I am trying to inject a RoR application... I have found a nice command which will allow me to delete things unchecked... but the problem is that it's not a problem, it's a very minor point. To make it a problem, is there any way I can inject a command to join to another table?

For example, I have:

```ruby
pointless = uselessTable.find(params[:uselessId])
pointless.delete
```

I was hoping it was possible to join another table? I'm not even 100% sure if this is injectable, I just know it's an open command that goes unchecked. Any suggestions?

James Mishra
TheHidden
  • This link doesn't answer the question directly, but it is a helpful reference for SQL injection on Rails: http://rails-sqli.org/ – phylae Jan 24 '17 at 23:04

1 Answer

This seems like it is actually a direct object reference vulnerability, as you are not injecting any SQL to exploit the vulnerability - just providing whatever ID you want. Based on the code you have provided, there is no way to delete from another table unless the database has cascading deletes set up or something like that.

Abe Miessler
  • Yes, this is what I thought, and also I know it was not an SQL injection but was hoping to turn it into something of the sort. Thank you for answering my question; I am now to assume finding this was useless. – TheHidden Mar 04 '15 at 16:20
  • Not useless at all. You have discovered a serious vulnerability - well done! While it might not seem like a big deal now, it's entirely possible that as the project grows this table will become an important part of day-to-day operations. Also - if you found the problem once, it probably exists in other places as well. Definitely secure this! – Abe Miessler Mar 04 '15 at 16:30
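The direct object reference issue described in the answer, shown next to an owner-scoped lookup. This is an added example, not code from the original post or its participants: `UselessTable` is a constructed in-memory stand-in for the model, and `Row`, `owner_id`, `find_for`, `destroy_unchecked` and `destroy_scoped` are hypothetical names.

```ruby
# Constructed in-memory stand-in for the model; all names are hypothetical.
Row = Struct.new(:id, :owner_id)

class NotFound < StandardError; end

class UselessTable
  def initialize(rows)
    @rows = rows.to_h { |r| [r.id, r] }
  end

  # Mimics a lookup by integer primary key: the id is cast to an integer and
  # used as a value, so "2 OR 1=1" is just 2 and never becomes query text.
  def find(id)
    @rows.fetch(id.to_i) { raise NotFound, "no row #{id.to_i}" }
  end

  # Scoped lookup: another owner's row looks exactly like a missing row.
  def find_for(owner_id, id)
    row = find(id)
    raise NotFound, "no row #{id.to_i}" unless row.owner_id == owner_id
    row
  end

  def delete(row)
    @rows.delete(row.id)
  end

  def ids
    @rows.keys.sort
  end
end

# Pattern from the question: whoever supplies the id decides what is deleted.
def destroy_unchecked(table, params)
  table.delete(table.find(params[:uselessId]))
  :deleted
end

# Hardened form: the lookup is tied to the authenticated user's own rows.
def destroy_scoped(table, current_user_id, params)
  table.delete(table.find_for(current_user_id, params[:uselessId]))
  :deleted
rescue NotFound
  :not_found
end

# Constructed sample data: rows 1 and 3 belong to user 10, row 2 to user 20.
def sample_table
  UselessTable.new([Row.new(1, 10), Row.new(2, 20), Row.new(3, 10)])
end
```

In a real Rails application the scoped form is usually written through an association on the signed-in user, which assumes the model has an owner column.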