
If there are two SQL statements in the same request handler, as below:

select count(*) from user where id={$id};
select * from user where id={$id};

As the parameter 'id' is not filtered, it's possible to do a SQL injection. However, as the two SQL statements return different numbers of columns, it would always return the SQL error 'The used SELECT statements have a different number of columns' when trying to use UNION.

Is it possible to do a successful SQL injection in this case?

bydsky
  • erm, would that matter if `$id` was `"1; DELETE user;"` – Jodrell May 28 '14 at 10:33
  • @Jodrell Stacked queries are not supported. – bydsky May 28 '14 at 10:34
  • 2
    I don't understand why people keep asking whether X construct or Y construct will allow them to continue performing string concatenation and avoid SQL injection. The right solution is to use parameters. This has been known for a long time, and practically any modern combination of language, libraries and databases allow you to use them. – Damien_The_Unbeliever May 28 '14 at 10:42
  • You can use the boolean-based technique. But does the second not get executed when the first failed? – Gumbo May 28 '14 at 10:42
  • @Damien_The_Unbeliever He is looking for a way to exploit it and not to prevent it. – Gumbo May 28 '14 at 10:43
  • @Gumbo - without more context, it's difficult to be sure of that. This may be a "if the internet tells me that this is unhackable, I'll do this in my code" kind of question. – Damien_The_Unbeliever May 28 '14 at 10:45
  • @Gumbo When the first failed, it directly returns the sql exception... – bydsky May 28 '14 at 11:33
  • @Damien_The_Unbeliever We bought a system, and it has this problem, so I want to know if this would cause a real problem, then I can ask them to fix it. – bydsky May 28 '14 at 11:34
  • 1
    If you bought a car with broken door lock you can ALWAYS return it, no matter if keep something valuable inside or not. User input into query IS a broken lock. – Your Common Sense May 28 '14 at 11:54

1 Answer

SQL injection is not the question of whether it can be successfully exploited but whether the intention of an SQL command can be modified. And this is definitely the case here.

As for the exploitability, you can use the boolean-based technique:

123 AND EXISTS (SELECT 1 FROM mysql.user WHERE user='root' AND password LIKE '*235FBD5A943%')

So the whole WHERE condition is true only if root's password hash begins with *235FBD5A943. With this boolean-based technique (an additional condition that is either true or false) you are able to read any accessible information using appropriate string functions.

Gumbo
  • I respect you for your knowledge but I hate you for this kind of help-script-kiddies-to-crack answers. – Your Common Sense May 28 '14 at 11:50
  • @YourCommonSense So what answer would you expect here? Like "yes, it is exploitable but I won’t tell you how"? Or would you just vote it to be closed as off-topic because you are afraid to tell people how to exploit it? – Gumbo May 28 '14 at 11:52
  • Yes, I am afraid to help script-kiddies. To make their tricks THAT easy. Let them at least learn SQL, if they want to crack. This especially applies to the SQL injection area, as one doesn't need to know any particular injection technique to protect against it. – Your Common Sense May 28 '14 at 11:56
  • @YourCommonSense This vulnerability can surely be detected and exploited by sqlmap as well. Its exploitation is not that sophisticated that I would have revealed any advanced hacking techniques. – Gumbo May 28 '14 at 12:00
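To make the point of both the question and the answer concrete, here is an added example (not code from the question, the answer, or the system the asker bought) that reproduces the handler's first query, `select count(*) from user where id={$id}`, against an in-memory SQLite database. It shows that the answer's boolean-based condition turns the row count into a one-bit oracle even though UNION is blocked by the column-count mismatch, and that the parameterized version of the same query is not affected. The tables `user` and `secret`, the sample rows, and the hash prefix are constructed for the demo; `secret` stands in for the `mysql.user` table named in the answer, since SQLite has no such table.

```python
import sqlite3

# Constructed sample data: a 'user' table like the one in the question, and a
# 'secret' table standing in for mysql.user (hypothetical, for the demo only).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE secret (k TEXT, v TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", [(123, "alice"), (124, "bob")])
    conn.execute("INSERT INTO secret VALUES ('root', '*235FBD5A943DEMOHASH')")
    return conn

def count_vulnerable(conn, id_param):
    # Mirrors the page's handler: the parameter is concatenated, not bound.
    sql = f"select count(*) from user where id={id_param}"
    return conn.execute(sql).fetchone()[0]

def count_parameterized(conn, id_param):
    # The fix: the same query with a bound parameter. Whatever the string
    # contains, it is compared as a single value against the id column.
    sql = "select count(*) from user where id=?"
    return conn.execute(sql, (id_param,)).fetchone()[0]

# The answer's payload shape: a valid id followed by an extra boolean condition.
# Only the LIKE prefix differs between the two probes.
TRUE_PROBE = "123 AND EXISTS (SELECT 1 FROM secret WHERE k='root' AND v LIKE '*235FBD5A943%')"
FALSE_PROBE = "123 AND EXISTS (SELECT 1 FROM secret WHERE k='root' AND v LIKE '*000000000%')"

def leaks_one_bit(conn, query_fn):
    # A condition-dependent difference in the count is the oracle the answer
    # describes; a handler is safe when both probes behave like an invalid id.
    return query_fn(conn, TRUE_PROBE) != query_fn(conn, FALSE_PROBE)

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable handler leaks a bit:", leaks_one_bit(conn, count_vulnerable))
    print("parameterized handler leaks a bit:", leaks_one_bit(conn, count_parameterized))
```

The vulnerable handler returns 1 for the true probe and 0 for the false one, so the application's behaviour (a row versus no row, or an exception on the follow-up query) reveals whether the guessed prefix is right, exactly as the answer states. With the bound parameter both probes are just an id value that matches nothing, so the count is 0 either way and no information about `secret` reaches the caller.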