be glad...

Regards,
Çağıl Şeker
________________________________________
Software Engineer / Yazilim Muhendisi
Biznet Bilisim Sistemleri ve Dan. San. Tic. A.S.
Teknokent Ikizler Binasi Kat:1 A-2 Blok, ODTU
06531 Ankara/TURKEY
Tel     : +90 312 210 11 77
Fax     : +90 312 210 11 67
E-mail : cagils@biznet.com.tr
http://www.biznet.com.tr

Re: SQL Injection & Stored Procedures Info

From:
Lincoln Yeoh
Date:
Whilst MS-SQL has many built-in procedures, e.g. xp_cmdshell, I am not aware
of any built-in stored procedures for PostgreSQL, and I believe that
procedural languages must be voluntarily installed in order to be active [1].

If there really aren't any built-in procedures, or even languages active by
default, PG stored procs would tend to be site specific, so unless you
exploit a general bug or weakness (e.g. if the interface, or the documentation,
or the lack of it, discourages safe usage, such as making it hard to escape
things), attacks would be site/application specific too.

Also, before 7.3 PostgreSQL functions/procs could not return multiple
values (or it was rather difficult). This probably limited their use.

So it is likely that in the future there will be greater usage of PostgreSQL
stored procs, and who knows, maybe future versions of PostgreSQL will
include various "activated by default" procedures and languages ripe for
exploitation ;). It doesn't look like that will be soon, given the current
PostgreSQL developer culture.

Hope that helps,
Link.

[1]
http://www.ca.postgresql.org/users-lounge/docs/7.3/postgres/xplang-install.html

Usually hard to take advantage of something that isn't installed/present ;).

At 06:44 PM 12/23/02 +0200, Çağıl Şeker wrote:

>Hi,
>
>I am preparing a security related presentation regarding web based
>applications and databases. I had difficulty finding postgresql specific
>information on the Net. I am especially looking for stored procedures
>related injection examples (there are tons of specific to MS-SQL, but
>although PG supports SPs, I've couldn't find any). If anybody can point me
>to the right direction, I'd be glad...
>
>Regards,
>Çağıl Şeker
>________________________________________
>Software Engineer / Yazilim Muhendisi
>Biznet Bilisim Sistemleri ve Dan. San. Tic. A.S.
>Teknokent Ikizler Binasi Kat:1 A-2 Blok, ODTU
>06531 Ankara/TURKEY
>Tel     : +90 312 210 11 77
>Fax     : +90 312 210 11 67
>E-mail : cagils@biznet.com.tr
>http://www.biznet.com.tr
>
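The kind of site-specific weakness Lincoln describes (a stored procedure whose own interface makes escaping hard) is easy to show in PL/pgSQL: a function that builds dynamic SQL by string concatenation is injectable through its argument even when the calling application parameterises its query, because the splicing happens inside the database. The block below is an added example written for this page, not code from either poster or from the PostgreSQL project. It assumes a PostgreSQL release of 9.1 or later (for format() and EXECUTE ... USING, both of which postdate the 7.3 release discussed above); the table and function names are hypothetical.

```sql
-- Added example (not from the thread): a site-specific PL/pgSQL function
-- that is injectable because it splices its argument into dynamic SQL,
-- beside two hardened versions. Assumes PostgreSQL 9.1+ (format(),
-- EXECUTE ... USING). Table and function names are hypothetical.
CREATE TABLE app_users (
    id       serial PRIMARY KEY,
    username text    NOT NULL UNIQUE,
    is_admin boolean NOT NULL DEFAULT false
);
INSERT INTO app_users (username, is_admin)
VALUES ('alice', false), ('bob', true);      -- constructed sample rows

-- Vulnerable: the caller's string becomes part of the statement text.
CREATE OR REPLACE FUNCTION find_user_unsafe(p_name text)
RETURNS SETOF app_users AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM app_users WHERE username = ''' || p_name || '''';
END;
$$ LANGUAGE plpgsql;

-- The argument x' OR '1'='1 closes the literal, so the executed statement
-- becomes:  SELECT * FROM app_users WHERE username = 'x' OR '1'='1'
-- and the WHERE clause no longer restricts anything.
SELECT username, is_admin
FROM find_user_unsafe('x'' OR ''1''=''1');

-- Hardened (values): bind the value with USING; it is sent as a parameter
-- and is never parsed as SQL, so the same payload is just an odd username.
CREATE OR REPLACE FUNCTION find_user_safe(p_name text)
RETURNS SETOF app_users AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT * FROM app_users WHERE username = $1'
        USING p_name;
END;
$$ LANGUAGE plpgsql;

SELECT username, is_admin
FROM find_user_safe('x'' OR ''1''=''1');

-- Hardened (identifiers): a table or column name cannot be a bind
-- parameter, so quote it with format('%I', ...) (and literals with %L).
-- An injected string such as  app_users; DROP TABLE x  is emitted as one
-- double-quoted identifier, which names no relation, instead of as a
-- second statement.
CREATE OR REPLACE FUNCTION count_rows_safe(p_table text)
RETURNS bigint AS $$
DECLARE
    n bigint;
BEGIN
    EXECUTE format('SELECT count(*) FROM %I', p_table) INTO n;
    RETURN n;
END;
$$ LANGUAGE plpgsql;

SELECT count_rows_safe('app_users');
SELECT count_rows_safe('app_users; DROP TABLE x');
```

Two practical notes. First, the vulnerable shape is independent of the client: an application that correctly uses placeholders for its own call, `SELECT * FROM find_user_unsafe($1)`, is still injectable because the concatenation happens inside the function. Second, on releases that predate `format()` and `EXECUTE ... USING`, `quote_literal()` and `quote_ident()` do the same job of escaping values and identifiers before they are concatenated into the dynamic statement; the mistake to audit for is any `EXECUTE` whose string is built with `||` from a parameter without one of those wrappers.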