
I am using NodeJS with mysql to work with a SQL database.

For a school example I want to simulate SQL injection.

I wrote code with a possible SQL injection:

const mysql = require('mysql')

// settings, res and this._sendSucc come from the surrounding request handler
const connection = mysql.createConnection({
    host: settings.DB_MYSQL_HOST,
    user: settings.DB_MYSQL_USER,
    password: settings.DB_MYSQL_PSW,
    database: settings.DB_MYSQL_DB,
})

// the "injected" value is concatenated straight into the query string
let sql = 'DROP TABLE user;'
connection.query('DELETE FROM todos WHERE id = \'' + sql + '\'', (error) => {
    if (error) {
        res.json({ res: error })
        console.log('SQL ERROR')
        console.log(error)
        throw error
    }
    this._sendSucc(res)
})

But the SQL injection is not working. I want to attack the table named 'user'.

Where is the problem? I am not using a prepared statement.

Can you give me an example with SQL injection?

nope123

2 Answers


You have to change the update statement so that it becomes two working statements. This should do the trick:

let sql = '\';DROP TABLE user;-- '

It closes the quote, adds the payload, and comments out the rest of the line using -- and a space.

However, as it turns out in Stacking queries in node.js mysql, node.js-mysql is protected against having more than one query in an sql statement. The most damage you can do is to modify the delete statement to delete all rows of the table.

let sql = '\' OR 1=1 -- '

Or you can switch on multiple statements, which seems like cheating:

const connection = mysql.createConnection({
    host: settings.DB_MYSQL_HOST,
    user: settings.DB_MYSQL_USER,
    password: settings.DB_MYSQL_PSW,
    database: settings.DB_MYSQL_DB,
    multipleStatements: true,
})
Adder
  • I am getting a sql error `{ Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''';DROP TABLE user;--''' at line 1` but db is still 'full' – nope123 Feb 08 '18 at 12:55
  • Try again with a space after the -- – Adder Feb 08 '18 at 12:56

You are not "injecting" at all. All you do is, instead of providing an id for your DELETE statement, provide the string DROP TABLE user;. Your final statement (the one MySQL will see) looks like this:

DELETE FROM todos WHERE id = 'DROP TABLE user;'

What happens (assuming id is of type integer or something similar) is that MySQL implicitly converts the string to a number. Since there's no number at the beginning of the text, the result is 0. The statement MySQL eventually executes is

DELETE FROM todos WHERE id = '0'

What you want to achieve with an SQL injection, though, is to have two statements. So first you finish the statement MySQL expects, then you add your own statement. The statement(s) you want MySQL to execute are something like

DELETE FROM todos WHERE id = 'foo'; DROP TABLE user;

So your string needs to look like

let sql = "foo'; DROP TABLE user;-- "

The final -- is added to comment out the trailing ' and whatever else might follow.

fancyPants
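The following is an added example, not code from the question or from either answer. It builds the exact SQL string the question's concatenation produces for each payload that the two answers discuss (the bare DROP TABLE value, the stacked '; DROP TABLE user;-- payload, and the ' OR 1=1 -- tautology), counts how many statements MySQL would see so it is clear which one hits the single-statement limit, approximates the string-to-number coercion the second answer describes, and contrasts the parameterised form. All function names are mine, and escapeLiteral() is a simplified stand-in for the mysql driver's own escaping; in real code bind values with ? placeholders and let the driver escape them.

```javascript
// Added example: what MySQL sees for each payload from the thread, and why
// only the tautology survives without multipleStatements. Names are mine.

// The question's concatenation, unchanged: the value lands inside '...'.
function buildVulnerableQuery(id) {
  return "DELETE FROM todos WHERE id = '" + id + "'";
}

// Simplified backslash escaping for a string literal. Assumption: the real
// mysql driver also escapes NUL, \b, \t, \n, \r and \x1a; quotes matter here.
function escapeLiteral(value) {
  return "'" + String(value).replace(/[\\'"]/g, (c) => '\\' + c) + "'";
}

// Parameterised form: a '?' placeholder filled with an escaped literal, so the
// value can never close the quote or start a second statement.
function buildSafeQuery(id) {
  return 'DELETE FROM todos WHERE id = ?'.replace('?', escapeLiteral(id));
}

// Number of statements MySQL would see: ';' separates statements only outside
// quoted literals, and everything after a '-- ' comment marker is ignored.
// Without multipleStatements: true the server rejects a count above 1, which
// is the ER_PARSE_ERROR quoted in the comment thread.
function countStatements(sql) {
  let count = 0;
  let quote = null;    // the quote character we are currently inside, or null
  let pending = false; // non-blank text seen since the last ';'
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (quote) {
      if (c === '\\') { i++; continue; }      // skip the escaped character
      if (c === quote) quote = null;
      continue;
    }
    if (c === "'" || c === '"') { quote = c; pending = true; continue; }
    if (c === '-' && sql[i + 1] === '-' && /\s/.test(sql[i + 2] || ' ')) break;
    if (c === ';') { if (pending) count++; pending = false; continue; }
    if (!/\s/.test(c)) pending = true;
  }
  return pending ? count + 1 : count;
}

// Approximates MySQL's string-to-number coercion when a string literal is
// compared with an integer column: the leading numeric prefix counts, and a
// string with no numeric prefix becomes 0 (with a warning, not an error).
function mysqlNumericValue(str) {
  const m = /^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?/.exec(str);
  return m ? Number(m[0]) : 0;
}

// Summarises what a payload does to the vulnerable query.
function analyse(payload) {
  const sql = buildVulnerableQuery(payload);
  return { sql, statements: countStatements(sql) };
}

// Constructed payloads, taken from the question and the two answers.
const PAYLOADS = {
  literal:   'DROP TABLE user;',        // the question: stays inside the quotes
  stacked:   "'; DROP TABLE user;-- ",  // both answers: needs multipleStatements
  tautology: "' OR 1=1 -- ",            // first answer: one statement, deletes all rows
};

function demo() {
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    const { sql, statements } = analyse(payload);
    console.log(`${name.padEnd(9)} statements=${statements}  ${sql}`);
  }
  console.log('literal payload compares as id =', mysqlNumericValue(PAYLOADS.literal));
  console.log('safe      ' + buildSafeQuery(PAYLOADS.stacked));
}

demo();
```

Running it shows the literal payload producing one statement with the whole DROP inside the quotes (compared as id = 0), the stacked payload producing two statements (rejected unless multipleStatements is on), the tautology producing a single statement that matches every row, and the parameterised form keeping even the stacked payload inside one quoted literal.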