Re: SQL Injection & Stored Procedures Info
From | Lincoln Yeoh |
---|---|
Subject | Re: SQL Injection & Stored Procedures Info |
Date | |
Msg-id | 5.1.0.14.1.20021224121802.02ccc210@mbox.jaring.my |
In reply to | SQL Injection & Stored Procedures Info (Çağıl Şeker <cagils@biznet.com.tr>) |
List | pgsql-general |
Whilst MS-SQL has many built-in procedures e.g. xp_cmdshell, I am not aware of any built-in stored procedures for Postgresql, and I believe that procedural languages must be voluntarily installed in order to be active[1]. If there really aren't any built-in procedures or even languages active by default, PG stored procs would tend to be site specific, so unless you exploit a general bug or weakness (e.g. if the interface/documentation (or lack of) discourages safe usage - e.g. hard to escape stuff), attacks would be site/application specific too.

Also, before 7.3 Postgresql functions/procs could not return multiple values (or it was rather difficult). This probably limited their use and usage. So it is likely in the future there would be greater usage of Postgresql stored procs, and who knows, maybe future versions of Postgresql would include various "activated by default" procedures and languages ripe for exploitation ;). Doesn't look like it'll be soon given the current Postgresql developer culture.

Hope that helps,

Link.

[1] http://www.ca.postgresql.org/users-lounge/docs/7.3/postgres/xplang-install.html
Usually hard to take advantage of something that isn't installed/present ;).

At 06:44 PM 12/23/02 +0200, Çağıl Şeker wrote:
>Hi,
>
>I am preparing a security related presentation regarding web based
>applications and databases. I had difficulty finding postgresql specific
>information on the Net. I am especially looking for stored procedures
>related injection examples (there are tons specific to MS-SQL, but
>although PG supports SPs, I couldn't find any). If anybody can point me
>in the right direction, I'd be glad...
>
>Regards,
>Çağıl Şeker
>________________________________________
>Software Engineer / Yazilim Muhendisi
>Biznet Bilisim Sistemleri ve Dan. San. Tic. A.S.
>Teknokent Ikizler Binasi Kat:1 A-2 Blok, ODTU
>06531 Ankara/TURKEY
>Tel : +90 312 210 11 77
>Fax : +90 312 210 11 67
>E-mail : cagils@biznet.com.tr
>http://www.biznet.com.tr
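The reply above makes the point that PostgreSQL injection through stored procedures is application specific: it depends on how a site's own functions build their SQL. As an added illustration (not code from either poster), here is a PL/pgSQL pair showing the site-specific weakness in question beside its fix. The `accounts` table and the function names are constructed for the example; it assumes a modern PostgreSQL, since `EXECUTE ... USING` (8.4+) and `format()` (9.1+) postdate the 7.3 era discussed in the thread.

```sql
-- Constructed sample table for the example.
CREATE TABLE accounts (
  id       serial PRIMARY KEY,
  username text    NOT NULL,
  balance  numeric NOT NULL DEFAULT 0
);
INSERT INTO accounts (username, balance) VALUES ('alice', 10), ('bob', 20);

-- Weak form: the query text is assembled by concatenation, so the argument
-- reaches the parser as SQL rather than as data. This is the "hard to escape
-- stuff" pattern the reply warns about.
CREATE OR REPLACE FUNCTION get_balance_unsafe(p_user text) RETURNS numeric
LANGUAGE plpgsql AS $$
DECLARE
  v_balance numeric;
BEGIN
  EXECUTE 'SELECT balance FROM accounts WHERE username = ''' || p_user || ''''
    INTO v_balance;
  RETURN v_balance;
END;
$$;

-- Hardened form: the argument is bound with USING, so it is always a value.
-- (A static SELECT inside PL/pgSQL is already parameterised; the risk only
-- appears when EXECUTE is fed a concatenated string.)
CREATE OR REPLACE FUNCTION get_balance_safe(p_user text) RETURNS numeric
LANGUAGE plpgsql AS $$
DECLARE
  v_balance numeric;
BEGIN
  EXECUTE 'SELECT balance FROM accounts WHERE username = $1'
    INTO v_balance USING p_user;
  RETURN v_balance;
END;
$$;

-- When an identifier must be dynamic, quote it with format('%I') and still
-- bind the value separately; never splice either piece in with ||.
CREATE OR REPLACE FUNCTION get_column_safe(p_column text, p_user text) RETURNS text
LANGUAGE plpgsql AS $$
DECLARE
  v_out text;
BEGIN
  EXECUTE format('SELECT %I::text FROM accounts WHERE username = $1', p_column)
    INTO v_out USING p_user;
  RETURN v_out;
END;
$$;

-- A harmless input containing a quote is enough to tell the two apart: the
-- unsafe version fails with a syntax error because the quote closes the
-- literal early (proof the input was parsed as SQL); the safe version just
-- finds no row and returns NULL.
SELECT get_balance_safe('alice');        -- 10
SELECT get_balance_safe('O''Brien');     -- NULL (no such user)
SELECT get_column_safe('balance', 'bob'); -- '20'
-- SELECT get_balance_unsafe('O''Brien'); -- ERROR: syntax error at or near "Brien"
```

The check a reviewer can apply to any PL/pgSQL body is mechanical: every `EXECUTE` must take its values through `USING` (or `%L`) and its identifiers through `%I`; any `||` that joins caller-supplied text into the query string is the defect. The same review applies with extra weight to `SECURITY DEFINER` functions, where the concatenated query runs with the owner's privileges rather than the caller's.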