in security risk in outsourced sql?

sneakyimp

i recently got some data from a contractor that i don't know all that well (read: from other country). the data is stored in SQL files with insert commands, etc. the contractor in question has no access to my database but i'm wondering if the SQL he sent me presents any security risk to my existing data or any risk going forward in terms of trojan horse type stuff.

anybody know?

Sxooter

Well, my guess is you're gonna have to look it over to be sure. Maybe you should set up a test box on an isolated network and run the scripts there to see if they present any danger.

sneakyimp

urk! i was hoping you would say something like that.

there's like 7 megabytes of data, so i think the likelihood of inspecting it all is very small.

as for test box, i have no such resource 🙁.

i reckon i'll search it for <? and ?> tags (php injection? is that possible?

complicating matters is the fact that the database contains a bunch of html that we data mined from some public license wikis. maybe i'll need to search the stuff also for <object ro <embed tags or whatever.

sheesh.

Roger_Ramjet

If you haven't got a seperate box, at least set up a seperate database to run the inserts into. You can then inspect the test db for any schema changes or damage, as well as searching the data for hidden code etc.

An injection attack occurs when user input actually contain SQL statements that are then added to a dynamically constructed query and executed by the server. Typically this would be used to overcome user authentication by substituting a WHERE clause that always evaluates to true, or using LIKE to match real user names etc. Alternatively, a malicious injection could delete tables and data, or just reveal your whole database schema through the use of SHOW and DESCRIBE. Under some circumstances a progressive attack could create new user accounts and roles and take over your whole db server, or just lock you out.

sneakyimp

Thanks for the shrewd and detailed advice. I have followed it and created a sandbox database to buffer my production data from the outsource work. all data is moved to and from this sandbox dbase before being sent off to contractors. i created a new user and granted it all priveleges on the sandbox database.

before i sent data and stub code to outsource guy, i changed all the table names (by changing the include file) and emptied out the username and password so the outsourcers will know neither my true database names, table names, usernames, or passwords.

that said, i still need to import their data into my database and they have delivered SQL files. i went ahead and did so using mysql from the command line.

now i'm interested in scrutinizing this data for SHOW, DESCRIBE, and GRANT statements. i'm particularly concerned about grant statements. problem is that the word "grant" appears several hundred times in my data.

can anyone suggest a way to search an SQL file (text) to locate this sort of syntax?

GRANT priv_type [(column_list)] [, priv_type [(column_list)]] ...
    ON {tbl_name | * | *.* | db_name.*}
    TO user [IDENTIFIED BY [PASSWORD] 'password']
        [, user [IDENTIFIED BY [PASSWORD] 'password']] ...
    [REQUIRE
        NONE |
        [{SSL| X509}]
        [CIPHER 'cipher' [AND]]
        [ISSUER 'issuer' [AND]]
        [SUBJECT 'subject']]
    [WITH [GRANT OPTION | MAX_QUERIES_PER_HOUR count |
                          MAX_UPDATES_PER_HOUR count |
                          MAX_CONNECTIONS_PER_HOUR count |
                          MAX_USER_CONNECTIONS count]]

REVOKE priv_type [(column_list)] [, priv_type [(column_list)]] ...
    ON {tbl_name | * | *.* | db_name.*}
    FROM user [, user] ...
REVOKE ALL PRIVILEGES, GRANT OPTION FROM user [, user] ...