Blind SQL injection and how it's being handled
Gyle Fernandez, modified 7 Years ago.
New Member, Posts: 1, Join Date: 3/2/16
Hi everyone,
Currently using: Liferay Portal Enterprise Edition 6.2.10 EE
We did penetration testing on our Liferay portal by doing a blind SQL injection via the following parameters:
p_p_lifecycle=0+and+7659%3D7659
p_p_id=PortletName_WAR_PortletNameportlet%27+and+%27f%27%3D%27f
After running it, the page loads normally and we're not getting any info, or at least a redirect.
How does Liferay handle these injections via the parameter?
Thanks!
Olaf Kock, modified 7 Years ago.
RE: Blind SQL injection and how it's being handled
Liferay Legend, Posts: 6403, Join Date: 9/23/08
Gyle Fernandez:
We did penetration testing on our Liferay portal by doing a blind SQL injection via the following parameters:
p_p_lifecycle=0+and+7659%3D7659
p_p_id=PortletName_WAR_PortletNameportlet%27+and+%27f%27%3D%27f
After running it, the page loads normally and we're not getting any info, or at least a redirect.
How does Liferay handle these injections via the parameter?
The big question is: Did you see this going through to the database? I doubt it: All code that I've seen uses PreparedStatements and just adds values as parameters, never concatenates them to the statement itself. That is, if it goes to the database at all (e.g. I doubt that the lifecycle parameter is used for a query, but feel free to prove me wrong).
My guess would be that the result is roughly equal to using
p_p_lifecycle=SOMETHING_THAT_I_MADE_UP
p_p_id=SOMETHING_ELSE_THAT_I_MADE_UP_AS_WELL
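Added example, not code from Liferay or from either poster: a small Python/sqlite3 model of the point made above, using the two parameter values from the original post. It contrasts a lookup that concatenates the p_p_id value into the SQL text with one that binds it as a parameter (the PreparedStatement approach), and shows why the blind-injection check in the post cannot distinguish true from false conditions against the bound version. The `portlet` table, the control value `'f'='g`, and the `get_integer` helper imitating a lenient integer parser such as `ParamUtil.getInteger` are assumptions made for the example.

```python
import sqlite3

# Constructed sample data: a stand-in table, not Liferay's real schema.
ROWS = [("PortletName_WAR_PortletNameportlet",), ("other_WAR_otherportlet",)]

# The two parameter values from the original post, URL-decoded.
P_P_ID_PAYLOAD = "PortletName_WAR_PortletNameportlet' and 'f'='f"
P_P_LIFECYCLE_PAYLOAD = "0 and 7659=7659"

# Control value (assumption): same prefix, but the appended condition is false.
P_P_ID_CONTROL = "PortletName_WAR_PortletNameportlet' and 'f'='g"


def _db():
    """Fresh in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE portlet (portlet_id TEXT)")
    conn.executemany("INSERT INTO portlet VALUES (?)", ROWS)
    return conn


def lookup_concatenated(portlet_id):
    """Vulnerable form: the request parameter is spliced into the SQL text,
    so the quote in the payload terminates the literal and the rest is SQL."""
    sql = "SELECT portlet_id FROM portlet WHERE portlet_id = '" + portlet_id + "'"
    return [r[0] for r in _db().execute(sql)]


def lookup_prepared(portlet_id):
    """Hardened form: the parameter is bound, as a PreparedStatement does.
    The whole payload is compared as one string value and matches no row."""
    sql = "SELECT portlet_id FROM portlet WHERE portlet_id = ?"
    return [r[0] for r in _db().execute(sql, (portlet_id,))]


def boolean_oracle(lookup):
    """The blind-SQLi check from the post, as a defender would replay it:
    True if a true condition and a false condition give different results."""
    return lookup(P_P_ID_PAYLOAD) != lookup(P_P_ID_CONTROL)


def get_integer(value, default=0):
    """Assumed behaviour of a lenient integer parser like ParamUtil.getInteger:
    an unparsable p_p_lifecycle value silently falls back to the default."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default
```

Against `lookup_concatenated` the oracle returns True (the true condition yields the matching row, the false one yields nothing), while against `lookup_prepared` both variants return no rows and the oracle returns False; the lifecycle payload parses to the default 0, which is the "made-up value" outcome described above.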