0

I want to make a quick and easy demonstration about how SQL injection work. And I've solved some of my problems. I have a table with random usernames, passwords and emails in, and I'm able to "inject" SQL code to view all of the users in a search with this injection:

' OR '1'='1

This is how my PHP code looks for searching for "members":

if (isset($_POST['search'])) {
    $searchterm = $_POST['searchterm'];
    echo $searchterm . '<br>';

    /* SQL query for searching in database */
    $sql = "SELECT username, email FROM Members where username = '$searchterm'";
    if ($stmt = $conn->prepare($sql)) {
        /* Execute statement */
        $stmt->execute();

        /* Bind result variables */
        $stmt->bind_result($name, $email);

        /* Fetch values */
        while ($stmt->fetch()) {
            echo "Username: " . $name . " E-mail: " . $email . "<br>";
        }
    } 
    else {
        die($conn->error);
    }
}

Now I want to demonstrate some more fatal problems, like someone truncating your whole table. So I tried this code in the search bar:

'; TRUNCATE TABLE Members; --

But I get this error message:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'TRUNCATE TABLE Members; -- '' at line 1

It seems like I get an extra ', but I don't know how to get rid of it, though the -- would comment that out. First I thought that the problem was that I had no whitespace behind the -- but adding a whitespace didn't make any difference.

I have tried switching to PDO, because I thought there was a problem with mysqli not accepting multiple queries, but then I somewhere read that PDO doesn't support that either, but I don't know.

Is there a way I can make it work?

I later found that PDO supports multi-querying by default, but when I tried it it didn't work. Maybe I bound the parameters wrong. But I couldn't even make a simple select query to work.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Addeuz
  • 35
  • 8
  • Something like `$searchterm = "' union select password, username from admins--";` should get you the passwords of the admins... if there is an `admins` table. I think if you turn off emulation on PDO it will not allow multiple queries. – user3783243 Jan 20 '19 at 17:28
  • [Is an SQL injection actually possible by adding a second query?](https://stackoverflow.com/questions/19666488/is-an-sql-injection-actually-possible-by-adding-a-second-query) – Dharman Jan 20 '19 at 17:33
  • https://stackoverflow.com/a/7414582/1839439 – Dharman Jan 20 '19 at 17:35

2 Answers2

2

mysqli_query() does not support multi-query by default. It has a separate function for that: mysqli_multi_query().

SQL injection is not only about running multiple statements, the famous XKCD cartoon notwithstanding.

Your code has a bad SQL injection vulnerability. Do you think that using prepare() somehow makes a query safe, even though you interpolate content from your $_POST request data directly into the SQL string?

Your code is this:

$searchterm = $_POST['searchterm'];

$sql = "SELECT username, email FROM Members where username = '$searchterm'";
if ($stmt = $conn->prepare($sql)) {
    /* execute statement */
    $stmt->execute();
    ...

It's easy for unsafe input to make SQL injection mischief this way. It might even be innocent, but still result in problems. Suppose for example the search is: O'Reilly. Copying that value directly into your SQL would result in a query like this:

SELECT username, email FROM Members where username = 'O'Reilly'

See the mismatched ' quotes? This won't do anything malicious, but it'll just cause the query to fail, because unbalanced quotes create a syntax error.

Using prepare() doesn't fix accidental syntax errors, nor does it protect against copying malicious content that modifies the query syntax.

To protect against both accidental and malicious SQL injection, you should use bound parameters like this:

$searchterm = $_POST['searchterm'];

$sql = "SELECT username, email FROM Members where username = ?";
if ($stmt = $conn->prepare($sql)) {
    $stmt->bind_param('s', $searchterm);
    /* execute statement */
    $stmt->execute();
    ...

Bound parameters are not copied into the SQL query. They are sent to the database server separately, and never combined with the query until after it has been parsed, and therefore it can't cause problems with the syntax.

As for your question about mysqli::query(), you may use that if your SQL query needs no bound parameters.

Re your comment:

... vulnerable to injection, so I can show the students how much harm a malicious attack may [do].

Here's an example:

A few years ago I was an SQL trainer, and during one of my trainings at a company I was talking about SQL injection. One of the attendees said, "ok, show me an SQL injection attack." He handed me his laptop. The browser was open to a login screen for his site (it was just his testing site, not the real production site). The login form was simple with just fields for username and password.

enter image description here

I had never seen his code that handles the login form, but I assumed the form was handled by some code like most insecure websites are:

$user = $_POST['user'];
$password = $_POST['password'];

$sql = "SELECT * FROM accounts WHERE user = '$user' AND password = '$password'";
// execute this query.
// if it returns more than zero rows, then the user and password
// entered into the form match an account's credentials, and the
// client should be logged in.

(This was my educated guess at his code, I had still not seen the code.)

It took me 5 seconds to think about the logic, and I typed a boolean expression into the login form for the username, and for the password, I typed random garbage characters.

I was then logged into his account — without knowing or even attempting to guess his password.

I won't give the exact boolean expression I used, but if you understand basic boolean operator precedence covered in any Discrete Math class, you should be able to figure it out.

Bill Karwin
  • 538,548
  • 86
  • 673
  • 828
  • I read something about mysqli::multi_query() but I thought that defeat the whole purpose I thought. I'm doing this demonstration for students who have basic knowledge in PHP and it would feel weird to say something like: If you want to protect yourself from sql injection just don't use multi_query(). Also I'm not even using mysqli::query() I just now recognised is that something I should do? – Addeuz Jan 20 '19 at 17:34
  • Okay, thank you now I understand how to make it more secure. I'm sorry if my question was unclear but what I want is for it to be vulnerable to injection, so I can show the students how much harm a malicious attack may harm. What's the most insecure way of doing this? Doing multiple queries from the searchterm variable.. – Addeuz Jan 20 '19 at 18:30
0

Did you try something like this ?

'(here put something);

in this way you are going to close the query with ' and add other stuff to it, when you add ; everything else is going to be discarded

Jacopo Vendramin
  • 49
  • 4