How things break
Let’s close things up with a deep dive into the weird and wonderful ways that program errata can be exploited for the greater bad.
Ever since people began connecting their PHP applications to SQL databases, there have been SQL injection attacks. These exploit unchecked — sanitise everything — user inputs, typically in web forms, to make it possible for the attacker to run arbitrary SQL queries. The classic example is to input something like
'; DROP TABLE users; into the username field of a form. If the PHP code behind that form generated an SQL query in a manner such as:
$sql = "SELECT username from users where username = '$user';";
then if the $user variable is substituted with our poisoned input we end up with two SQL queries for the price of one:
SELECT username from users where username = ''; DROP TABLE users;
And then our “users” table disappears in a puff of unsanitised input. The reason this works (in reality it should not work anywhere, because PHP no longer allows SQL statements to be chained together like this) is that we were allowed to put a single quote in our input. Even if you’re not permitted to chain SQL statements together, you could enter something like
' OR 1=1 UNION SELECT username, password from USERS;
which leverages the UNION operator to join the results of queries together, which is just as helpful. The tautological 1=1 part means we select all users from our table, then for good measure we display their passwords too (no one in their right mind would store plaintext passwords, but there are plenty of folks in their wrong minds on the interwebs). You’ll find a real-world example of this in the Metasploitable virtual machine we looked at earlier. [I think you’ll find that is a virtual world example. – Ed]
There’s little reason for these kinds of vulnerabilities to still exist these days, but they persist. There are all kinds of ways that special characters can be filtered or escaped from variables, and at any rate it’s bad form to construct SQL statements by crude string concatenation. Something to bear in mind.
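As an added example (not code from the article), here is the same pattern in Python with the standard sqlite3 module: build_query_unsafely() splices the input into the SQL text exactly as the PHP line does, lookup_unsafely() runs that text, and lookup_safely() binds the input as a parameter instead. The users table and its rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the article).
SAMPLE_USERS = [("alice", "hunter2"), ("bob", "letmein")]


def make_db() -> sqlite3.Connection:
    """In-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query_unsafely(user: str) -> str:
    """Crude concatenation, mirroring the PHP line: the quote and semicolon
    in the input become part of the SQL syntax, not part of the value."""
    return f"SELECT username FROM users WHERE username = '{user}';"


def lookup_unsafely(conn: sqlite3.Connection, user: str):
    """Execute the concatenated text. Returns the matching usernames, or an
    'error: ...' string when the driver refuses the result, which is what a
    single-statement API does with the chained DROP TABLE payload."""
    try:
        return [row[0] for row in conn.execute(build_query_unsafely(user))]
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return f"error: {exc}"


def lookup_safely(conn: sqlite3.Connection, user: str):
    """Parameterised query: the input travels as a bound value, so it is
    compared literally against the column and is never parsed as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (user,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "'; DROP TABLE users;"
    print(build_query_unsafely(payload))   # two statements for the price of one
    print(lookup_unsafely(db, payload))    # driver error, table survives
    print(lookup_safely(db, payload))      # [] : no user literally named that
    print(lookup_safely(db, "alice"))      # ['alice']
```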
MEMORY VULNERABILITIES
You may have heard terms like buffer overflow, use-after-free and stack corruption. These all relate to memory flaws, which can be tricky to explain without some understanding of how programs and the variables they use are assigned and use memory. When you program with a scripting language, such as Python or PHP, memory management is all left to the interpreter, and the user is left blissfully unaware of so much nightmarish administration behind the scenes.
If we were to move on to C, we’d need to grow up a little and take