gossi Just Arrived

Joined: 11 Mar 2004 Posts: 9

Posted: Thu Mar 11, 2004 10:47 pm Post subject: Crafting MySQL injection exploits
Situation: Got a web application (PHP) that allows, via a parameter it accepts, inserting this into a MySQL query.
The parameter you specify is appended to an already started MySQL query.
Question: Is there any way to terminate the existing query, or exit it gracefully? I want to run a completely different query.
Dunceor Frequent Member

Joined: 05 Sep 2003 Posts: 219 Location: Sweden

Posted: Thu Mar 11, 2004 10:53 pm
There are a lot of exploits that do SQL injection on the net; find one of those and see what they do to get SQL to do what they want, and you will find some answers...
_________________ http://www.puffy.nu/~dunceor
gossi Just Arrived

Joined: 11 Mar 2004 Posts: 9

Posted: Thu Mar 11, 2004 11:11 pm
Dunceor wrote:
> There are a lot of exploits that do SQL injection on the net; find one of those and see what they do to get SQL to do what they want, and you will find some answers...
In theory, fine.
In practice, try it.
You'll find tons of documentation on MSSQL injections... but I've yet to find anything decent on MySQL injections. The MS SQL stuff doesn't relate closely enough to be of use. It's a bit odd, really.
UziMonkey SF Reviewer


Joined: 19 Dec 2003 Posts: 559

Posted: Thu Mar 11, 2004 11:37 pm
SQL injections all work on the same principle (lack of user input validation). Any of these papers will do; learn how to sneak quotes into your query string that get missed by the input validation (if there is any at all...) and that's most of the battle.
_________________ Use Jabber instead
My JID: uzimonkey@jabber.org
"Whether freedom is going to survive at all is in doubt, but we've got to try" - RMS
The Blacksun Research Facility
gossi Just Arrived

Joined: 11 Mar 2004 Posts: 9

Posted: Thu Mar 11, 2004 11:50 pm
UziMonkey wrote:
> SQL injections all work on the same principle (lack of user input validation). Any of these papers will do; learn how to sneak quotes into your query string that get missed by the input validation (if there is any at all...) and that's most of the battle.
That is, of course, what I've done... I'll level with you: the product is Invision Power Board (www.invisionboard.com).
They have produced a patch file for their product's ssi.php. The patch file is to rectify an SQL injection bug, which they haven't made clear...
The problem is caused by the variable 'f' they accept in the script. To give an example of a valid input:
blahblahblah.com/forum/ssi.php?a=out&f=1
They don't check if 'f' is an integer, and go on to add it into the SQL query in the code. Stupid mistake.
To give an example of what the sent MySQL query looks like:
Code:
SELECT t.*, f.name as forum_name, f.read_perms, f.password
FROM plonktopics t
LEFT JOIN plonkforums f ON ( f.id=t.forum_id )
WHERE t.forum_id IN (PROBLEM IS HERE)
AND t.approved=1 ORDER BY t.last_post DESC LIMIT 0, 10
Where it says "PROBLEM IS HERE" is where the f= var is entered.
So, the question is, can we craft a query to abandon the already sent text, and run our own?
I've had a good go, and I've got nowhere... The challenge awaits.
shakin Frequent Member

Joined: 18 Jul 2003 Posts: 163

Posted: Fri Mar 12, 2004 1:42 am
I don't think you can abandon a query because there's no character sequence that means "everything before this is garbage". It would be stupid to even make something like that.
On MySQL 4.1 and up (once it goes final and people start using it) you can do subqueries, which means you can effectively do what you're trying to do.
_________________ shakin
gossi Just Arrived

Joined: 11 Mar 2004 Posts: 9

Posted: Fri Mar 12, 2004 1:52 am
shakin wrote:
> On MySQL 4.1 and up (once it goes final and people start using it) you can do subqueries, which means you can effectively do what you're trying to do.
That is quite evil.
Okay... So is there any way I could write the end of the query cleanly, and then start another query after the existing one? I don't think there is...
Mongrel Trusted SF Member


Joined: 30 May 2002 Posts: 1347

Posted: Fri Mar 12, 2004 2:43 am
Read Rain Forest Puppy - and don't forget there are very few MySQL servers - or ANY SQL servers for that matter - available directly on the net, so you need to first get past the front end - i.e. wwwthreads or whatever.
"How I hacked PacketStorm"
shakin Frequent Member

Joined: 18 Jul 2003 Posts: 163

Posted: Fri Mar 12, 2004 6:28 am
gossi wrote:
> Okay... So is there any way I could write the end of the query cleanly, and then start another query after the existing one? I don't think there is...
You end a query with a semicolon. You can try putting a semicolon and then a second statement, but I don't think it will work.
Mongrel, what gossi is talking about is using SQL injection from the front end. A lot of PHP and ASP apps don't check parameters to make sure they're valid and allow bad code to be inserted into the SQL statement. I think this is a problem with the way DB libraries take input. Java handles this better, but not perfectly. Variable output (when the PHP or ASP engine takes the data and puts it into the query) should automatically be encoded to stop its contents from affecting the statement. PHP offers some pretty easy ways to do this manually, but too many developers fail to utilize these tools.
_________________ shakin
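The bug gossi describes (an unchecked f spliced straight into the IN (...) list) and the fix shakin outlines (validate the parameter and bind it so it cannot alter the statement), as an added example that is not Invision's code or anyone's code from this thread; it is written in Python with SQLite standing in for MySQL so it runs offline. The query shape and table names follow the one quoted above; the sample rows and the stand-in schema are constructed here.

```python
import re
import sqlite3

# Query shape as quoted in the thread; {forums} is where the f parameter lands.
QUERY = (
    "SELECT t.*, f.name AS forum_name, f.read_perms, f.password "
    "FROM plonktopics t LEFT JOIN plonkforums f ON (f.id = t.forum_id) "
    "WHERE t.forum_id IN ({forums}) AND t.approved = 1 "
    "ORDER BY t.last_post DESC LIMIT 0, 10"
)


def build_unsafe(f: str) -> str:
    """The pattern the thread describes: f is pasted in verbatim, so any
    non-numeric text the client sends becomes part of the SQL itself."""
    return QUERY.format(forums=f)


def parse_forum_ids(f: str) -> list[int]:
    """Hardened: accept only a comma-separated list of unsigned integers
    and reject everything else before it gets anywhere near the query."""
    if not re.fullmatch(r"\d+(,\d+)*", f):
        raise ValueError("f must be a comma-separated list of integers")
    return [int(x) for x in f.split(",")]


def build_safe(f: str) -> tuple[str, list[int]]:
    """One placeholder per validated id; the values travel as bound
    parameters instead of being spliced into the statement text."""
    ids = parse_forum_ids(f)
    return QUERY.format(forums=", ".join(["?"] * len(ids))), ids


def topics_for(f: str) -> list[str]:
    """Run the hardened query against an in-memory SQLite stand-in for MySQL
    (constructed sample rows; SQLite accepts this query shape as written)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE plonkforums (id INTEGER, name TEXT, read_perms TEXT, password TEXT);
        CREATE TABLE plonktopics (id INTEGER, title TEXT, forum_id INTEGER,
                                  approved INTEGER, last_post INTEGER);
        INSERT INTO plonkforums VALUES (1, 'General', '*', ''), (2, 'Staff', 'staff', 'secret');
        INSERT INTO plonktopics VALUES (1, 'hello', 1, 1, 100), (2, 'draft', 1, 0, 200),
                                       (3, 'internal', 2, 1, 300);
    """)
    sql, params = build_safe(f)
    return [row[1] for row in db.execute(sql, params)]  # row[1] is t.title
```

The regex check is what ssi.php lacked according to the thread: with it in place, a non-numeric f never reaches the database, and the integers that do pass are bound rather than concatenated.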
Mongrel Trusted SF Member


Joined: 30 May 2002 Posts: 1347

Posted: Fri Mar 12, 2004 9:54 am
shakin - and did you read the article I linked? RFP is or was - well - one of the best - and his full disclosure policy makes for very interesting content. Most interesting in-depth tutorial in MySQL injection, which Gossi had been unable to locate!!