
I have the following code in a client supplied block:

$user = $_POST['user'];                                     // untrusted request input, used as-is
$sql = "SELECT * FROM users WHERE user = '" . $user . "'";  // concatenated straight into the SQL text
$dbh->query($sql);                                          // executed; the result is never echoed

Also, this code doesn't echo anything out to the screen currently, so it doesn't help me if I select multiple users. That doesn't visually show the client anything.

It's obvious to me that this is prone to injection, but I can't find a way to show the client how this would work. I tried dropping the table, but the ->query() seems to only allow one statement at a time.

Here's what I've tried so far: `' OR 1=1; DROP TABLE users; SELECT * FROM users WHERE 1='1` but that doesn't work.

kylex
  • Yes, your SQL can be injected as well as forced to echo/dump information. Thanks for listing *What I have tried so far*, but if that's the only thing you did to test, I promise it is not enough. – PenguinCoder Jun 27 '12 at 20:42
  • 2
    Without being allowed 2 queries in 1 string, it's hard to turn a `SELECT` into an altering query, except maybe for a `PROCEDURE` call at the end, but that would require a relevant `PROCEDURE` to be there. Personally, I find `' OR 1=1 FOR UPDATE UNION SELECT SLEEP(1000000000);` irritating enough (yay! immutable records: if your login also stores a 'last-login' column in the users table, or does any other `UPDATE` to users, all logins will block for the duration of the sleep (or until the query is killed)). – Wrikken Jun 27 '12 at 20:59
  • Hm, @kylex: [it seems to depend on the environment](http://stackoverflow.com/questions/6346674/pdo-support-for-multiple-queries-pdo-mysql-pdo-mysqlnd) – Wrikken Jun 27 '12 at 21:29
  • Add a comment start ( -- ) at the end to prevent syntax errors on the injected query: `' OR 1=1; DROP TABLE users; --` – Sebastián Grignoli May 13 '14 at 14:51

4 Answers


You can inject SLEEP(1000) multiple times to exhaust connections pool. Or you may use very complex expression to raise CPU load.

With lots of derived tables you may even run out of memory.

vearutop

You didn't really do enough to vet your database query. The method (without echoes) in your script is called blind injection, and it is still very possible to achieve takeover or inject.

Try using an automatic SQL injection tool, such as SqlMap. You'll be surprised at the results with your query. You can also try some examples from unixwiz against your query. While those are pretty specific to his target, the overall theory and proof behind it is sound.

PenguinCoder

What about injecting the following:

`' OR 1'`
  • That doesn't really do anything to the database though. I need a way to alter the database, either resetting the user to be blank, or something where I can take a screenshot and say this is what can happen to your data. – kylex Jun 27 '12 at 20:31
  • For someone trying to get access to information they shouldn't be able to see, injecting the above will return all rows. That is yet still dangerous. – dutron_labs Jun 27 '12 at 20:50
  • Except the query doesn't return anything to the screen, so I'm not sure how I could view anything. – kylex Jun 27 '12 at 21:00

Truncate:

`' or 1=1; truncate table users; --`

Drop:

`' or 1=1; drop table users; --`

can be done I think.

esertbas
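The concatenated query from the question next to a prepared-statement version of it, as an added example that is not code from any post on this page. It runs against an in-memory SQLite table (assumes the pdo_sqlite extension is loaded), feeds both versions the `' OR 1=1 --` style input discussed in the comments, and shows that the concatenated query returns every user while the bound parameter returns none.

```php
<?php
// Added example: the question's string concatenation beside a PDO prepared
// statement. An in-memory SQLite database stands in for the client's MySQL so
// the script needs no server (assumes pdo_sqlite is available).
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT NOT NULL)");
$dbh->exec("INSERT INTO users (user) VALUES ('alice'), ('bob'), ('carol')");

// Vulnerable: the value is pasted into the SQL text, so a quote in the input
// closes the string literal and whatever follows it is parsed as SQL.
function findUserConcatenated(PDO $dbh, string $user): array
{
    $sql = "SELECT user FROM users WHERE user = '" . $user . "'";
    return $dbh->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value travels as a bound parameter, never as SQL text, so the
// only thing that can match is a row whose user column equals the whole input.
function findUserPrepared(PDO $dbh, string $user): array
{
    $stmt = $dbh->prepare("SELECT user FROM users WHERE user = ?");
    $stmt->execute([$user]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input in the spirit of the thread's `' OR 1=1` payload. The
// trailing space after -- matters on MySQL, which only treats "-- " followed
// by whitespace as a comment; SQLite accepts -- either way.
$input = "' OR 1=1 -- ";

$leaked = findUserConcatenated($dbh, $input);
$bound  = findUserPrepared($dbh, $input);

printf("concatenated: %d row(s) [%s]\n", count($leaked), implode(', ', $leaked));
printf("prepared:     %d row(s)\n", count($bound));
```

The same `prepare()`/`execute()` pattern applies unchanged to the MySQL PDO driver in the question; the difference is only which rows the two functions return for the same `$_POST['user']` value.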