WebApp Sec mailing list archives
Chain based SQL injection
From: Владимир Воронцов <vladimir.vorontsov () onsec ru>
Date: Thu, 08 Apr 2010 23:23:36 +0400
Hello Bugtraq! Hello Full-Disclosure!

While studying the security of a web application I stumbled on the possibility of carrying out a SQL injection in an unusual way. All user data that went into the database through an INSERT query was filtered with mysql_real_escape_string(). However, under certain circumstances the data from the database became part of another query to the database, in which it was no longer filtered. Thus a string of the type

'Union all select version() /*

could be written to the database through mysql_real_escape_string() and, once it became part of another query that does not directly depend on the user data, it played the role of a classic SQL injection. As a result the second query, the one that actually executed the injected statements, looked like this:

select mixvalue from datas where name like '%' union all select version ()/*%'

One could call such a thing something like a "stored SQL injection", but in view of the chaining of the queries I prefer the name "chain based SQL injection".

Below is an example of vulnerable code.

<?php
$con = mysql_connect("localhost", "user", "pass");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("dbase", $con);

// First query: the user value is escaped before the INSERT, so this query itself is safe.
if (strlen($_GET['name']) > 2) {
    $r = mysql_query("insert into sqli values(4, '" . mysql_real_escape_string($_GET['name']) . "')");
}

$result = mysql_query("SELECT * FROM sqli");
while ($row = mysql_fetch_array($result)) {
    echo "<p/>User <font color='red'>" . $row['name'] . "</font>";
    echo "<br />";
    $curname = $row['name'];
    // Second query: the value read back from the table is concatenated without any escaping.
    $r = mysql_query("select mixtext from datas where mixtext like '%" . $curname . "%'");
    echo "<br/>Associated data:";
    while ($row = mysql_fetch_array($r)) {
        echo "<br/>--------- " . $row['mixtext'];
    }
}
mysql_close($con);
?>

Original in Russian: http://oxod.ru/?p=97

-- 
Best regards,
Vladimir Vorontsov
ONsec security expert
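The two-stage flow described in the post, as an added example that is not part of the original message and not Vorontsov's code. It assumes SQLite in place of MySQL (so the escape() helper doubles quotes as a stand-in for mysql_real_escape_string(), and sqlite_version() replaces version()), uses the table names sqli and datas from the posted PHP, and fills datas with a few constructed rows. The first stage escapes the input and stores it, the second stage concatenates the stored value into a LIKE query exactly as the PHP does, and a hardened second stage binds the value as a parameter and escapes the LIKE wildcards.

```python
import sqlite3

# Constructed payload of the shape the post describes: a quote to close the
# LIKE literal, a UNION to append attacker-chosen rows, and an opening block
# comment to swallow the rest of the second query.
PAYLOAD = "' union all select sqlite_version() /*"

# Version string the injected query surfaces (exposed for checking results).
SQLITE_VERSION = sqlite3.sqlite_version


def escape(value):
    """Stand-in for mysql_real_escape_string() (assumption: SQLite has no
    backslash escaping, so the quote is doubled instead). It makes the INSERT
    safe; the text that ends up in the table is still the raw payload."""
    return value.replace("'", "''")


def setup():
    """In-memory database with the two tables named in the post and a few
    constructed rows for datas."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table sqli (id integer, name text);
        create table datas (mixtext text);
        insert into datas values ('alice likes apples'), ('bob'), ('secret alice token');
    """)
    return con


def store_name(con, name):
    """Stage 1: the escaped user value goes into the INSERT (this query is safe)."""
    con.execute("insert into sqli values (4, '" + escape(name) + "')")
    con.commit()


def stored_names(con):
    """What later, unrelated code reads back from the table."""
    return [r[0] for r in con.execute("select name from sqli")]


def associated_data_vulnerable(con, name):
    """Stage 2 as in the posted PHP: the value read back from sqli is
    concatenated into the second query with no escaping at all."""
    sql = "select mixtext from datas where mixtext like '%" + name + "%'"
    return [r[0] for r in con.execute(sql)]


def associated_data_fixed(con, name):
    """Hardened stage 2: bind the value as a parameter and escape the LIKE
    wildcards, so a stored quote, '%' or '_' can neither change the query
    nor widen the match."""
    pattern = "%" + (name.replace("\\", "\\\\")
                         .replace("%", "\\%")
                         .replace("_", "\\_")) + "%"
    sql = "select mixtext from datas where mixtext like ? escape '\\'"
    return [r[0] for r in con.execute(sql, (pattern,))]


def chain_demo():
    """Run the whole chain once: store the payload through the filter, read it
    back, and feed it to both versions of the second query."""
    con = setup()
    store_name(con, PAYLOAD)       # passes the first filter and is stored verbatim
    name = stored_names(con)[0]    # read back later, no longer 'user data'
    return {
        "vulnerable": associated_data_vulnerable(con, name),
        "fixed": associated_data_fixed(con, name),
    }


if __name__ == "__main__":
    for label, rows in chain_demo().items():
        print(label, rows)
```

With the payload stored, the vulnerable second query returns every row of datas followed by the SQLite version string, because the stored quote closes the '%' literal, the UNION appends a row and the trailing /* comments out the rest of the statement. The fixed query returns nothing for the same stored value, since the payload is now only a pattern to match against, not SQL.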