/* goodB2G() - use badsource and goodsink */
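        /*
         * Good sink for the bad-source flow: increments hitcount for every name in
         * dataContainer.containerOne (names are separated by '-') using one batched,
         * parameterized UPDATE command.
         *
         * dataContainer - carrier object; only containerOne is read here.
         * req, resp     - not used by this method; kept for the caller's signature.
         *
         * SqlException is caught and logged as a warning; nothing is rethrown.
         */
        public static void GoodB2GSink(CWE89_SQL_Injection__Web_ReadLine_CommandText_67a.Container dataContainer, HttpRequest req, HttpResponse resp)
        {
            string data = dataContainer.containerOne;

            if (data != null)
            {
                string[] names        = data.Split('-');
                int      successCount = 0;
                try
                {
                    /* FIX: Use prepared statement and concatenate CommandText (properly) */
                    using (SqlConnection dbConnection = IO.GetDBConnection())
                    {
                        dbConnection.Open();
                        using (SqlCommand goodSqlCommand = new SqlCommand(null, dbConnection))
                        {
                            for (int i = 0; i < names.Length; i++)
                            {
                                /* Each batched statement needs its own placeholder: a parameter name
                                 * may appear only once in the Parameters collection, so a shared
                                 * "@name" could not carry a different value per statement. */
                                string paramName = "@name" + i;

                                SqlParameter nameParam = new SqlParameter(paramName, SqlDbType.VarChar, 100);
                                nameParam.Value = names[i];

                                /* The parameter must be attached to the command. Without this the
                                 * placeholder is never bound and the statement fails at execution,
                                 * so the parameterized path would never actually run. */
                                goodSqlCommand.Parameters.Add(nameParam);

                                /* Only the generated placeholder name (a constant prefix plus the loop
                                 * index) is concatenated into the SQL text; the untrusted value travels
                                 * exclusively through the bound parameter. */
                                goodSqlCommand.CommandText += "update users set hitcount=hitcount+1 where name=" + paramName + ";";
                            }
                            goodSqlCommand.Prepare();
                            /* NOTE(review): ExecuteNonQuery reports affected rows, which the message
                             * below presents as a count of successful queries - confirm that is intended. */
                            int affectedRows = goodSqlCommand.ExecuteNonQuery();
                            successCount += affectedRows;
                            IO.WriteLine("Succeeded in " + successCount + " out of " + names.Length + " queries.");
                        }
                    }
                }
                catch (SqlException exceptSql)
                {
                    IO.Logger.Log(NLog.LogLevel.Warn, "Error getting database connection", exceptSql);
                }
            }
        }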
        /* goodG2B() - use goodsource and badsink */
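        /*
         * Bad sink for the good-source flow: increments hitcount for every name in
         * dataContainer.containerOne (names are separated by '-') by concatenating each
         * name directly into the SQL text.
         *
         * The concatenation is the deliberate weakness this test case exists to exhibit
         * and is left in place. According to the test-case header this sink is meant to
         * be paired with a trusted ("good") source; the pattern must not be copied into
         * code that receives request or user data - bind values through SqlParameter
         * instead.
         *
         * dataContainer - carrier object; only containerOne is read here.
         * req, resp     - not used by this method; kept for the caller's signature.
         *
         * SqlException is caught and logged as a warning; nothing is rethrown.
         */
        public static void GoodG2BSink(CWE89_SQL_Injection__Web_ReadLine_CommandText_67a.Container dataContainer, HttpRequest req, HttpResponse resp)
        {
            string data = dataContainer.containerOne;

            if (data != null)
            {
                string[]   names         = data.Split('-');
                int        successCount  = 0;
                SqlCommand badSqlCommand = null;
                try
                {
                    /* The command has to exist before its Connection is assigned. It was
                     * previously still null at that point, so the method threw a
                     * NullReferenceException (not handled by the SqlException catch below)
                     * before any SQL was built. */
                    badSqlCommand = new SqlCommand();

                    using (SqlConnection dbConnection = IO.GetDBConnection())
                    {
                        badSqlCommand.Connection = dbConnection;
                        dbConnection.Open();
                        for (int i = 0; i < names.Length; i++)
                        {
                            /* POTENTIAL FLAW: data concatenated into SQL statement used in CommandText, which could result in SQL Injection */
                            badSqlCommand.CommandText += "update users set hitcount=hitcount+1 where name='" + names[i] + "';";
                        }
                        /* NOTE(review): ExecuteNonQuery reports affected rows, which the message
                         * below presents as a count of successful queries - confirm that is intended. */
                        var affectedRows = badSqlCommand.ExecuteNonQuery();
                        successCount += affectedRows;
                        IO.WriteLine("Succeeded in " + successCount + " out of " + names.Length + " queries.");
                    }
                }
                catch (SqlException exceptSql)
                {
                    IO.Logger.Log(NLog.LogLevel.Warn, "Error getting database connection", exceptSql);
                }
                finally
                {
                    /* Release the command on every path, including when the update failed. */
                    try
                    {
                        if (badSqlCommand != null)
                        {
                            badSqlCommand.Dispose();
                        }
                    }
                    catch (SqlException exceptSql)
                    {
                        IO.Logger.Log(NLog.LogLevel.Warn, "Error disposing SqlCommand", exceptSql);
                    }
                }
            }
        }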