Question

Let's consider I have this line of code:

    $result = $mysqli->query("SELECT  * from myTable where field='".$_GET['var']."'");

IMHO this is vulnerable to SQL injections.

So I'd like to prove it by sending, via GET / URL, a "var" param that will inject the query with potentially malicious code.

I actually tried this:

    var = "1'; TRUNCATE myTable; ";

I tried to print out the SQL query string before executing it, and it's actually 2 valid SQL statements:

    SELECT  * from myTable where field='1'; TRUNCATE myTable;

1st problem: But actually it seems that mysqli->query will not execute 2 statements at once. Is that right?

2nd problem: I see that a common technique to inject queries is to perform the injection, then add comment chars to get rid of the tail of the SQL. Example:

    "SELECT  * from myTable where field='".$_GET['var']."' AND field2 IS NOT NULL"

Can be injected with:

    var = "1'; TRUNCATE myTable; # ";

But this problem arises and I'm missing the trick to get rid of it:

if the SQL string in the code has new lines, e.g.:

    "SELECT  * from myTable where field='".$_GET['var']."' 
     AND field2 IS NOT NULL"

If I use the above "var", the final result is

    SELECT  * from myTable where field='1'; TRUNCATE myTable; #
     AND field2 IS NOT NULL

The second line won't be commented out.

How to test injection on this?

Many thanks.


Solution

1st problem: But actually it seems that mysqli->query will not execute 2 statements at once. Is that right?

That's right; if you want to execute multiple statements you need to use mysqli->multi_query. You can find a good explanation of multiple statements here: http://www.php.net/manual/en/mysqli.quickstart.multiple-statement.php

But this problem arises and I'm missing the trick to get rid of it

The problem arises because you are using multiple statements, and mysqli->query does not support them.

About your queries:

    $result = $mysqli->query("SELECT  * from myTable where field='".$_GET['var']."'");

You can inject this using, for example, 1' OR 1=1; that would return all entries of myTable in the query result.

    "SELECT * from myTable where field='".$_GET['var']."' AND field2 IS NOT NULL"

Here you could use 1' OR 1=1 UNION ALL SELECT * FROM myTable WHERE '1'='1

Nowadays there are tools that can automatically check for SQL injection; take a look at SQL Inject Me (Firefox add-on), for example.
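The concatenation from the question and the answer's UNION payload, modelled in Python against an in-memory SQLite table so it runs offline (an added example, not the asker's PHP or anything from mysqli). The table, its three rows and the placeholder-based lookup are constructed here; SQLite, like mysqli->query, refuses to run a second stacked statement, which is the asker's 1st problem.

```python
import sqlite3

# Constructed sample rows standing in for the asker's myTable(field, field2).
ROWS = [("1", "a"), ("2", None), ("3", "c")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (field TEXT, field2 TEXT)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?)", ROWS)
    conn.commit()
    return conn

def build_query_unsafe(var):
    # Same string concatenation as the PHP, including the line break
    # before AND that the question says defeats a trailing "#" in MySQL.
    return ("SELECT * from myTable where field='" + var + "'\n"
            " AND field2 IS NOT NULL")

def lookup_unsafe(conn, var):
    # Untrusted text is parsed as SQL: the payload changes the statement.
    return conn.execute(build_query_unsafe(var)).fetchall()

def lookup_safe(conn, var):
    # Parameter binding: the driver passes var as a value, never as SQL text.
    sql = "SELECT * from myTable where field=? AND field2 IS NOT NULL"
    return conn.execute(sql, (var,)).fetchall()

def try_unsafe(conn, var):
    """Rows from the concatenated query, or 'rejected: ...' when the driver
    refuses it (SQLite, like mysqli->query, executes one statement only)."""
    try:
        return lookup_unsafe(conn, var)
    except (sqlite3.Error, sqlite3.Warning) as exc:  # Warning on Python < 3.11
        return "rejected: " + str(exc)

PAYLOADS = (
    "1",                                       # benign lookup
    "1'; TRUNCATE myTable; # ",                # stacked statement from the question
    "1' OR 1=1 UNION ALL SELECT * FROM myTable WHERE '1'='1",  # from the answer
)

if __name__ == "__main__":
    db = make_db()
    for var in PAYLOADS:
        print(repr(var))
        print("  concatenated:", try_unsafe(db, var))
        print("  bound param: ", lookup_safe(db, var))
```

SQLite does not treat `#` as a comment, so the newline case from the 2nd problem is not modelled; what carries over is that a bound parameter is compared as data and the table keeps its rows regardless of input.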

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow