IT Security and Insecurity Portal

Tricky SQL attack vector - need a tip

Posted: Fri Jan 23, 2009 6:47 pm

spinsati
Beginner
Joined: Jan 23, 2009
Posts: 3

Ok, here's the setup: I can insert table names, and so on, but these queries are pretty hostile from what I can tell to SQL injection. There is NO escaping at all, so I can put in whatever I want. If any queries fail, no error is returned at all! The only output is the queries themselves. This script is meant to be accessed via AJAX, that is, the user is not meant to see the output. The programmer has forgotten to turn off his/her debug output, and also has forgotten to validate input!
Server is MySQL running on the mysql PHP extension.
Here's the queries exactly as they are output by the script:
Code:
[[ UPDATE ab_eq_'foo' SET ab_saved = 2 WHERE user_id = -1 AND ab_saved = 1 ]]
[[ DELETE FROM ab_eq_'foo' WHERE ab_saved = 0 AND user_id = -1 ]]
[[ UPDATE mg_inv_'foo' SET is_eq = 0 WHERE is_eq IN (1,2) AND user_id = -1 ]]
I've put 'foo' right where I can insert any string. There is one exploitable input to these queries, and it's the same value repeated three times (as shown by the 'foo').
These queries are run consecutively. There appears to be no way to run them individually or in any other order.
Any tips?

Last edited by spinsati on Sun Jan 25, 2009 7:25 pm; edited 2 times in total

Re: Tricky SQL attack vector - need a tip

Posted: Fri Jan 23, 2009 9:15 pm

tehhunter
Valuable expert
Joined: Nov 19, 2008
Posts: 261

spinsati wrote: | Ok, here's the setup: I can insert table names, and so on, but these queries are pretty hostile from what I can tell to SQL injection. There is NO escaping at all, so I can put in whatever I want. If any queries fail, no error is returned at all! The only output is the queries themselves.
Server is MySQL running on the mysql PHP extension.
Here's the queries exactly as they are output by the script:
Code:
[[ UPDATE ab_eq_{FOO ='= BAR} SET ab_saved = 2 WHERE user_id = -1 AND ab_saved = 1 ]]
[[ DELETE FROM ab_eq_{FOO ='= BAR} WHERE ab_saved = 0 AND user_id = -1 ]]
[[ UPDATE mg_inv_{FOO ='= BAR} SET is_eq = 0 WHERE is_eq IN (1,2) AND user_id = -1 ]]
I've put {FOO ='= BAR} right where I can insert any string. These queries are run consecutively. There appears to be no way to run them individually or in any other order.
Any tips? |

These can't all be in one query because MySQL prohibits joining queries of different types (aka you can't use DELETE in the same query you use SELECT and you can't use UPDATE in the same one you use INSERT). So the first thing to realize is that it has got to be a bunch of different queries.

Posted: Fri Jan 23, 2009 10:54 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

If the MySQL version is >= 4.1, with subquery support, then you can use blind injection in UPDATE, DELETE, INSERT and other queries.

Re: Tricky SQL attack vector - need a tip

Posted: Sun Jan 25, 2009 7:23 pm

spinsati
Beginner
Joined: Jan 23, 2009
Posts: 3

tehhunter wrote: | So the first thing to realize is that it has got to be a bunch of different queries. |

Yes, I realized that they're not one query, because the PHP mysql extension doesn't allow query stacking.
The interesting thing to note is that there is one input which gets placed in all the queries. So if I enter 'foo', then that value gets put in all the queries.
This programmer wanted to save some time by having dynamic table names, but he/she forgot to validate the input, thus I was able to discover the vulnerability.
Unfortunately, blind SQL injection is tricky since I don't know: a.) the entire table schema, and b.) absolutely NO errors are output if any query fails.
I do know that this database also has phpBB tables, but again, I don't know if I can extend these queries enough to influence them.
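The root cause in this thread is a user-supplied table-name suffix that bind parameters cannot protect, so here is an added Python example (not code from the thread or from the affected PHP script) of the two controls a defender would want: building the three statements only after the suffix passes an allowlist and identifier check, and scanning the leaked "[[ ... ]]" debug lines for table references that do not have the expected shape. The allowlist names, the inline user_id handling and the sample debug output are assumptions constructed for the example.

```python
import re

# Constructed allowlist: the thread does not say which table suffixes the real
# script accepts, so these three names are an assumption for the example.
ALLOWED_SUFFIXES = frozenset({"weapons", "armor", "rings"})

# Unquoted MySQL identifier part: letters, digits and underscores only.
IDENT_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

# Table reference at the start of each leaked UPDATE / DELETE statement.
TABLE_RE = re.compile(r"^(?:UPDATE|DELETE FROM)\s+(\S+)")
# Shape every legitimate table name in this script's output should have.
EXPECTED_TABLE_RE = re.compile(r"^(?:ab_eq|mg_inv)_[A-Za-z0-9_]+$")

def quote_ident(name: str) -> str:
    """Backtick-quote a MySQL identifier, doubling any embedded backtick."""
    return "`" + name.replace("`", "``") + "`"

def build_queries(suffix: str, user_id: int) -> list[str]:
    """Build the thread's three statements with the suffix validated first.
    Bind parameters only cover values, never identifiers, so an allowlist
    check plus identifier quoting is the control for a dynamic table name."""
    if not IDENT_RE.match(suffix) or suffix not in ALLOWED_SUFFIXES:
        raise ValueError(f"rejected table suffix: {suffix!r}")
    uid = int(user_id)  # assumption: shown inline; normally a bound parameter
    eq, inv = quote_ident("ab_eq_" + suffix), quote_ident("mg_inv_" + suffix)
    return [
        f"UPDATE {eq} SET ab_saved = 2 WHERE user_id = {uid} AND ab_saved = 1",
        f"DELETE FROM {eq} WHERE ab_saved = 0 AND user_id = {uid}",
        f"UPDATE {inv} SET is_eq = 0 WHERE is_eq IN (1,2) AND user_id = {uid}",
    ]

def suspicious_tables(debug_output: str) -> list[str]:
    """Scan the '[[ ... ]]' lines the script leaks and return every table
    reference that does not look like a legitimate ab_eq_/mg_inv_ name."""
    bad = []
    for m in re.finditer(r"\[\[\s*(.*?)\s*\]\]", debug_output):
        t = TABLE_RE.match(m.group(1))
        if t and not EXPECTED_TABLE_RE.match(t.group(1)):
            bad.append(t.group(1))
    return bad

# Constructed sample of the debug output quoted in the thread, 'foo' in the slot.
SAMPLE_DEBUG = (
    "[[ UPDATE ab_eq_'foo' SET ab_saved = 2 WHERE user_id = -1 AND ab_saved = 1 ]]"
    "[[ DELETE FROM ab_eq_'foo' WHERE ab_saved = 0 AND user_id = -1 ]]"
    "[[ UPDATE mg_inv_'foo' SET is_eq = 0 WHERE is_eq IN (1,2) AND user_id = -1 ]]"
)
```

Run `suspicious_tables(SAMPLE_DEBUG)` to see all three leaked statements flagged, while `build_queries("weapons", -1)` returns the same three statements with a quoted, allowlisted table name.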

Posted: Sun Jan 25, 2009 8:26 pm

waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

As for the missing feedback: use blind injection with BENCHMARK() or SLEEP(). And the database schema can be guessed, or in the case of MySQL ver. 5.x there is INFORMATION_SCHEMA.
www.waraxe.us Forum Index -> Sql injection