The Dark Arts: SQL Injection And Secure Passwords

March 9, 2016 by Will Sweatman 41 Comments

As the year of 2005 was drawing to a close, a website known as Myspace was basking in popularity. With millions of users, the site was the most popular social networking site in the world. It was unique in that it let users use HTML code to customize their Myspace page. Most of us, c’mon…admit it….had a Myspace page. The coding part was fun! But not everything was changeable with code. You could only upload up to 12 images and the Relationship Status drop-down menu only had a few options to choose from. These limitations did not sit well with [Samy Kamkar], a 19 year old hacker out of Los Angeles.

It didn’t take [Samy] long to figure out how to trick the site to let him upload more images and change his relationship status to a customized “in a hot relationship”. After hoodwinking the Myspace site with some simple hacks, he realized he could do just about anything he wanted to with it. And this is where things get interesting. It took just over a week to develop a script that would force people who visited his page to add him as a friend. But that wasn’t enough. He then programmed the script to copy itself onto the visitor’s page. [Samy] had developed a self-propagating worm.

The script went live as [Samy] went to bed. He woke up the next morning with 200 friends requests. An hour later the number had doubled. [Samy] got worried and sent an anonymous email to the webmaster warning of the worm. It was ignored. By 1:30PM that day, he had over 6,000 friends request. And like any good hacker worth his weight in floppy drives, his sense of humor had him program the script to also add his name to each visitor’s Heroes List. This angered many people, who deleted him from their page, only to get reinfected moments later when they visited another (infected) page.

[Samy’s] script was raging out of control. As the evening closed in, his friends count had reached 919,664. It would top the 1 million mark just before Myspace took their servers offline to figure out what was going on. Two hours later, the site was back up. [Samy’s] profile page had been deleted.

[Samy] had used a technique known as cross-site scripting (XSS) to pull off his hack. We’ll touch on XSS in a later article. For now, we’re going to stick to the basics – proper passwords and SQL Injection.

Continue reading “The Dark Arts: SQL Injection And Secure Passwords” →

SQL Injection Fools Speed Traps And Clears Your Record

April 4, 2014 by James Hobson 112 Comments

Typical speed camera traps have built-in OCR software that is used to recognize license plates. A clever hacker decided to see if he could defeat the system by using SQL Injection…

The basic premise of this hack is that the hacker has created a simple SQL statement which will hopefully cause the database to delete any record of his license plate. Or so he (she?) hopes. Talk about getting off scot-free!

The reason this works (or could work?) is because while you would think a traffic camera is only taught to recognize the license plate characters, the developers of the third-party image recognition software simply digitize the entire thing — recognizing any and all of the characters present. While it’s certainly clever, we’re pretty sure you’ll still get pulled over and questioned — but at least it’s not as extreme as building a flashbulb array to blind traffic cameras…

What do you guys think? Did it work? This image has been floating around the net for a few years now — if anyone knows the original story let us know!

Crawling + SQL Injection With Scrawlr

June 24, 2008 by Eliot 3 Comments

Scrawlr is the latest tool to come out of HP’s Web Security Research Group. It was built in response to the massive number of SQL injection attacks happening on the web this year. Most of these vulnerable sites are found through googling, so Scrawlr works the same way. Point it at your web server and it will crawl all of the pages and evaluate the URL parameters to see if they’re vulnerable to verbose injection. It reports the SQL server and table names if it comes across anything.

It only supports 1500 pages right now and can’t do authentication or blind injection. It’s still a free tool and a great way to identify if your site is vulnerable to automated tools finding you website via search engines.

[via Acidus]

Prompt Injection: An AI-Targeted Attack

May 19, 2023 by Bryan Cockfield 12 Comments

For a brief window of time in the mid-2010s, a fairly common joke was to send voice commands to Alexa or other assistant devices over video. Late-night hosts and others would purposefully attempt to activate voice assistants like these en masse and get them to do ridiculous things. This isn’t quite as common of a gag anymore and was relatively harmless unless the voice assistant was set up to do something like automatically place Amazon orders, but now that much more powerful AI tools are coming online we’re seeing that joke taken to its logical conclusion: prompt-injection attacks. Continue reading “Prompt Injection: An AI-Targeted Attack” →

What’s Old Is New Again: GPT-3 Prompt Injection Attack Affects AI

September 16, 2022 by Donald Papp 13 Comments

What do SQL injection attacks have in common with the nuances of GPT-3 prompting? More than one might think, it turns out.

Many security exploits hinge on getting user-supplied data incorrectly treated as instruction. With that in mind, read on to see [Simon Willison] explain how GPT-3 — a natural-language AI — can be made to act incorrectly via what he’s calling prompt injection attacks.

This all started with a fascinating tweet from [Riley Goodside] demonstrating the ability to exploit GPT-3 prompts with malicious instructions that order the model to behave differently than one would expect.

Continue reading “What’s Old Is New Again: GPT-3 Prompt Injection Attack Affects AI” →

Exploit-Me Firefox XSS And SQL Scanning Addon

June 14, 2008 by Eliot 7 Comments

[youtube=http://www.youtube.com/watch?v=RbL2ptbjoSA&hl=en&rel=0&color1=0x3a3a3a&color2=0x999999]
One of the best tools we saw at LayerOne was the Exploit-Me series presented by [Dan Sinclair]. Security Compass created these tools to help developers easily identify cross site scripting (XSS) and SQL injection vulnerabilities.

Continue reading “Exploit-Me Firefox XSS And SQL Scanning Addon” →

This Week In Security: PostHog, Project Zero Refresh, And Thanks For All The Fish

December 19, 2025 by Jonathan Bennett 18 Comments

There’s something immensely satisfying about taking a series of low impact CVEs, and stringing them together into a full exploit. That’s the story we have from [Mehmet Ince] of Prodraft, who found a handful of issues in the default PostHog install instructions, and managed to turn it into a full RCE, though only accessible as a user with some configuration permissions.

As one might expect, it all starts with a Server Side Request Forgery (SSRF). That’s a flaw where sending traffic to a server can manipulate something on the server side to send a request somewhere else. The trick here is that a webhook worker can be primed to point at localhost by sending a request directly to a system API.

One of the systems that powers a PostHog install is the Clickhouse database server. This project had a problem in how it sanitized SQL requests, namely attempting to escape a single quote via a backslash symbol. In many SQL servers, a backslash would properly escape a single quote, but Clickhouse and other Postgresql servers don’t support that, and treat a backslash as a regular character. And with this, a read-only SQL API is vulnerable to SQL injection.

These vulnerabilities together just allow for injecting an SQL string to create and run a shell command from within the database, giving an RCE and remote shell. The vulnerabilities were reported through ZDI, and things were fixed earlier this year. Continue reading “This Week In Security: PostHog, Project Zero Refresh, And Thanks For All The Fish” →