Comment Injection Attack
Contributor(s): KristenS, Jeff Williams, Alan Jex, kingthorin
Comments injected into an application through input can be used to compromise a system. As data is parsed, an injected/malformed comment may cause the process to take unexpected actions that result in an attack.
The attacker may conduct this kind of attack with different programming or scripting languages:
If the attacker has the ability to manipulate queries which are sent to the database, then they're able to inject a terminating character too. The aftermath is that the interpretation of the query will be stopped at the
SELECT body FROM items WHERE id = $ID limit 1;
Let's assume that the attacker has sent, via the GET method, the following data, which ends up in the variable $ID:
"1 or 1=1; #"
In the end the final query form is:
SELECT body FROM items WHERE id = 1 or 1=1; # limit 1;
Everything after the # character will be discarded by the database, including limit 1, so only the column body, with all of its records, will be received as the query response.
Sequences that may be used to comment queries:
- MS SQL:
- MS Access:
To comment out some parts of the queries, the attacker may use the standard sequences typical for a given language, or terminate the queries using their own methods, limited only by their imagination. An interesting example is the null byte method used to comment out everything after the current query in MS Access databases. More information about this can be found in Embedding Null Code.
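The SQL case above, worked through as an added example (this is not code from the OWASP page): the same request value is pasted into the query text the way the page shows, and then passed as a bound parameter instead. The database is an in-memory SQLite table named items that I construct here; SQLite's line comment is -- rather than MySQL's #, so the vulnerable path uses "1 or 1=1 -- " to produce the effect the page describes with #. The page's exact payload is also sent through the parameterized path to show it is compared as plain text. The contains_comment_sequence helper is a logging signal only, not a fix.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the page's "items" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO items (id, body) VALUES (?, ?)",
        [(1, "first"), (2, "second"), (3, "third")],
    )
    return conn


def query_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # The page's pattern: the request parameter becomes part of the SQL text,
    # so a comment sequence in it discards the trailing "limit 1".
    sql = f"SELECT body FROM items WHERE id = {user_id} limit 1"
    return [row[0] for row in conn.execute(sql)]


def query_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    # The value travels as a bound parameter; the engine never re-parses it
    # as SQL, so "--" or "#" inside it is just text compared against id.
    sql = "SELECT body FROM items WHERE id = ? limit 1"
    return [row[0] for row in conn.execute(sql, (user_id,))]


# Comment openers named on the page (MS SQL style, MySQL '#', null byte).
COMMENT_SEQUENCES = re.compile(r"--|#|/\*|\x00")


def contains_comment_sequence(value: str) -> bool:
    # Detection signal for request logs or alerting; parameterization is
    # what actually removes the injection, this only tells you it was tried.
    return COMMENT_SEQUENCES.search(value) is not None


def demo() -> dict:
    conn = make_db()
    benign = "2"
    hostile = "1 or 1=1 -- "      # SQLite's line comment (MySQL also takes '#')
    page_payload = "1 or 1=1; #"  # the page's own value, as a parameter only
    return {
        "benign_vulnerable": query_vulnerable(conn, benign),
        "benign_parameterized": query_parameterized(conn, benign),
        "hostile_vulnerable": query_vulnerable(conn, hostile),
        "hostile_parameterized": query_parameterized(conn, hostile),
        "page_payload_parameterized": query_parameterized(conn, page_payload),
        "flagged": contains_comment_sequence(hostile),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the pasted-in value the "limit 1" is commented away and every body row comes back; with the bound parameter the same strings match no row at all, while the benign id still works in both paths.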
Shell (bash) also has the character #, which terminates
For example (find.php):
<?php $sth = $_GET['what']; system("/usr/bin/find -name '$sth' -type f"); ?>
By requesting /find.php?what=*'%20%23* the attacker will bypass the limitation -type f, and this command:
/usr/bin/find -name '*' -type f
will be changed to:
/usr/bin/find -name '*' #-type f
So the final form of the command is:
/usr/bin/find -name '*'
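The shell case, as an added example that is not from the page or from the find.php script it describes: the command string is assembled the way find.php does it, and shlex.split with comments=True is used to approximate how bash would split the line into words and drop everything after an unquoted # (assumption: for a single-line command like this one the approximation matches bash). Beside it are the two defensive forms: shlex.quote when a shell string truly has to be built, and an argv list with no shell at all, which is the form to prefer.

```python
import shlex
import subprocess

FIND = "/usr/bin/find"


def build_command_vulnerable(what: str) -> str:
    # Mirrors find.php: the request parameter is interpolated into a shell
    # string inside single quotes, so a quote plus '#' breaks out of them.
    return f"{FIND} -name '{what}' -type f"


def build_command_quoted(what: str) -> str:
    # If a shell string must be built, shlex.quote wraps the whole value so
    # the embedded quote and the '#' stay inside one word.
    return f"{FIND} -name {shlex.quote(what)} -type f"


def safe_argv(what: str) -> list:
    # Preferred fix: no shell. Each element reaches find as one argument and
    # '#' has no meaning because nothing ever parses the line.
    return [FIND, "-name", what, "-type", "f"]


def words_as_bash_would_see(command: str) -> list:
    # shlex in POSIX mode with comments=True: quotes are honoured and an
    # unquoted '#' discards the rest of the line, like bash does here.
    return shlex.split(command, comments=True)


def run_safely(what: str, directory: str) -> subprocess.CompletedProcess:
    # The argv form in use (not executed by the demo below).
    return subprocess.run(
        [FIND, directory, "-name", what, "-type", "f"],
        capture_output=True, text=True, check=False,
    )


if __name__ == "__main__":
    hostile = "*' #"  # decoded form of the page's what=*'%20%23 value
    for label, cmd in (
        ("vulnerable", build_command_vulnerable(hostile)),
        ("quoted", build_command_quoted(hostile)),
    ):
        print(f"{label:10s} {cmd!r} -> {words_as_bash_would_see(cmd)}")
    print("argv      ", safe_argv(hostile))
```

For the hostile value the vulnerable string collapses to three words, exactly the page's final command with -type f gone; the quoted string and the argv list keep all five words, with the attacker's text confined to the -name argument where find will simply match no file.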
If there are no restrictions about who is able to insert comments, then using the start comment tags it's possible to comment out the rest of the displayed content on the website (invisible.php):
<?php print "hello!: "; print $_GET['user']; print " Welcome friend!"; ?>
The result will be:
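The HTML case, as an added example that is not from the page or from invisible.php: the two print statements are reproduced as string concatenation, once raw and once with the value encoded for the HTML text context, and a small check reports whether the trailing greeting would still be visible to a browser. The user value "<!--" is a constructed input; the check assumes browser behaviour for an unclosed comment, which swallows everything to the end of the document.

```python
import html

PREFIX = "hello!: "
SUFFIX = " Welcome friend!"


def render_vulnerable(user: str) -> str:
    # Mirrors invisible.php: the parameter is printed raw between two strings.
    return PREFIX + user + SUFFIX


def render_escaped(user: str) -> str:
    # Output encoding for the HTML text context: '<' becomes '&lt;', so the
    # browser cannot read the value as the start of a comment or a tag.
    return PREFIX + html.escape(user, quote=True) + SUFFIX


def suffix_survives(rendered: str) -> bool:
    # Crude model of what the browser shows: text after a '<!--' with no
    # matching '-->' is part of the comment and is never displayed.
    opener = rendered.find("<!--")
    if opener == -1:
        return True
    closer = rendered.find("-->", opener + 4)
    return closer != -1 and rendered.rfind(SUFFIX) > closer


if __name__ == "__main__":
    for user in ("alice", "<!--"):
        for label, out in (("raw", render_vulnerable(user)),
                           ("escaped", render_escaped(user))):
            print(f"{label:8s} {out!r} visible={suffix_survives(out)}")
```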