
The following is a textbook SQL injection example:

SELECT id FROM table WHERE username = '$username' AND password = '$password'

If your site doesn't protect against SQL injection, you can simply send in `password = anything' OR 'x'='x` as the input and log in without a password. Easy.

An attacker can also pass in `'; DROP TABLE table;` to drop the table from the DB. And of course, if the SQL connection does have DROP permission then it will not work. Also, attackers probably want to get more benefit by doing something other than simply dropping your table.

So the question is: can attackers carry out attacks that do an UPDATE on the table, get the structure of all tables, or list tables or DBs by only attacking this vulnerability?

P.S.: Not that I want to use it to attack people, but I am kinda curious what could happen at worst to my DB.

Shih-Min Lee

1 Answer


Potentially, sure. If you can inject a DROP TABLE table; into the SQL statement that is executed, you could just as easily inject an UPDATE statement that modified whatever rows of whatever tables you'd like. You can also frequently add or modify a SELECT statement to show you information that you're interested in. For example, if you have a query like

select name
  from people
 where person_id = '$person'

you could inject something like

anything' union all select table_name from information_schema.tables

to produce a statement like

select name
  from people
 where person_id = 'anything'
union all
select table_name
  from information_schema.tables

to show you all the tables. You can do the same sort of thing to get a list of columns in the tables and then start running queries to see what data is in the various tables.

Justin Cave
  • Got it. But in most cases it won't return the query results to you. Like, the query is maybe just a medium step toward login, so you're logged in when the injection is successful. Also, DROP TABLE is like: when you know the site stops working, then you know the injection works. So can they still, say, query the entire DB information this way? – Shih-Min Lee Sep 05 '15 at 13:06
  • @Shih-MinLee - I'm not sure I understand the question. Most pages run at least one query that shows information to the user. If you can inject any of those pages, you can realistically get any information out of the database that the application has access to. It may be a bit more cumbersome than if you could just log in to the database and write arbitrary queries. But you can get the list of tables and columns and then start running queries to extract whatever information you want. – Justin Cave Sep 05 '15 at 13:09
  • For many use cases the query is one intermediate step toward later pages. Take login for example: the process is query for a match => log you in and redirect you when the profile is found; the server will give you a 401 or 500 status when the credentials are incorrect. In both cases you won't see the intermediate query results..? – Shih-Min Lee Sep 06 '15 at 03:15
  • Where did the closing `'` from the original statement go? – Gumbo Sep 06 '15 at 06:15
  • @Shih-MinLee - Of course, there exist queries that you wouldn't inject to extract data. You'd inject the login query to let you log in without an account or to change the password of an admin account or to add a new admin account. You'd inject other queries (those that return data) in the system to extract data from the system. Of course, even intermediate steps often leak information. If you induce an error, the error message and error stack often give you clues about what database is being used, the application stack, etc. – Justin Cave Sep 06 '15 at 18:10
  • Got it. So if the website has many endpoints doing SQL queries or updates, then it seems really easy that you have at least 1 vulnerability in your site, so people can attack you then.. – Shih-Min Lee Sep 07 '15 at 01:45
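To make the question's textbook query and the answer's point concrete, here is an added example that is not part of the original question or answer. It uses Python's standard `sqlite3` module with a constructed in-memory `users` table, builds the login query both ways (string interpolation, as in the question, and with bound parameters), and feeds each the exact `anything' OR 'x'='x` password from the question. The function and table names are assumptions for this illustration.

```python
import sqlite3

# Constructed sample users (not from the original post).
USERS = [("alice", "correct horse"), ("bob", "hunter2")]

# The password payload quoted in the question: it closes the string literal
# and appends a condition that is true for every row.
BYPASS_PASSWORD = "anything' OR 'x'='x"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """The textbook query from the question, assembled by string interpolation.

    User input becomes part of the SQL text, so the quote characters in the
    input are parsed as SQL. Returns the matched user id, or None.
    """
    sql = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """The same query with bound parameters.

    The driver sends the input as data, never as SQL text, so a quote in the
    password is just a character to compare against. Returns the user id or None.
    """
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both versions against a valid credential and against the bypass payload."""
    conn = make_db()
    return {
        "vuln_valid": vulnerable_login(conn, "alice", "correct horse"),
        "vuln_bypass": vulnerable_login(conn, "alice", BYPASS_PASSWORD),
        "safe_valid": safe_login(conn, "alice", "correct horse"),
        "safe_bypass": safe_login(conn, "alice", BYPASS_PASSWORD),
    }


if __name__ == "__main__":
    for name, user_id in demo().items():
        print(f"{name}: {'logged in as id ' + str(user_id) if user_id else 'rejected'}")
```

With the interpolated query, the bypass password yields `... AND password = 'anything' OR 'x'='x`; because `AND` binds tighter than `OR`, the `WHERE` clause is true for every row and the first user is returned. The parameterized version compares the whole string `anything' OR 'x'='x` against the stored password and returns nothing. Bound parameters are the fix for every variant discussed in the thread (the `OR`, `UNION` and stacked-statement forms alike), and the least-privilege point raised in the question still applies on top of that: the application's database account should only hold the permissions its queries actually need.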