WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Chain based SQL injection

From: Владимир Воронцов <vladimir.vorontsov () onsec ru>
Date: Thu, 08 Apr 2010 23:23:36 +0400
Hello Bugtraq!
Hello Full-Disclosure!

The study of security web applications stumbled on the possibility of an
attack such as the introduction of SQL injection unusual way. 

All user data, which fall into the base with a query like INSERT filtered
using the mysql_real_escape_string(). 

However, under certain circumstances, data from the database were part of
another query to the database in which they no longer held the filtration. 

Thus, through mysql_real_escape_string() to write to the database string
types: 

'Union all select version() /* 

Which is already being part of another query, which does not directly
depend on the user data already played the role of the classic SQL
injection. 

As a result, the second request, which gave the performance of operators
was as follows: 

select mixvalue from datas where name like '%' union all select version
()/*%' 

To call such a thing could be as something like "a stored SQL injection",
but in view of connectivity requests me more like the version of the "chain
based SQL injection". 

Below give the example of vulnerable code.

<?php
$con = mysql_connect(“localhost”,”user”,”pass”);
if (!$con)
{
  die(‘Could not connect: ‘ . mysql_error());
}

mysql_select_db(“dbase”, $con);

if (strlen($_GET['name'])>2) {
  $r = mysql_query(“insert into sqli values(4,
‘”.mysql_real_escape_string($_GET['name']).”‘)”);
}

$result = mysql_query(“SELECT * FROM sqli”);

while($row = mysql_fetch_array($result))
{
  echo “< p/ >User < font color=’red’>”.$row['name'].”</ font>”;
  echo “< br />”;
  $curname=$row['name'];
  $r = mysql_query(“select mixtext from datas where mixtext like
‘%”.$curname.”%’”);
  echo “< br/>Associated data:”;
  while($row = mysql_fetch_array($r))
  {
    echo “< br/>——— “.$row['mixtext'];
  }
}

mysql_close($con);
?>

Original at russian language: http://oxod.ru/?p=97

-- 
Best regards, 
Vladimir Vorontsov
ONsec security expert



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: