-2

In a local XAMPP server which I set up for development, I have a table like so:

CREATE TABLE `entries`
(
  `id` int(10) UNSIGNED NOT NULL,
  `title` varchar(100) NOT NULL,
  `entry` text NOT NULL,
  `date_entered` datetime NOT NULL
)

In order to learn how to secure my queries against SQL injections, I want to induce one (I am intentionally not using prepared statements). I have a query to insert an entry in this table like so:

$sql = 'insert into entries ( title , entry , date_entered ) '
    . 'values("'
    . $postTitle
    . '","'
    . $postEntry
    . '","'
    . $dateEntered
    . '")';

It works (it does insert entries in the table), but I failed to induce an SQL injection attack against it. Here is what I tried to insert in the $postEntry field:

;drop table entries;
;drop table entries;'
';drop table entries;'
`;drop table entries;'
q';drop table entries;
q","e");drop table entries; --'
q","e");drop table entries;--

For the last value the SQL query became:

insert into entries ( title , entry , date_entered ) values("r","q","e");drop table entries;--","2016-08-18 10:35:36")

Still the entries table is intact!

I modified the SQL string to use single quotes like so:

$sql = 'insert into entries ( title , entry , date_entered ) '
    . ' values(\''
    . $postTitle
    . '\',\''
    . $postEntry
    . '\',\''
    . $dateEntered
    . '\')';

Then tried:

q','2016-5-5');drop table entries; --'

But still no luck! How should I produce an SQL injection attack then? Note: the proposed duplicate is not a duplicate and not even an answer. The whole point of this question is to demo the exploit so that I can make sure the security measures are working.

EKanadily
  • Try a sub-query instead of multiple comma separated. – oshell Aug 18 '16 at 11:30
  • mysqli_multi_query() to execute multiple queries separated by a semicolon (;). – JYoThI Aug 18 '16 at 11:31
  • In order to learn how to secure your queries against SQL injections, you have to learn how to secure your queries. While whatever injection stuff is totally irrelevant to protection. – Your Common Sense Aug 18 '16 at 12:37
  • @Your-Common-Sense: in order to make sure that I am in the right direction I need to demonstrate that the (previously) exploitable code is now safe!! That is the point of the question. It is sad that some people do not get that. – EKanadily Aug 18 '16 at 13:11
  • @Your-Common-Sense downvoted and labeled this question duplicate in order to promote his own question. – EKanadily Aug 20 '16 at 16:04

3 Answers

1

MySQL does not allow multiple statements in one query. That is why the DROP statements are ignored.

Use mysqli_multi_query() for multiple queries.

You could still use other injections here.

Try using

http://sqlmap.org/

to check the vulnerability of your code.

Cagy79
1

You can probably insert more than a single value and spam the table, but like someone said, you can't run multiple statements in a single query.

So for example, you could spam the table by appending masses of additional submissions from a single post. You will need to work on this, but at a guess you could try setting $postEntry to be:

poo','2016-5-6'),('poo','poooo','2016-5-5'),('poo','poooo

The idea being that the start of the $postEntry string first ends the original query correctly, then appends additional values and then ends at the point where the original query was going to enclose a single quote around the value of $postEntry. You would need to set $postEntry to be exactly what I've typed... I think... :)

Watts Epherson
1

I wasn't going to add any more to my answer as I didn't want you to think I was a hacker :| but I guess, to help you understand how a hacker might abuse your code, I can show you another way.

For example, let's say I wanted to understand more about the system and how I could (potentially) reveal passwords, card data etc., plus we are assuming I'd already found a weak point like the one you've created.

The basic premise is that I've found a weak point in a blog post screen, and anything I post is a post I own or can see on the website after posting.

As a result, I can pretty much use the postEntry field as an output for showing the result of any SQL queries by manipulating the value of postTitle.

NOTE: I may have missed a single quote or something somewhere because I'm just typing this on the fly based on what I know could work so you'd need to mess with the theory slightly. I'm pretty sure though my code example could be copied and pasted.

Step 1). Reveal a list of the tables available to query. Set $postTitle (not entry) as follows:

poo',(SELECT GROUP_CONCAT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES),'2016-5-5'),('poo

After submitting that (and assuming you are taking me to a page showing me my post), the main post area should contain a comma-separated list of tables from the database.

Step 2). Clean up. Copy the list and instantly delete my post to decrease the alert status for anyone watching.

Step 3). Get table column names. Use exactly the same method to create a SELECT statement that fetches all COLUMN names from a specific table, the names of which I now know. I get a post that contains a comma-separated list of columns for that table.

Step 4). Clean up again.

Step 5). You can probably see where this is heading now. So now I can pretty much select any data I want from any table by running a select statement and viewing the output on my post.

Watts Epherson