
This is a follow-up to this question: Is PHP's addslashes vulnerable to sql injection attack? (thanks to everyone that replied over there).

Same scenario, but I have this code (in another page):

    $ID = $_GET['id'];                            // untrusted user input, used as-is
    $sql = "SELECT * FROM blog WHERE id='$ID'";   // spliced straight into the SQL text, no escaping
    $result = mysql_query($sql);

This should be easy enough to exploit, right?

If I remember correctly I CANNOT run a second query inside mysql_query() but I should be able to do some other malicious stuff, right? Would love to be able to insert a user into the admin table or change a password or something, but I assume I wouldn't be able to do anything other than touch the blog table. Is that correct? Any suggestions on how I can play around and tweak something to prove that there are concerns?

k10
  • Please avoid extraneous references to other questions. – jsalonen Dec 01 '11 at 11:58
  • @Marco - "mysql_query() sends a unique query (multiple queries are not supported)" (source: http://php.net/manual/en/function.mysql-query.php) – Steve Rukuts Dec 01 '11 at 11:59
  • Some (93!) interesting slides on [Advanced SQL Injection](http://www.slideshare.net/amiable_indian/advanced-sql-injection) on Slideshare. – Cylindric Dec 01 '11 at 12:06
  • This question smells. We have no proof that it is actually a security audit (performed by someone who has no idea about security at all). – Your Common Sense Dec 01 '11 at 12:57
  • @col - That's the exact reason I am here asking you guys. I haven't done a security audit before, though I have done web development, and I have a client that has asked me to update their site with best practices. Their request was that I show them a vulnerability. I did a bunch of Google research but was unable to come up with anything that would prove my point. You guys gave me enough to do what I needed to do though, and I appreciate that. – k10 Dec 01 '11 at 13:04

2 Answers

6

It's called UNION and allows you to pull from extra tables by using a second query.

I'm guessing something like 1' UNION ALL SELECT username title, password body FROM users WHERE '1'='1 would work. (pulls from the users table and maps the username and password values to their blog "equivalents").

Tom van der Woerdt
  • UNION definitely helped. I was unsure of the construct in this scenario, but I appreciate the nudge in the right direction. – k10 Dec 01 '11 at 13:04
-2

I don't think anyone would think you're trying to hack someone - this is a legitimate question.

You can't run a second query here, but you could do something malicious. For example if the query were an authentication query like so:

    SELECT * FROM `users` WHERE `username` = '$username' AND `password` = '$password';

You could quite easily log in with ' OR 1 = 1 and gain access to the website.

Also, if the query was a DELETE or UPDATE query you could probably manipulate it to run without a WHERE clause.

Steve Rukuts
    Actually, you can run a second query. – Tom van der Woerdt Dec 01 '11 at 11:58
  • "mysql_query() sends a unique query (multiple queries are not supported)" (source: http://php.net/manual/en/function.mysql-query.php). If that's wrong, forgive me for going by what the PHP manual says. – Steve Rukuts Dec 01 '11 at 12:00
  • You can use `UNION` - it's a SQL thing that allows you to execute multiple queries. – Tom van der Woerdt Dec 01 '11 at 12:03
  • Ah, I didn't realise you counted that as a second query. I was talking about the classic SQL injection attack which most libraries make redundant now, in which you log in to a site with `'; DROP TABLE users; --` – Steve Rukuts Dec 01 '11 at 12:05
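As an added example (not code from the question or from either answer), the following script puts the two vulnerable query builders discussed above next to hardened versions built on prepared statements. It assumes a mysqli connection with placeholder credentials, a `blog` table with an integer `id` column, a `users` table with `username` and `password_hash` columns, and the mysqlnd driver so that `get_result()` is available; the table layout and column names are assumptions, not taken from the page.

```php
<?php
// Added example, not code from the original question or answers.
// Assumptions: a mysqli connection $db (placeholder credentials), a `blog`
// table with an integer `id` column, a `users` table with `username` and
// `password_hash` columns, and the mysqlnd driver for get_result().

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// The two vulnerable query builders from the page: input is spliced into
// the SQL text, so a quote in the input ends the string literal and
// everything after it is parsed as SQL syntax.
function vulnerableBlogQuery(string $id): string
{
    return "SELECT * FROM blog WHERE id='$id'";
}

function vulnerableLoginQuery(string $username, string $password): string
{
    return "SELECT * FROM `users` WHERE `username` = '$username' AND `password` = '$password'";
}

// Hardened blog lookup: validate the id as an integer, then bind it as a
// parameter so the server receives the query structure and the value
// separately; the value can never change the query's shape.
function fetchBlogPost(mysqli $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null;                      // not a bare number: reject before any SQL runs
    }
    $id = (int) $rawId;
    $stmt = $db->prepare("SELECT * FROM blog WHERE id = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Hardened login: only the username reaches SQL, and only as a bound value;
// the password is checked in PHP against a stored hash, so neither input can
// rewrite the WHERE clause and plaintext passwords never appear in a query.
function authenticate(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare("SELECT password_hash FROM users WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null) {
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// The payloads quoted in the answers above, used here only to show how the
// vulnerable builders change the query text.
$unionPayload = "1' UNION ALL SELECT username title, password body FROM users WHERE '1'='1";
$loginPayload = "' OR 1 = 1";

echo vulnerableBlogQuery("42"), "\n";            // the intended single SELECT
echo vulnerableBlogQuery($unionPayload), "\n";   // now two SELECTs joined by UNION ALL
echo vulnerableLoginQuery("alice", $loginPayload), "\n";

// The hardened functions treat the same strings as plain data.
$db = new mysqli("localhost", "user", "password", "site"); // placeholder credentials
var_dump(fetchBlogPost($db, $unionPayload));        // rejected by the integer check, no SQL runs
var_dump(fetchBlogPost($db, "42"));                 // looks up id 42 as a bound integer
var_dump(authenticate($db, "alice", $loginPayload)); // the payload is compared as a password, nothing more
```

The point of the hardened functions is that the database parses the statement before it ever sees the user-supplied values, so a quote, a `UNION` or an `OR 1 = 1` inside the value has no syntactic effect; this is the general fix the thread is circling around, and it also removes the need for `addslashes` or `mysql_real_escape_string`, which only try to neutralise characters after the fact.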