
[MySQL] Auto-create database. if it doesn't exist yet. #53

Open
d-Rickyy-b opened this issue Jan 9, 2019 · 8 comments
Labels
Difficulty: Easy This is an easy issue which should not take a lot of time enhancement New feature or request good first issue Good for newcomers hacktoberfest Label for issues suited for the Hacktoberfest event New feature For suggesting a new feature

Comments

@d-Rickyy-b (Owner)

If the specified database does not exist yet, create it for the user.

That seems to have several issues with SQLI... let's see.

@d-Rickyy-b d-Rickyy-b added enhancement New feature or request good first issue Good for newcomers New feature For suggesting a new feature hacktoberfest Label for issues suited for the Hacktoberfest event labels Jan 9, 2019
@d-Rickyy-b d-Rickyy-b added the Difficulty: Easy This is an easy issue which should not take a lot of time label Sep 30, 2019
@d-Rickyy-b (Owner, Author)

Here we create the tables - before that line there must be the creation of the database if it does not exist yet.

@suparnasnair

suparnasnair commented Oct 6, 2019

Hi @d-Rickyy-b, I was looking into the code. I could see a commented-out line above your given statement which creates the database if it doesn't exist. Could you please tell me why uncommenting this will not be a solution?

@d-Rickyy-b (Owner, Author)

Hi @suparnasnair thanks for commenting :). I totally forgot that I started implementing that.

https://github.com/d-Rickyy-b/pastepwn/blob/master/pastepwn/database/mysqldb.py#L41-L48

Sadly this brings the possibility of an SQL injection. While the user themselves has access to the database and needs to configure the database name themselves, I am not sure if it's a good idea to leave that open for an SQL injection vulnerability. I can't think of any good threat model to describe this issue further, but maybe there is one I am not thinking about currently.

@razper

razper commented Oct 11, 2019

Basically you can't overcome the SQL injection problem because prepared statements won't work on 'CREATE DATABASE'. The only option I can think of is to add a library that escapes against SQL injection attacks, or presetting the database name (hard-coded).

@d-Rickyy-b (Owner, Author)

@razper Hmm, maybe presetting the name to a hardcoded one would be a great solution for now. I would have to check back on what needs to be changed and update the requirements for the issue accordingly. Thank you.

@Nocommas555

As far as I know, to do an SQL injection you would need a lot more chars than for a db name.

Checking the name with the regex ^([A-Za-z_-]+)$ should remove any injections while still accepting almost all database names.

https://regexr.com/5md5r

@Nocommas555

This leaves the possibility to do '--' and comment out the rest of the command, but that would just throw an exception and not do anything with the db.
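The two mitigations sketched by razper (escape the identifier) and Nocommas555 (allow-list it with a regex) can be combined. The following is an added example in Python, the project's language; it is not pastepwn's own code (the linked mysqldb.py is not reproduced here), and the function names, the `RecordingCursor` stand-in and the sample names are assumptions made for illustration. It rejects anything that is not a plain MySQL identifier (ASCII letters, digits, `$`, `_`, at most 64 characters), which is tighter than `^([A-Za-z_-]+)$` because it does not admit `-` (and therefore not `--`), and it backtick-quotes what survives, since DB-API placeholders only cover values, never identifiers.

```python
import re

# MySQL's rule for *unquoted* identifiers: ASCII letters, digits, '$' and '_',
# at most 64 characters for a database name. Stricter than the thread's
# ^([A-Za-z_-]+)$, which admits '-' (and so '--'); fullmatch is used instead of
# match so that a trailing newline cannot slip past a '$' anchor.
_SAFE_DB_NAME = re.compile(r"[0-9A-Za-z$_]{1,64}")


class UnsafeDatabaseName(ValueError):
    """Raised when a configured database name fails validation."""


def validate_db_name(name):
    """Return the name unchanged if it is a plain MySQL identifier, else raise."""
    if not isinstance(name, str) or _SAFE_DB_NAME.fullmatch(name) is None:
        raise UnsafeDatabaseName("database name %r is not a plain MySQL identifier" % (name,))
    return name


def quote_identifier(name):
    """Backtick-quote an identifier, doubling embedded backticks (MySQL's escape rule)."""
    return "`" + name.replace("`", "``") + "`"


def build_create_database_sql(name):
    """Build CREATE DATABASE with the name validated and quoted.

    %s placeholders in DB-API drivers only parameterise values, not identifiers,
    so the name must be checked before it is interpolated into the SQL text.
    """
    return "CREATE DATABASE IF NOT EXISTS %s" % quote_identifier(validate_db_name(name))


def ensure_database(cursor, name):
    """Execute the statement on a DB-API style cursor and return the SQL that ran.

    The cursor is injected so the function can be exercised offline with a
    stand-in such as RecordingCursor below (assumed helper, not a real driver).
    """
    sql = build_create_database_sql(name)
    cursor.execute(sql)
    return sql


class RecordingCursor:
    """Constructed stand-in for a DB-API cursor: records SQL instead of running it."""

    def __init__(self):
        self.executed = []

    def execute(self, sql, params=None):
        self.executed.append(sql)


def classify(candidates):
    """Map each candidate name to the SQL it would produce, or None if rejected."""
    out = {}
    for name in candidates:
        try:
            out[name] = build_create_database_sql(name)
        except UnsafeDatabaseName:
            out[name] = None
    return out


if __name__ == "__main__":
    # Constructed sample inputs: two ordinary names, then names that must be rejected.
    samples = [
        "pastepwn",
        "pastes_2019",
        "pastepwn; DROP DATABASE mysql; -- ",
        "a--",  # passes the thread's ^([A-Za-z_-]+)$, rejected here
        "x`; DROP DATABASE mysql; -- ",
        "pastepwn\n",
        "",
        "a" * 65,
    ]
    for name, sql in classify(samples).items():
        print("%-40r -> %s" % (name, sql or "REJECTED"))
```

Validating before quoting matters: quoting alone would make `x`; DROP DATABASE mysql; -- ` a syntactically valid (if bizarre) database name rather than an injection, but a strict allow-list keeps the name usable in config files, URLs and log lines without further escaping.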

@paulosgf

paulosgf commented Jan 7, 2022

Hello @d-Rickyy-b!
I didn't understand the need just for the database name. Aren't the username and password variables too? And thus, wouldn't they be subject to SQLi too?
I suggest using a YAML configuration file with all user-defined values. Or even an environment variable, like the hostname.
What do you think?


No branches or pull requests

5 participants