
SQL Injection on INSERT

I'm currently testing vulnerabilities to SQL injections for my company's application as an IT trainee.

So I found that the application is indeed vulnerable to injections because I can alter some of the insert statements.

So I altered the insert statement to this:

INSERT INTO tablename( column, column1, column2, column3, column4,column5, column6, column7, column8 ) 
VALUES ( 10965972, 185796154, 25, 23,2023, '', CURRENT_DATE, 'v0201100',
18); 

DELETE * 
  FROM tablename;-- , 2023,'a', CURRENT_DATE, 'v0201100', 18 )

I thought this should be a correct statement, but the MySQL server returned this error: MySQL Error: 1064 (You have an error in your SQL syntax;[...]

Would be nice if somebody could help and tell me why the syntax is wrong...

Thanks for your help :-)

Edit: Thanks for all your answers. :) Unfortunately the * wasn't the problem. I tried to execute the statement (the statement is executed by PHP) without the delete part, so the statement looks like this:

[...] VALUES( 10963455, 182951959, 23, 23,2023, '', CURRENT_DATE, 'v0201100', 18)--, 2023, '', CURRENT_DATE, 'v0201100', 18 )

But even then the MySQL server returned the same error. Here is the full error message:

MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '--, 2023, '', CURREN' at line 17) Session halted.

Would really appreciate it if anyone knew the problem.


If that sample chunk of query is executed in a SINGLE ->query() call, MySQL's driver doesn't allow multiple queries within a single query call. It eliminates the bobby tables type injection attacks, but doesn't prevent injecting values that would manipulate where clauses and whatnot.


Having a look at the MySQL spec for DELETE, there is no suggestion that you can include * immediately proceeding the DELETE statement. Try removing it.

The * is used in a select statement to select all columns. Specifying it here makes no sense, as you are deleting rows.

I believe the -- commented-out line will be ignored by the parser (I would certainly expect it to be), so that bit of code should be ok. If in doubt remove it as a test.


When I split your SQL statement on multiple lines using ; as separator, I get:

1) VALUES( 10965972, 185796154, 25, 23,2023, '', CURRENT_DATE, 'v0201100', 18);
2) DELETE * FROM tablename;
3) -- , 2023, 'a', CURRENT_DATE, 'v0201100', 18 )

To me, 3) doesn't look like valid SQL...


MySQL doesn't allow a delete query without a where statement. You can use:

DELETE * FROM tablename WHERE 1 = 1

You may also have to remove the * after delete, it doesn't look like MySQL supports that.


@freddy: DELETE * FROM tablename should be DELETE FROM tablename.


The ANSI SQL definition for DELETE statements does not include an asterisk *

Try, DELETE FROM tablename


Additionally you are using a SQL-Injection. The reason why SQL-Injections are possible at your company is a secret (just use prepared statements), but this isn't the question. Most SQL-Injections are caused by using mysql_query() without filtering/escaping. mysql_query() allows only 1 query. There has to be mysql_multi_query() if this should work. Modifying data in SELECT-Statements is prohibited by MySQL.
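Two of the answers above make the same pair of points: a single-statement query call refuses a second appended statement, and the actual fix is prepared statements. The following is an added example, not code from the question or from any answer, that shows both side by side. It uses an in-memory sqlite3 database as a stand-in for the MySQL server in the post, and the table name, column names and payload are constructed for the demonstration, since the real ones are not given.

```python
import sqlite3

# Added example, not code from the question or any answer. An in-memory
# sqlite3 database stands in for the MySQL server in the post; the table
# and column names below are constructed, since the real ones are not given.
SCHEMA = """
CREATE TABLE tablename (
    id      INTEGER,
    amount  INTEGER,
    note    TEXT,
    version TEXT
);
INSERT INTO tablename VALUES (1, 10, 'existing row', 'v0201100');
"""

# Constructed input in the same shape as the payload in the question: it
# closes the VALUES list and appends a second statement after ';'.
PAYLOAD = "x', 'v0201100'); DELETE FROM tablename;-- "


def fresh_db():
    """Create the stand-in database with one pre-existing row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_unsafe_sql(note):
    """Vulnerable form: the user-supplied value is pasted into the SQL text,
    so any quotes or ';' in it become part of the query."""
    return ("INSERT INTO tablename (id, amount, note, version) "
            f"VALUES (2, 25, '{note}', 'v0201100')")


def run_unsafe(conn, note):
    """Execute the concatenated query through a single-statement call.

    Like mysql_query() discussed in the answers, sqlite3's execute() refuses
    to run more than one statement, so the appended DELETE is rejected here.
    That is a property of the driver, not a defence: a payload that only
    alters values inside the one statement would still go through.
    """
    try:
        conn.execute(build_unsafe_sql(note))
        conn.commit()
        return "executed"
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return f"rejected: {exc}"


def insert_safe(conn, note):
    """Hardened form: a prepared/parameterised statement. The value is bound
    separately from the SQL text, so it is stored verbatim as data."""
    conn.execute(
        "INSERT INTO tablename (id, amount, note, version) VALUES (?, ?, ?, ?)",
        (2, 25, note, "v0201100"),
    )
    conn.commit()


def row_count(conn):
    """Number of rows currently in the table."""
    return conn.execute("SELECT COUNT(*) FROM tablename").fetchone()[0]


def stored_notes(conn):
    """The 'note' column of every row, in id order."""
    return [r[0] for r in conn.execute("SELECT note FROM tablename ORDER BY id")]


if __name__ == "__main__":
    db = fresh_db()
    print(build_unsafe_sql(PAYLOAD))
    print(run_unsafe(db, PAYLOAD), "| rows:", row_count(db))
    insert_safe(db, PAYLOAD)
    print("after parameterised insert | rows:", row_count(db))
    print(stored_notes(db))
```

The concatenated query text visibly contains the injected DELETE; the driver happens to reject it only because it will not run two statements in one call, and the original row survives. With the parameterised insert the whole payload, quotes and all, lands in the `note` column as an ordinary string and the table gains exactly one row. In the PHP code from the question the equivalent hardening is a prepared statement with bound parameters (mysqli_prepare/bind_param or PDO with placeholders) in place of building the INSERT text from request values.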
