10

Does someone know of a good example of a SQL Injection vulnerability that isn't in a web application? What is the user input for this attack? I am looking for a real vulnerability, not speculation. The following picture is an example of a speculated attack against license plate reading cameras: [image]

And of course there is good old Bobby Tables, which is funny but again it's not realistic. One of the most flagrant violations is that the vast majority of SQL injection exploits can't use query stacking.

[image]

AviD
rook

5 Answers

13

I worked with an international logistics company that had an SQL vulnerability in the 5250 emulator on a handheld wireless barcode scanner.

Theoretically you could craft a barcode that would amend the database and alter stock and inventory levels etc...

Theoretically :-)

Rory Alsop
7

Many services offered on the Internet such as email, sftp, and online games can do authentication against relational databases. The PAM module for Postgres is one example as it had an SQL injection vulnerability.

While it is not common to do logging to a database, this may be useful in some situations. The database appender of the Java logging framework log4j did not do any input escaping in the really early versions of log4j.

Those two cases above are rather easily spotted in an audit. The most interesting case, however, from my point of view is the following:

Given an application for employees that has been in use for decades. When the software was developed a long time ago, security was not an issue (for example because the employees could do far greater damage by entering wrong numbers or because it was done using tight permissions on the database level).

You know those ugly old applications nobody knows how they work and nobody wants to touch. If the risk of employees doing evil things is accepted, this works fine.

Fast forward: Internet is cool. Customers should enter their data in a web application themselves. The internet application is properly audited. It might even use a shadow database.

But in the end the data entered by untrusted people is now processed using the old application. If such data is saved back to the database or used in a query, the injected SQL statements are executed with the database permissions of the employee. (Sorry, no reference, but I have seen that way too often in the real world. Sometimes this is not discovered until a customer has a name which includes a ').

Hendrik Brummermann
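The pattern described in the answer above (untrusted data stored safely by an audited front end, then concatenated into a query by older back-office code) as an added example that is not part of the original answer. It uses an in-memory SQLite database; the table names, function names and sample rows are hypothetical and constructed for illustration.

```python
import sqlite3

def build_sample_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE orders (customer TEXT, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)",
                   [("Alice", "pallet"), ("O'Brien", "parcel")])
    return db

def web_signup(db, name):
    # Audited web front end: the value is bound as a parameter, so storing it is safe.
    cur = db.execute("INSERT INTO customers (name) VALUES (?)", (name,))
    return cur.lastrowid

def _stored_name(db, customer_id):
    row = db.execute("SELECT name FROM customers WHERE id = ?", (customer_id,)).fetchone()
    return row[0]

def legacy_order_lookup(db, customer_id):
    # Legacy back-office code: treats anything already in the database as trusted
    # and splices it into the next statement (second-order injection).
    name = _stored_name(db, customer_id)
    return db.execute("SELECT item FROM orders WHERE customer = '" + name + "'").fetchall()

def fixed_order_lookup(db, customer_id):
    # Same lookup with the stored value bound as a parameter.
    name = _stored_name(db, customer_id)
    return db.execute("SELECT item FROM orders WHERE customer = ?", (name,)).fetchall()

if __name__ == "__main__":
    db = build_sample_db()
    apostrophe = web_signup(db, "O'Brien")        # ordinary name containing a '
    crafted = web_signup(db, "x' OR '1'='1")      # constructed value that alters the WHERE clause
    try:
        legacy_order_lookup(db, apostrophe)
    except sqlite3.OperationalError as exc:
        print("legacy code breaks on an ordinary name:", exc)
    print("legacy, crafted name:", legacy_order_lookup(db, crafted))
    print("fixed, O'Brien:", fixed_order_lookup(db, apostrophe))
    print("fixed, crafted name:", fixed_order_lookup(db, crafted))
```

The syntax error on an ordinary name like O'Brien is the symptom the answer mentions; in an audit, the thing to look for is any query built from values read back out of the database, not only from request input.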
6

Via writing a book, getting it published and available online

I loved the story where someone got their book published on the Amazon bookstore and it resulted in all the XSS (and possibly any SQL injections??) vectors in the book being reflected onto their book preview function, thus attacking anyone trying to preview the book.

Link to story here: http://drwetter.eu/amazon/ (highly recommend that book btw).

OCR - License plate reader injection

I find this picture more intriguing and real than the picture you used for the license plate injection: [image: license plate injection]

SMS - Reply ' or 1=1 to the SMS ad

Someone received a spam message via a text message and sent back: ' OR 1=1;--, this is the response: [image: injection via sms]

Maybe someday we will see...

I would love to try interfacing to my car and probe for vulnerabilities. Maybe someday we will read about stories where someone injected into their car or home power meter.

Chris Dale
5

Are you looking for 'real-world' SQL injections or just for injections that have nothing to do with web applications? For the second case, here are some:

SQL injection in Oracle Server: http://www.exploit-db.com/exploits/933/

SQL injection in proftpd sql-enabled authentication: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0542

john
4

Not sure if it counts, but in Europe there was someone who hand wrote a ballot that was attempting to SQL inject the voting system. If I find the story again I will post it.

http://alicebobandmallory.com/articles/2010/09/23/did-little-bobby-tables-migrate-to-sweden

Woot4Moo