Nytro Posted August 23, 2013

Rails SQL Injection

[h=2]Overview[/h]

The Ruby on Rails web framework provides a library called ActiveRecord which provides an abstraction for accessing databases. This page lists many query methods and options in ActiveRecord which do not sanitize raw SQL arguments and are not intended to be called with unsafe user input. Careless use of these methods can open up code to SQL injection exploits.

The examples here do not include SQL injection from known CVEs and are not vulnerabilities themselves, only potential misuses of the methods. Please use this list as a guide of what not to do. This list is in no way exhaustive or complete! Please feel free to contribute.

[h=3]Examples[/h]

Each method or option described below is accompanied by an example demonstrating how the ActiveRecord interface could be exploited if used unsafely. These are not necessarily the worst exploits; they represent just a small hint of what could be accomplished if one is not careful. The examples on this page were tested with Rails 3.2.13 and SQLite 3.

[h=3]Interactive Version[/h]

Clone and run this site from the git repo to try out or modify the examples!

Documentation

[h=3]Calculate Methods[/h]

There are several methods based around ActiveRecord::Calculations#calculate. calculate takes an operation, a column name, and an options hash similar to ActiveRecord::FinderMethods#find. Methods based on calculate are shortcuts for different operations, and take a column name and options hash as arguments. In addition to the vulnerable options listed for find, the column name argument can also accept SQL!
Calculation methods: average, calculate, count, maximum, minimum, sum

[h=4]Example[/h]

This example finds the age of a specific user, rather than the sum of all user ages. The column name is interpolated into the statement as-is, so the injected value closes the SUM() call and supplies its own FROM and WHERE clauses; the trailing semicolon ends the statement, so the AS sum_id FROM "orders" that calculate appends is left unexecuted (SQLite prepares only the first statement it is handed).

params[:column] = "age) FROM users WHERE name = 'Bob';"
Order.calculate(:sum, params[:column])

Query:
SELECT SUM(age) FROM users WHERE name = 'Bob' AS sum_id FROM "orders"

Result: 27

The same applies to the shortcut methods (Order.sum(params[:column]) and friends): never pass request parameters straight into the column argument; check the value against a fixed list of column names first.

Full article: http://rails-sqli.org/
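The following is an added example and is not code from rails-sqli.org or from Rails itself. It models how a Rails 3.2 calculate(:sum, column) call splices an untrusted column name into the SQL (build_sum_sql reproduces the query shape the page shows; it is an approximation of Rails' query builder, not the real one), and puts a whitelist guard in front of it. ORDER_COLUMNS is an assumed stand-in for what Order.column_names would return in a real app; the injected value is the one from the page. No database is needed to run it.

```ruby
# Added example: unsafe column interpolation versus a whitelist guard.
# This is not Rails' own code; build_sum_sql only mimics the SQL shape that
# rails-sqli.org shows for Order.calculate(:sum, column) on Rails 3.2.

# Mirrors the SQL the page shows: the column argument is concatenated as-is.
def build_sum_sql(table, column)
  "SELECT SUM(#{column}) AS sum_id FROM \"#{table}\""
end

# Assumed column list for an orders table. In a real app use
# Order.column_names (an ActiveRecord class method) instead of a literal.
ORDER_COLUMNS = %w[id user_id age total created_at updated_at].freeze

# Accept only an exact, known column name. An equality check against the
# list (not a regex, not quoting) is what keeps "age)" or "age; --" out.
def safe_column!(column, allowed = ORDER_COLUMNS)
  name = column.to_s
  raise ArgumentError, "unknown column: #{name.inspect}" unless allowed.include?(name)
  name
end

# What the controller should call instead of Order.calculate(:sum, params[:column]).
def safe_sum_sql(table, column, allowed = ORDER_COLUMNS)
  build_sum_sql(table, safe_column!(column, allowed))
end

# Constructed attacker input, copied from the page's example.
INJECTED_COLUMN = "age) FROM users WHERE name = 'Bob';"

if $PROGRAM_NAME == __FILE__
  puts "unsafe: " + build_sum_sql("orders", INJECTED_COLUMN)
  puts "safe:   " + safe_sum_sql("orders", "age")
  begin
    safe_sum_sql("orders", INJECTED_COLUMN)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Running the file prints the hijacked statement for the injected value (everything after the semicolon is dead text to SQLite), the intended statement for "age", and a rejection for the injected value once the guard is in place. In Rails 3.2 the guard has to live in your code; calculate, sum, count, average, maximum and minimum do not validate the column name for you.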