SQL Server : unsanitized user input with read only user - sql

I created a simple page with HTML/PHP for the sole purpose of getting unsanitized user input.
It is located here: http://109.201.140.29/mssql/
I did this just for fun, I use this windows server for nothing else currently.
Is there any risk when the user ONLY has (readonly) access to the database test_db?
It also logs failed/successful queries, sample of error log (as you can see, drop table does not work):
[2014-07-08 14:27:41] (query) Execution of query: "DROP TABLE users;" Failed.
src IP: <snip>
err: SQLSTATE[42S02]: [Microsoft][SQL Server Native Client 11.0][SQL Server]Cannot drop the table 'users', because it does not exist or you do not have permission.
sample from successful queries log:
[2014-07-08 14:17:38] (query) Executed: "select * from users;".
src IP: <snip>.
Returned rows: 100.
[2014-07-08 14:17:45] (query) Executed: "select ##version;".
src IP: <snip>.
Returned rows: 1.
[2014-07-08 14:19:12] (query) Executed: "SELECT * FROM information_schema.tables".
src IP: <snip>.
Returned rows: 1.
Simple question I suppose; but is there any risk here? Besides the obvious flaw of taking user input as queries..
The user has as I said read-only access and is not a owner of any databases.
I ask because this is my first experience with SQL Server, but from my testing at least the queries seem to only allow reading (SELECT) which is OK for this purpose.
Feel free to test queries of course - as there may be some queries possible that I am not aware of.

Security is built from confidentiality, availability and integrity.
Confidentiality is obviously compromised as you just give any access.
Availability is compromised as Damien showed, and other methods can be also used.
Integrity is the only thing the the "read-only" permissions actually helps to protect, but it is also limited.
Your DB Version is Microsoft SQL Server 2012 - 11.0.2100.60, there are always new exploits that can give total server takeover, and if you give direct access to the DB an attacker can always perform brute force attack to guess and impersonate another stronger user or even admin user (EXECUTE AS LOGIN... for example).
You can never close all of the potential vulnerabilities and you should never allow any direct access to your DB.

Related

Creating a non-ORACLE_MAINTAINED user in ORACLE XE 18 via JDBC

I want to create a user from JDBC (if possible) in an ORACLE Express database. That user can't have the ORACLE_MAINTAINED flag in the DBA_USERS view.
Trying CREATE USER newuser IDENTIFIED BY xxx, but it throws a ORA-65096: invalid common user or role name. To avoid it, I had to set the flag ALTER SESSION SET "_ORACLE_SCRIPT"=TRUE, as other posts recommend. But that way, it's marked as ORACLE_MAINTAINED.
I'm connecting to the xe default database.
Context:
I'm working with the Oracle Docker image; it's for integration testing purposes. The metadata queries the app uses exclude ORACLE_MAINTAINED='Y' users/tables, and I'm not able to list them (not working with data, just metadata). I could remove the WHERE from the queries, but I would prefer to avoid it, and keep the app queries untouched.
Thanks!

SQL Server drop query request

It is possible to view and analyze queries in SQL Server before implement on database and log or drop it if necessary?
For example some application send an update query to SQL Server, can I first log it to a database, and then possibly reject it if the query is illegal based on my roles?
You can use SQL Profiler to monitor queries sent to server, but you can't do what you wnat to.
If you say it is illegal for smoe roles to execute some queries it should be specified in permissions - every role have assigned permissions.
One way to achieve what you want is to define user, which mentioned applciation would use (I would even create dedicated user). Then, if you want this user to execute SELECT, just execute such command
GRANT SELECT ON [table] TO [user]
Then the user won't be able to update table, just select rows from it.
I found solution to use SQL SERVER triggers so after insert or update I check my role so if there is any access problem I can rollback transaction and send error to user.

odbc32 and SQLBrowseConnect Help

I'm making a call to odbc32.dll (SQLBrowseConnect) to return a list of databases on a sql server.
From running a trace I can see the query being executed is
select name from master..sysdatabases where has_dbaccess(name)=1
If the credentials I pass aren't the sa user it returns just the system databases. Is there anyway I can use SQLBrowseConnect with another user (whose default database is also not guarenteed to be the master database) to return all databases on the server?
Also I want to avoid smo objects
The query does work without sysadmin credentials.
You need to ensure that you / the credentials you are using are at least in the public database role on each of the databases that you need to connect to.
As you would guess, select name from master..sysdatabases returns all database names irrespective of your access to the DB.

Oracle running script

I am using Oracle Sql Developer
I have a huge script that creates tables, indexes, primary key constraints and such.
my DB name is: dbo_other
I logged into this dbo_other as sysdba.
If I run my script then tables do not show up on left panel under 'Tables'
However, if I append the script by adding 'dbo_other.' in front of every table name then the tables show up.
This is very tedious and time consuming.
Is there a way to avoid this? why wont they show up in dbo_other without adding dbo_other. in front of every table name?? When I run the query on the upper right corner the drop down has dbo_other selected!!
I can even do a select * from the table created (but dont see it in left sidebar) Furthermore, I can see the table in pl/sql developer.
Why does oracle sql developer want me to create it with dbo_other.??
Also, is there a way to avoid adding it for each table? maybe something can be done on top of the script so it takes effect on everything that follows?
Why are you logging in to your database using the SYSDBA account? This is very powerful, and it will allow you to do terrible damage to your database if you don't know what you're doing. In a development environment there's a limit to the harm you can do but it's best to get into good habits before doing things in Production.
The interesting thing about AS SYSDBA is that it overrides the username part of the login: if your OS user has the privileges, you're in. As SYS. Check it out:
SQL> conn apc
Enter password:
Connected.
SQL> show user
USER is "APC"
SQL> conn apc as sysdba
Enter password:
Connected.
SQL> show user
USER is "SYS"
SQL>
So, when you ran that script you created all those objects in the SYS schema. Which will prove to be a massive pain in the neck. I hope you have an equal and opposite reversion script.
To run the script properly, all you need to do is connect as DBO_OTHER (normal - i.e. without SYSDBA or SYSOPER which is the default after all). Your script will create tables in the current schema.
If you need to create objects in several schemas, you don't need to log out and in again. The schema is distinct from the user and it is possible to switch schema by executing alter session set current schema = WHOEVR;. This is quite a handy trick and I blogged it up some time back. Find out more.
Note that your user will not acquire any additional privileges by changing the current schema: they will only be able to do what they currently can do. So for something like creating objects in multiple schemas the executing user should be a power user, somebody with CREATE ANY privileges such as a DBA (but still not SYSDBA).
I just stumbled upon this little jem which lets you perform actions on a schema/user by default for which you are not logged in as. That is, by default your select statements, etc will operate on this new schema instead of your own.
alter session set current_schema =
Example:
Myself
+ table1
+ table2
SomeoneElse
+ SuperTable1
+ SuperTable2
log in as "Myself"
select * from SuperTable1
Error: ORA-00942: table or view does not exist
alter session set current_schema = SomeoneElse
select * from SuperTable1 <This will work.>
The "Tables" tree on the left-hand panel only includes tables the logged-in user owns in Oracle SQL Developer. If your script creates tables in another user's schema, you need to click the + next to "Other Users", find the appropriate user, and click the + on their tables.
As others have said, you shouldn't use SYSDBA unless you need to, and it sounds very much like your script should be executed as a normal user based on its rough description.

Stored Procedure Ownership Chaining

I have several stored procedures in my database that are used to load data from a datamart that is housed in a separate database. These procedures are, generally, in the form:
CREATE PROCEDURE load_stuff
WITH EXECUTE AS OWNER AS
INSERT INTO my_db.dbo.report_table
(
column_a
)
SELECT
column_b
FROM data_mart.dbo.source_table
WHERE
foo = 'bar';
These run fine when I execute the query in SQL Server Management Studio. When I try to execute them using EXEC load_stuff, the procedure fails with a security warning:
The server principal "the_user" is not able to access the database "data_mart" under the current security context.
The OWNER of the sproc is dbo, which is the_user (for the sake of our example). The OWNER of both databases is also the_user and the_user is mapped to dbo (which is what SQL Server should do).
Why would I be seeing this error in SQL Server? Is this because the user in question is being aliased as dbo and I should use a different user account for my cross-database data access?
Edit
I understand that this is because SQL Server disables cross database ownership chaining by default, which is good. However, I'm not sure of the best practice in this situation. If anyone has any input on the best practice for this scenario, it would be greatly appreciated.
Edit 2
The eventual solution was to set TRUSTWORTHY ON on both of the databases. This allows for limited ownership chaining between the two databases without resorting to full database ownership chaining.
Why not remove EXECUTE AS OWNER?
Usually, my user executing the SP would have appropriate rights in both databases, and I don't have to do that at all.
There is no need to create login, you can just enable guest user in target DB.
grant connect to guest
This allows executing user to enter DB under guest context, and when "db chaining is ON access will not be checked in target DB.
Actually, DBO is a role (you can consider it as a group of users), not a user in himself. (Unless you can connect to SQL SERVER using dbo:passwordfordbo it's not a user).
Usually, in the wonderful world of SQL Server, if you grant userX right to execute storedprocY then X gets the right to perform all the task Y contains even if he doesn't have all the permission on all the objects used in Y.
That's an extremely useful feature to encapsulate business logic in a stored procedure. (Your user have NO access on the table but they do can EXECUTE one stored proc).
When we talk about "ownership chaining" it means the following (please correct me if I am wrong though)
- If ownership chaining is disabled: the right to execute procedureX will work as long as all the required objects are in the same database
- Of chaining is enabled: That "privilege" will expands towards all databases.
Hope that helps,