3

The SQL Injection on INSERT as described here doesn't seem to work with MySQL. SQL injection on INSERT

When I use this statement:

INSERT INTO COMMENTS VALUES('122','$_GET[value1]');

With this as the 'value1' variable value:

'); DELETE FROM users; --

This error gets returned:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DELETE FROM users; --')' at line 1

What's wrong???

PS: Someone suggested me to do an SQL injection with this as variable value:

',(SELECT group_concat(table_name) FROM information_schema.tables INTO OUTFILE '/var/www/tables.txt'))-- -

But it didn't work either, and returned a syntax error.

Community
  • 1
  • 1
user857123
  • 31
  • 1
  • 3
  • It would be helpful to actually see a printout of the actual SQL. Not just what you think it is. At the very least, the PHP code you're using, since what you've shown should work. – vol7ron Jul 22 '11 at 02:04
  • I tried this PHP code: With this input: sqlinjectiontest.php?value1=');%20DELETE%20FROM%20users;%20-- – user857123 Jul 22 '11 at 02:51
  • put it in your question, not in the comment – vol7ron Jul 22 '11 at 03:10
  • When using arrays in a string, you need to wrap the expression in {} `...'{$_GET[value1]}'...` – τεκ Jul 22 '11 at 12:57

2 Answers2

3

Your injection turns a single SQL statement (INSERT ...) into multiple SQL statements (INSERT ...; DELETE ...).

However, the PHP mysql API does not support multiple statements in a single query. (The underlying MySQL C API must be explicitly instructed to support this functionality, which your bindings do not do.)

pilcrow
  • 56,591
  • 13
  • 94
  • 135
  • So, you are actually writting that you can't do a SQL injection like this without opening the file, edit it and save it again. Something that isn't possible in a real world SQL injection. – user857123 Jul 22 '11 at 03:48
  • I'm sorry, I quite don't understand that comment. The MySQL C API as typically used, and the PHP bindings in particular, will not accept multiple statements in a single query. – pilcrow Jul 22 '11 at 03:51
2

As @pilcrow points out, mysql_query will only accept a single statement. Your example is actually two statements:

INSERT INTO COMMENTS VALUES('122','value');

and:

DELETE FROM users;

The PHP mysql API will reject this immediately, so you can't use that to test SQL injection.

Another problem with the statement is the use of comment characters. The MySQL Comment Syntax states that:

From a “-- ” sequence to the end of the line. In MySQL, the “-- ” (double-dash) comment style requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on). This syntax differs slightly from standard SQL comment syntax, as discussed in Section 1.8.5.5, “'--' as the Start of a Comment”.

So you have to have whitespace after the --. If you use # instead, no following whitespace is required.

A simpler and safer way to begin your SQL injection testing is to try a simple SELECT:

$value = "1' OR 1; -- ";
$sql = "SELECT * FROM mytable WHERE id = '$value'";

print "$sql\n";
// SELECT * FROM mytable WHERE id = '1' OR 1; #'

$result = mysql_query($sql,$con);

// Should return multiple rows (if your table has multiple rows):
while ($row = mysql_fetch_assoc($result)) {
    print "{$row['id']}\n";
}

As the PHP mysql API rejects multiple statements, some of the more commonly used examples of SQL injection won't work, and that's a good thing. However, as you can see from the simple example above, it doesn't prevent other forms on SQL injection.

Think how a statement like this could be affected:

DELETE FROM mytable WHERE id = '1'

Also bear in mind that deleting data is probably not of much use to anyone other than a malicious hacker who just wants to cause disruption. Obtaining confidential data to which you are not supposed to have access, on the other hand, may be very useful.

Mike
  • 21,301
  • 2
  • 42
  • 65