Is it possible to SQL inject JS files?


Jun Yin

Sep 15, 2021, 3:22:10 AM
to OWASP ZAP Developer Group
High (Medium) Advanced SQL Injection - MySQL > 5.0.11 stacked queries (SELECT - comment)
Description

A SQL injection may be possible using the attached payload



URL
https://www.xxxxx.xxx/view/global/user/mobile/js/plugins/swiper.min.js?1531331694=%3B%28SELECT+*+FROM+%28SELECT%28SLEEP%285%29%29%29dlRO%29%23
Method
GET
Parameter
1531331694
Attack
;(SELECT * FROM (SELECT(SLEEP(5)))dlRO)#
Instances
1
Solution

Do not trust client side input, even if there is client side validation in place.

In general, type check all data on the server side.

If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

If database Stored Procedures can be used, use them.

Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

Do not create dynamic SQL queries using simple string concatenation.

Escape all data received from the client.

Apply a 'whitelist' of allowed characters, or a 'blacklist' of disallowed characters in user input.

Apply the privilege of least privilege by using the least privileged database user possible.

In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

Grant the minimum database access that is necessary for the application.


Other information

The query time is controllable using parameter value [;(SELECT * FROM (SELECT(SLEEP(5)))dlRO)#], which caused the request to take [26,141] milliseconds, while the original unmodified query with value [] took on average [1,642.311] milliseconds.


PS:

I understand that only operations on the database can cause SQL-injection-related problems. If purely static resources such as JS, CSS, images, etc. are accessed, there should be no possibility of SQL injection. I wonder if my understanding is correct? In the scan above, access to a JS file was flagged as SQL injection. Is this judgment wrong?


thanks.
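The remediation list in the alert above (parameterized statements, server-side type checks, an allow-list of characters) reads as abstract advice; the following Python/sqlite3 snippet is an added example, not code from the post or from ZAP, that puts the vulnerable and hardened forms side by side. The `users` table, the 11-digit mobile format and the `' OR '1'='1` probe are all constructed for the demonstration; the `?` placeholder plays the role of the JDBC `PreparedStatement` parameter the alert recommends.

```python
import re
import sqlite3

# Constructed sample data (not from the original post): an in-memory table of
# users looked up by mobile number, standing in for the application's real DB.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, mobile TEXT)")
    conn.executemany(
        "INSERT INTO users (name, mobile) VALUES (?, ?)",
        [("alice", "13800000001"), ("bob", "13800000002")],
    )
    return conn

def lookup_concat(conn, mobile):
    """Vulnerable form: the client value is spliced into the SQL text, so a
    value containing quotes and operators can change the query's structure."""
    sql = f"SELECT name FROM users WHERE mobile = '{mobile}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, mobile):
    """Hardened form: the value is bound to a '?' placeholder, the sqlite3
    equivalent of the JDBC PreparedStatement advice in the alert. The driver
    sends it as data, never as SQL text, whatever characters it contains."""
    sql = "SELECT name FROM users WHERE mobile = ?"
    return [row[0] for row in conn.execute(sql, (mobile,))]

MOBILE_RE = re.compile(r"^\d{11}$")  # assumed format for this example's data

def is_valid_mobile(value):
    """Server-side type / allow-list check (the alert's 'type check all data on
    the server side' and 'whitelist of allowed characters'). It is a second
    layer; parameterisation is the control that actually stops injection."""
    return bool(MOBILE_RE.match(value))

def lookup(conn, mobile):
    """What the request handler should do: validate, then query with parameters."""
    if not is_valid_mobile(mobile):
        return []
    return lookup_param(conn, mobile)

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # classic tautology, constructed for the demonstration
    print("concatenated:", lookup_concat(db, probe))  # ['alice', 'bob']: every user
    print("parameterised:", lookup_param(db, probe))  # []: treated as a literal string
    print("validated:", lookup(db, "13800000001"))    # ['alice']
```

The difference is visible in the two probe calls: the concatenated query's WHERE clause becomes `mobile = '' OR '1'='1'` and returns every row, while the bound parameter is compared as an opaque string and matches nothing. The allow-list check on top of that means a value like the one in the alert never reaches the database at all.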





kingthorin+owaspzap

Sep 15, 2021, 11:24:19 AM
to OWASP ZAP Developer Group
If you want to understand specifically what ZAP is doing, you can review the code of the scan rules here: https://github.com/zaproxy/zap-extensions

In this particular case ZAP is alerting on a time-based injection, so if the performance of the server was impacted by the scan or other testing/use at the time, then it's likely a false positive, unless you're actually serving JS/CSS content from a DB.
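The reply above says the alert is a time-based one, so its verdict rests entirely on response timing. The alert itself reports a baseline of 1,642.311 ms and an injected-request time of 26,141 ms, a difference of roughly 24.5 s, while the payload contains `SLEEP(5)`, which would add about 5 s. The following Python triage helper is an added example, not ZAP's own decision logic, that turns that reasoning into a check: given the scanned URL, the baseline samples and the injected timing, it says whether the evidence is consistent with the injected delay, too small to matter, or too large or too noisy to trust. The thresholds (80% and 2x of the expected delay, half the delay as the noise ceiling) and the list of static-asset suffixes are assumptions chosen for this example; the figures in the usage call are the ones quoted in the alert.

```python
from statistics import mean, pstdev
from urllib.parse import urlsplit

# URL and timings quoted in the alert above (the scanner reported a single
# average baseline, so the one-element sample list below is an assumption).
ALERT_URL = ("https://www.xxxxx.xxx/view/global/user/mobile/js/plugins/swiper.min.js"
             "?1531331694=%3B%28SELECT+*+FROM+%28SELECT%28SLEEP%285%29%29%29dlRO%29%23")
ALERT_BASELINE_MS = [1642.311]
ALERT_INJECTED_MS = 26141.0
PAYLOAD_DELAY_MS = 5000.0  # SLEEP(5) in the reported payload

# Assumed list of extensions that are normally served as static files.
STATIC_SUFFIXES = (".js", ".css", ".png", ".jpg", ".gif", ".svg", ".woff", ".woff2", ".ico")

def triage_time_based_alert(url, baseline_samples_ms, injected_ms, expected_delay_ms=PAYLOAD_DELAY_MS):
    """Return (verdict, reasons) for a time-based SQL injection alert.

    verdict is one of 'no delay observed', 'likely false positive' or
    'consistent with injected delay'. Heuristic thresholds are assumptions
    for this example, not ZAP's rule logic.
    """
    reasons = []
    base = mean(baseline_samples_ms)
    delta = injected_ms - base
    path = urlsplit(url).path.lower()

    if path.endswith(STATIC_SUFFIXES):
        reasons.append("target path looks like a static asset, which is rarely served from a database")

    # Too little extra latency: the injected sleep did not show up at all.
    if delta < 0.8 * expected_delay_ms:
        reasons.append(f"response was only {delta:.0f} ms slower than baseline; "
                       f"the payload would add about {expected_delay_ms:.0f} ms")
        return "no delay observed", reasons

    # Far too much extra latency: a SLEEP(5) adds ~5 s, not tens of seconds.
    if delta > 2 * expected_delay_ms:
        reasons.append(f"response was {delta:.0f} ms slower than baseline, far more than the "
                       f"{expected_delay_ms:.0f} ms the payload would add; consistent with a "
                       "load or latency spike rather than the payload")
        verdict = "likely false positive"
    else:
        verdict = "consistent with injected delay"

    # A baseline that already swings by half the expected delay cannot support the alert.
    if len(baseline_samples_ms) > 1 and pstdev(baseline_samples_ms) > 0.5 * expected_delay_ms:
        reasons.append("baseline timings vary by more than half the injected delay; "
                       "the measurement is too noisy to trust")
        verdict = "likely false positive"
    elif len(baseline_samples_ms) < 3:
        reasons.append("fewer than three baseline samples; repeat the baseline under stable load before acting")

    if verdict == "consistent with injected delay":
        reasons.append("timing matches the injected delay; re-run the rule when the server is idle, "
                       "then inspect the handler to see whether the parameter reaches a query")
    return verdict, reasons

if __name__ == "__main__":
    verdict, reasons = triage_time_based_alert(ALERT_URL, ALERT_BASELINE_MS, ALERT_INJECTED_MS)
    print(verdict)          # likely false positive
    for r in reasons:
        print(" -", r)
```

Run against the alert's own figures the helper lands on "likely false positive" for two independent reasons: the request targets a `.js` path, and the extra latency is about five times what a `SLEEP(5)` would add, which is what a server under scan load looks like rather than what the payload would do. The constructive outcome for a reviewer is the same one the reply suggests: re-measure under stable conditions, and confirm from the application side whether the parameter is ever used in a query.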