Security Forums
Crafting MySQL injection exploits

gossi (Just Arrived), Joined: 11 Mar 2004, Posts: 0
Posted: Thu Mar 11, 2004 10:47 pm    Post subject: Crafting MySQL injection exploits

Situation: Got a web application (PHP) that allows, via a parameter it accepts, to insert this into a MySQL query.

The parameter you specify is appended to an already started MySQL query.

Question: Is there any way to terminate the existing query, or exit it gracefully? I want to run a completely different query.
Dunceor (Just Arrived), Joined: 05 Sep 2003, Posts: 4, Location: Sweden
Posted: Thu Mar 11, 2004 10:53 pm

There are a lot of exploits that do SQL injection on the net, find one of those and see what they do to get SQL to do what they want and you will find some answers...
gossi (Just Arrived), Joined: 11 Mar 2004, Posts: 0
Posted: Thu Mar 11, 2004 11:11 pm

Dunceor wrote:
There are a lot of exploits that do SQL injection on the net, find one of those and see what they do to get SQL to do what they want and you will find some answers...

In theory, fine.

In practice - try it.

You'll find tons of documentation on MSSQL injections... But I've yet to find anything decent on MySQL injections. The MS SQL stuff doesn't relate closely enough to be of use. It's a bit odd, really.
UziMonkey (SF Reviewer), Joined: 19 Dec 2003, Posts: 5
Posted: Thu Mar 11, 2004 11:37 pm

SQL injections all work on the same principle (lack of user input validation). Any of these papers will do, learn how to sneak quotes into your query string that get missed by the input validation (if there is any at all..) and that's most of the battle.
gossi (Just Arrived), Joined: 11 Mar 2004, Posts: 0
Posted: Thu Mar 11, 2004 11:50 pm

UziMonkey wrote:
SQL injections all work on the same principle (lack of user input validation). Any of these papers will do, learn how to sneak quotes into your query string that get missed by the input validation (if there is any at all..) and that's most of the battle.

That is, of course, what I've done... I'll level with you - the product is Invision Power Board (www.invisionboard.com).

They have produced a patch file for their product ssi.php. The patch file is to rectify an SQL injection bug, which they haven't made clear...

The problem is caused by the variable 'f' they accept in the script. To give an example of a valid input:

blahblahblah.com/forum/ssi.php?a=out&f=1

They don't check if 'f' is an integer, and go on to add it into the SQL query in the code. Stupid mistake.

To give an example of what the sent MySQL query looks like:

Code:
SELECT t.*, f.name as forum_name, f.read_perms, f.password
  FROM plonktopics t
  LEFT JOIN plonkforums f ON ( f.id=t.forum_id )
 WHERE t.forum_id IN (PROBLEM IS HERE)
   AND t.approved=1 ORDER BY t.last_post DESC LIMIT 0, 10

Where it says "PROBLEM IS HERE" is where the f= var is entered.

So, the question is, can we craft a query to abandon the already sent text, and run our own?

I've had a good go, and I've got nowhere... The challenge awaits.
shakin (Just Arrived), Joined: 18 Jul 2003, Posts: 0
Posted: Fri Mar 12, 2004 1:42 am

I don't think you can abandon a query because there's no character sequence that means "everything before this is garbage". It would be stupid to even make something like that :)

On MySQL 4.1 and up (once it goes final and people start using it) you can do subqueries, which means you can effectively do what you're trying to do.
gossi (Just Arrived), Joined: 11 Mar 2004, Posts: 0
Posted: Fri Mar 12, 2004 1:52 am

shakin wrote:
On MySQL 4.1 and up (once it goes final and people start using it) you can do subqueries, which means you can effectively do what you're trying to do.


That is quite evil :D

Okay... So is there any way I could write the end of the query clean, and then start another query after the existing one? I don't think there is..
Mongrel (SF Mod), Joined: 30 May 2002, Posts: 8
Posted: Fri Mar 12, 2004 2:43 am

Read Rain Forest Puppy - and don't forget there are very few MySQL servers - or ANY SQL servers for that matter - available directly on the net so you need to first get past the front end - i.e. wwwthreads or whatever.

"How I hacked PacketStorm"
shakin (Just Arrived), Joined: 18 Jul 2003, Posts: 0
Posted: Fri Mar 12, 2004 6:28 am

gossi wrote:
Okay... So is there any way I could write the end of the query clean, and then start another query after the existing one? I don't think there is..


You end a query with a semi-colon. You can try putting a semi-colon and then a second statement, but I don't think it will work.

Mongrel, what gossi is talking about is using SQL injection from the front end. A lot of PHP and ASP apps don't check parameters to make sure they're valid and allow bad code to be inserted into the SQL statement. I think this is a problem with the way DB libraries take input. Java handles this better, but not perfect. Variable output (when the PHP or ASP engine takes the data and puts it into the query) should automatically be encoded to stop its contents from affecting the statement. PHP offers some pretty easy ways to do this manually, but too many developers fail to utilize these tools.
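The two technical points in this thread are gossi's query (the raw `f` parameter spliced into `IN (...)`) and shakin's remedy (validate the parameter and bind it so its contents cannot affect the statement). The block below is an added example written for this page; it is not Invision Power Board code and not code posted by anyone in the thread. It assumes sqlite3 as an offline stand-in for MySQL, reuses the `plonktopics`/`plonkforums` table and column names shown in gossi's query, and seeds a few constructed rows. `build_query_unsafe` reproduces the bug as described (the parameter text becomes SQL); `fetch_topics_safe` is the hardened path: `f` is accepted only as a comma-separated list of integers and each id is bound through a placeholder.

```python
import re
import sqlite3

# Constructed sample data standing in for the ssi.php tables. sqlite3 is an
# offline stand-in for MySQL (assumption: same query shape, same column names).
SCHEMA = """
CREATE TABLE plonkforums (id INTEGER PRIMARY KEY, name TEXT, read_perms TEXT, password TEXT);
CREATE TABLE plonktopics (id INTEGER PRIMARY KEY, forum_id INTEGER, title TEXT,
                          approved INTEGER, last_post INTEGER);
INSERT INTO plonkforums VALUES (1, 'Public', '*', '');
INSERT INTO plonkforums VALUES (2, 'Staff only', '4', 'secret');
INSERT INTO plonktopics VALUES (10, 1, 'Welcome', 1, 100);
INSERT INTO plonktopics VALUES (11, 2, 'Private staff notes', 1, 200);
INSERT INTO plonktopics VALUES (12, 1, 'Unapproved', 0, 300);
"""


def make_db():
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_query_unsafe(f):
    """Mirrors the bug discussed in the thread: the raw request parameter is
    concatenated into the IN (...) clause, so whatever text the client sends
    is parsed by the database as part of the statement."""
    return ("SELECT t.*, f.name AS forum_name, f.read_perms, f.password "
            "FROM plonktopics t LEFT JOIN plonkforums f ON (f.id = t.forum_id) "
            "WHERE t.forum_id IN (" + f + ") "
            "AND t.approved = 1 ORDER BY t.last_post DESC LIMIT 0, 10")


def parse_forum_ids(f):
    """Input validation: a forum id list can only be digits and commas.
    Anything else is rejected before it reaches the database layer."""
    if not re.fullmatch(r"\d+(,\d+)*", f):
        raise ValueError("forum id list must contain only integers: %r" % f)
    return [int(x) for x in f.split(",")]


def fetch_topics_safe(conn, f):
    """Hardened path: validated ids are bound through one placeholder each, so
    the database receives them as values, never as SQL text. Only the columns
    the listing needs are selected (the page's query also pulled f.password)."""
    ids = parse_forum_ids(f)
    placeholders = ",".join("?" * len(ids))
    sql = ("SELECT t.id, t.title, f.name AS forum_name FROM plonktopics t "
           "LEFT JOIN plonkforums f ON (f.id = t.forum_id) "
           "WHERE t.forum_id IN (" + placeholders + ") "
           "AND t.approved = 1 ORDER BY t.last_post DESC LIMIT 10")
    return conn.execute(sql, ids).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(fetch_topics_safe(db, "1"))      # approved topics of forum 1 only
    print(fetch_topics_safe(db, "1,2"))    # both forums, newest post first
    # The unsafe builder passes non-numeric text straight into the statement:
    print(build_query_unsafe("1,two"))
    try:
        fetch_topics_safe(db, "1,two")
    except ValueError as err:
        print("rejected:", err)
```

The regex is deliberately a whitelist rather than an attempt to strip or escape quote characters: `f` is a list of integer ids, so the check describes exactly what a valid value looks like and everything else fails closed. Binding through placeholders is the second layer; it means that even if validation were loosened later, the values could not change the shape of the query.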
Mongrel (SF Mod), Joined: 30 May 2002, Posts: 8
Posted: Fri Mar 12, 2004 9:54 am

shakin - and did you read the article I linked? RFP is or was - well - one of the best - and his full disclosure policy makes for very interesting content.

Most interesting in-depth tutorial in MySQL injection which Gossi had been unable to locate!!
All times are GMT + 2 Hours