avi24k Posted August 5, 2015 Share Posted August 5, 2015 Hi All, I am testing a 2-tier thick client application which has a file upload functionality. The files are uploaded directly to the database, without any checks on the content and filetype. The database (mssql in this case) parses the file and present it back to the application viewer. Is there's any way I can abuse this functionality? Thanks. Regards, Avi Quote Link to comment Share on other sites More sharing options...
digininja Posted August 5, 2015 Share Posted August 5, 2015 Depends on a lot of things. What you mean by the database parsing it? What langauge is it written in? If interpreted then does it get passed through the interpreter before being rendered? Is it displayed in a browser, if so can you send HTML that gets rendered? Quote Link to comment Share on other sites More sharing options...
avi24k Posted August 5, 2015 Author Share Posted August 5, 2015 Hi, thanks for your reply. By parsing I meant the database interpret the text () in the file (.txt, .xml, xls) and puts into a table. This table is also view-able using the application (thick-client, non-http). The application itself is written in Delphi and communicates with the database directly (using connection string). Quote Link to comment Share on other sites More sharing options...
digininja Posted August 5, 2015 Share Posted August 5, 2015 Sounds that it is unlikely there is any direct vulnerability unless you can find a vulnerability in whatever is used to parse the files when the come out of the database and into the table. How good are you at parser fuzzing? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.