Waraxe IT Security Portal
Tricky SQL attack vector- need a tip
Posted: Fri Jan 23, 2009 6:47 pm
Joined: Jan 23, 2009
Posts: 3

OK, here's the setup: I can insert table names and so on, but from what I can tell these queries are pretty hostile to SQL injection. There is NO escaping at all, so I can put in whatever I want. If any query fails, no error is returned at all! The only output is the queries themselves. This script is meant to be accessed via AJAX, that is, the user is not meant to see the output. The programmer has forgotten to turn off his/her debug output, and also has forgotten to validate input!

Server is MySQL running on the mysql PHP extension.

Here are the queries exactly as they are output by the script:

[[ UPDATE ab_eq_'foo' SET ab_saved = 2 WHERE user_id = -1 AND ab_saved = 1 ]]
[[ DELETE FROM ab_eq_'foo' WHERE ab_saved = 0 AND user_id = -1 ]]
[[ UPDATE mg_inv_'foo' SET is_eq = 0 WHERE is_eq IN (1,2) AND user_id = -1 ]]

I've put 'foo' right where I can insert any string. There is one exploitable input to these queries, and it's the same value repeated three times (as shown by the 'foo').

These queries are run consecutively. There appears to be no way to run them individually or in any other order.

Any tips?

Last edited by spinsati on Sun Jan 25, 2009 7:25 pm; edited 2 times in total
Re: Tricky SQL attack vector- need a tip
Posted: Fri Jan 23, 2009 9:15 pm
Valuable expert
Joined: Nov 19, 2008
Posts: 261

spinsati wrote:
OK, here's the setup: I can insert table names and so on, but from what I can tell these queries are pretty hostile to SQL injection. There is NO escaping at all, so I can put in whatever I want. If any query fails, no error is returned at all! The only output is the queries themselves.

Server is MySQL running on the mysql PHP extension.

Here are the queries exactly as they are output by the script:

[[ UPDATE ab_eq_{FOO ='= BAR} SET ab_saved = 2 WHERE user_id = -1 AND ab_saved = 1 ]]
[[ DELETE FROM ab_eq_{FOO ='= BAR} WHERE ab_saved = 0 AND user_id = -1 ]]
[[ UPDATE mg_inv_{FOO ='= BAR} SET is_eq = 0 WHERE is_eq IN (1,2) AND user_id = -1 ]]

I've put {FOO ='= BAR} right where I can insert any string. These queries are run consecutively. There appears to be no way to run them individually or in any other order.

Any tips?
These can't all be in one query because MySQL prohibits joining queries of different types (i.e. you can't use DELETE in the same query you use SELECT in, and you can't use UPDATE in the same one you use INSERT in). So the first thing to realize is that it has to be a bunch of different queries.
Posted: Fri Jan 23, 2009 10:54 pm
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

If the MySQL version is >= 4.1, with subquery support, then you can use blind injection in UPDATE, DELETE, INSERT and other queries.
Re: Tricky SQL attack vector- need a tip
Posted: Sun Jan 25, 2009 7:23 pm
Joined: Jan 23, 2009
Posts: 3

tehhunter wrote:
So the first to realize is that it has got to be a bunch of different queries.

Yes, I realized that they're not one query, because the PHP mysql extension doesn't allow query stacking.

The interesting thing to note is that there is one input which gets placed in all the queries. So if I enter 'foo', then that value gets put in all the queries.

This programmer wanted to save some time by having dynamic table names, but he/she forgot to validate the input, thus I was able to discover the vulnerability.

Unfortunately, blind SQL injection is tricky since a) I don't know the entire table schema, and b) absolutely NO errors are output if any query fails.

I do know that this database also has phpBB tables, but again, I don't know if I can extend these queries enough to influence them.
Posted: Sun Jan 25, 2009 8:26 pm
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

As for the missing feedback: use blind injection with BENCHMARK() or SLEEP(). And the database schema can be guessed, or in the case of MySQL 5.x there is INFORMATION_SCHEMA.
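The root cause this thread turns on is a table name built from unvalidated request input; identifiers cannot be bound as parameters, so the defensive fix is a strict allowlist. Below, as an added example (not code from the thread or from the affected application), the pattern the poster describes sits beside a hardened version using mysqli; the suffix list, the mysqli usage and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Vulnerable shape as described in the thread: one request value is spliced
// into three table names with no validation, and the SQL text is echoed back.
function buildQueriesVulnerable(string $suffix, int $userId): array
{
    return [
        "UPDATE ab_eq_{$suffix} SET ab_saved = 2 WHERE user_id = {$userId} AND ab_saved = 1",
        "DELETE FROM ab_eq_{$suffix} WHERE ab_saved = 0 AND user_id = {$userId}",
        "UPDATE mg_inv_{$suffix} SET is_eq = 0 WHERE is_eq IN (1,2) AND user_id = {$userId}",
    ];
}

// Hardened version. A table name cannot be a bound parameter, so the suffix
// must exactly match one of the suffixes the application knows about
// (constructed sample values below). Everything else is rejected before any
// SQL is assembled. The numeric user_id is bound as a parameter.
const ALLOWED_SUFFIXES = ['main', 'alt', 'archive']; // hypothetical list

function buildQueriesHardened(string $suffix, int $userId): array
{
    if (!in_array($suffix, ALLOWED_SUFFIXES, true)) {
        throw new InvalidArgumentException('unknown table suffix');
    }
    // Backtick-quoting is defence in depth; the allowlist is the real control.
    $ab = '`ab_eq_' . $suffix . '`';
    $mg = '`mg_inv_' . $suffix . '`';
    return [
        "UPDATE {$ab} SET ab_saved = 2 WHERE user_id = ? AND ab_saved = 1",
        "DELETE FROM {$ab} WHERE ab_saved = 0 AND user_id = ?",
        "UPDATE {$mg} SET is_eq = 0 WHERE is_eq IN (1,2) AND user_id = ?",
    ];
}

function runHardened(mysqli $db, string $suffix, int $userId): void
{
    // Make mysqli throw on failure so errors are logged server-side rather
    // than silently swallowed (the thread's "no error is returned at all").
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    foreach (buildQueriesHardened($suffix, $userId) as $sql) {
        $stmt = $db->prepare($sql);
        $stmt->bind_param('i', $userId);
        $stmt->execute();
        $stmt->close();
    }
    // Never echo the SQL text to the client, even on an AJAX endpoint.
}
```

Because the allowlist check runs before any SQL is built, a suffix carrying SLEEP() or BENCHMARK() never reaches the server, and a rejected suffix can be logged as an injection attempt.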
Powered by phpBB © 2001-2008 phpBB Group
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"