
I am trying to find a way to merge a select query and an update within the same instruction on a MySQL server. This might sound like a repeated question, but my need is different from my predecessors'.

I am actually looking for a single SQL instruction, as I cannot use transactions or split them in two. The goal is to bypass a security measure that only allows one select query to pass through. This is not for anything illegal; this is for a security class at my university. The goal is to bypass a tailored system, which was specially made vulnerable to SQL injection. I can perform the injections and make any select, log in with injections and so on, but this part with the update was left as a challenge.

I tried everything I could imagine, looking for a way to mix them. I even thought about putting an UPDATE statement in an inner query, but the syntax was obviously wrong.

Any thoughts? If not possible, suggestions on how to attack the target and produce an update are more than welcome.


Here is a long shot, it is obviously wrong, but I thought it might help to understand what I am trying to achieve:

```sql
SELECT *
FROM user
WHERE (name = 'admin') and exists (
UPDATE user
SET pass='test'
WHERE name='peter');-- OR email = 'admin') AND pass = 't'..
```

Target:

```php
$sel1 = mysql_query ("SELECT ID, name, locale, lastlogin, gender
        FROM USERS_TABLE
        WHERE (name = '$user' OR email = '$user') AND pass = '$pass'");
```

Update: I accepted the answer that was closer to a 'not possible'. But further search on the matter led to the conclusion that this was more about the API used for the connector than a DBMS security feature itself; this is actually because of the DBMSs' acceptable uses and syntax.

On the question about a way of embedding an UPDATE statement in a SELECT, I found this to be not possible - at least to the extent of my knowledge.

About the attack, it could be possible to use stacked statements, when the programmer uses an API that allows such a thing - which is rare, but existent. Concluding, the whole thing seems to be hard to accomplish.

Victor
  • you need to include your queries if you want any help at all – pala_ May 01 '15 at 05:38
  • I was more like looking for a syntax.. but I will put an example here in a sec, it might help.. – Victor May 01 '15 at 05:41
  • well you can use a select statement as the source of values for an update statement, in general terms. – pala_ May 01 '15 at 05:42
  • `UPDATE user SET pass='test' WHERE name in (SELECT * FROM user);` – Abhishek Ghosh May 01 '15 at 05:48
  • Unless you can inject another statement, you are limited to the [capabilities of the existing statement](http://stackoverflow.com/a/15732682/53114) you inject into. – Gumbo May 01 '15 at 05:48
  • @AbhishekGhosh I cannot invert, the select part of the statement comes from the application layer. I need to inject code on it. – Victor May 01 '15 at 05:50
  • @Gumbo, unfortunately that seems to be the case here. A single statement can be used. I can, nevertheless, inject several times. – Victor May 01 '15 at 05:53
  • I am thinking, maybe some write and load, that I don't know of. – Victor May 01 '15 at 05:54
  • Then take a look at the corresponding [statement syntax](http://dev.mysql.com/doc/refman/5.6/en/sql-syntax-data-manipulation.html) and the syntax components following the injection point for the possible exploitation capabilities. – Gumbo May 01 '15 at 06:01
  • Still nothing to add. You can’t modify data from a SELECT. – Gumbo May 01 '15 at 08:37

1 Answer

I am not familiar with MySQL, but from my SQL Server experience I can tell you that you cannot combine SELECT and UPDATE statements in a single query.

Moreover - any modern database system should be smart enough to prevent you if you are trying to sneak in a database UPDATE using a SELECT statement and thus circumventing your DB permissions.

I am sure MySQL will not be dumb enough to allow you an update if you are bundling it with a SELECT query - not to say that it is possible.

Thus, in my point of view, you may be chasing a dead end here, which is not allowed/possible.

murtazat
  • Thank you @murtazat, I was afraid of that. The problem is that on the terminal, or interacting through some sort of interface, we are generally able to build transactions and send several statements, of course. I agree with you, and I actually think this might be the case. But people come up with weird ways and functions when bypassing those mechanisms - I thought it would be worth asking. – Victor May 01 '15 at 06:01
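As an added example (not code from the question or the answer), here is the target's lookup written the way the question shows it, next to a parameterized PDO version. The table and column names come from the target; the DSN, credentials and the `$user`/`$pass` values are assumed. The two connection attributes are what keep the "stacked statements" case from the question's update closed: the server parses the statement once with the values kept separate, and a call may contain only one statement.

```php
<?php
// Vulnerable form, same shape as the target in the question: $user and $pass
// are spliced into the SQL text, so a quote or comment marker inside them
// becomes part of the statement's grammar instead of staying data.
function find_user_unsafe(mysqli $db, string $user, string $pass): ?array
{
    $sql = "SELECT ID, name, locale, lastlogin, gender
            FROM USERS_TABLE
            WHERE (name = '$user' OR email = '$user') AND pass = '$pass'";
    // mysqli::query(), like mysql_query(), runs a single statement; only the
    // multi-statement APIs accept several in one call.
    $res = $db->query($sql);
    if ($res === false) {
        return null;
    }
    $row = $res->fetch_assoc();
    return $row ?: null;
}

// Hardened form: the SQL text is fixed before any value is bound, so nothing
// in $user or $pass can change what the statement does. Two placeholders are
// used for the same value because native prepares reject reusing one name.
function find_user_safe(PDO $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare(
        'SELECT ID, name, locale, lastlogin, gender
         FROM USERS_TABLE
         WHERE (name = :u1 OR email = :u2) AND pass = :p'
    );
    $stmt->execute([':u1' => $user, ':u2' => $user, ':p' => $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection settings are assumed. EMULATE_PREPARES=false makes the server
// do the parsing (values travel separately from the statement text), and
// MULTI_STATEMENTS=false refuses "stmt1; stmt2" in one call, which is the
// only way an UPDATE could ride along with this SELECT.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]
);

var_dump(find_user_safe($pdo, $_POST['user'] ?? '', $_POST['pass'] ?? ''));
```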