3

I'm trying to inject a basic query but I think I'm missing how to comment out the end of those queries.

I thought using # or --' would work but I'm still ending up with this kind of error:

Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'TABLE user ;--' ORDER BY c2_.creationDate DESC' at line 1

So what is the proper way of bypassing that security?

What am I doing wrong when I write:

http://esgi-3.futest.com/subject/12%20UNION%20SELECT%20*%20FROM%20TABLE%20user%20;--'

And this is the whole error I get:

An exception occurred while executing 'SELECT s0_.text AS text, s0_.creationDate AS creationDate, s0_.private AS private, u1_.firstName AS firstName, u1_.lastName AS lastName, s0_.user AS user, c2_.userId AS userId24, c2_.subjectId AS subjectId25 FROM subject s0_ INNER JOIN user u1_ ON s0_.user = u1_.id LEFT JOIN comment c2_ ON s0_.id = c2_.subjectId LEFT JOIN user u3_ ON c2_.userId = u3_.id WHERE s0_.id = 12 UNION SELECT * FROM TABLE user ;--' ORDER BY c2_.creationDate DESC': SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'TABLE user ;--' ORDER BY c2_.creationDate DESC' at line 1

Baldráni
  • 133
  • 1
  • 7
  • Hard to tell without knowing the structure of the query you're trying to inject into - imagine if it was `SELECT * FROM articles WHERE $1` (for a really poor, but short, example). You'd now have `SELECT * FROM articles WHERE UNION SELECT * FROM TABLE user;--` which would be a syntax error. – Matthew Feb 13 '17 at 10:27
  • @Matthew the 12 as first argument is actually where `id = 12` and works well without the `UNION...`. I edited my post to show you the whole error. – Baldráni Feb 13 '17 at 10:29

2 Answers

4

There are multiple errors here:

  • The syntax of a select statement is SELECT [COLUMNS] FROM [TABLE], but you are writing SELECT [COLUMNS] FROM TABLE [TABLE].
  • You are injecting a ;, but that is not required or valid for most APIs.
  • While you can use * in a union select, it is highly unlikely that both tables have the same number of columns, so it will likely not work.
  • You are correct that you cannot just use --, but have to append an actual comment. However, I wouldn't use '. It is likely valid, but it may be filtered, etc. Either use # or append a different string, e.g. -- -, -- foobar, etc.

Given this, this should work:

1 union select 1,2,3 from user -- -

The column count is likely wrong and needs to be adjusted by you.

tim
  • 29,018
  • 7
  • 95
  • 119
  • Technically, you just need a space after the `--`, but some APIs and servers will "helpfully" strip trailing spaces, so using an actual comment is good advice – Matthew Feb 13 '17 at 10:44
  • Okay, this is working! Just a quick further question. So I found out that `1,2,3,4,5,6,7,8` was the right cardinality. But how can I extract specific data? Shall I try to change each argument to a random (but possible) value like password, name ...? Is there a way of 'UNION DESCRIBE USER'? – Baldráni Feb 13 '17 at 10:53
  • 1
    @Baldráni You should only replace those that are actually given back to you (they will be shown in the source code and possibly displayed on the site). My guess would be 1,4, and 5. Then you replace those with the actual column name from the union'ed table you want to retrieve. You can either guess those names, or extract them from information_schema. – tim Feb 13 '17 at 11:10
  • In JDBC using a `;` is effectively not valid. – Walfrat Feb 13 '17 at 12:16
1

For those who googled this up,

The official requirement is to only have a space or a control character after the -- sequence. Consider:

UPDATE account SET credit=credit--1

If it wasn't for the space requirement, the statement would end up being

UPDATE account SET credit=credit

To avoid trailing space truncation, @tim's answer has an extra dash (-- -) in there, but it could be any character, or even --+, and it has nothing to do with the so-called second dash from 9.6 Comment Syntax, where it says

In MySQL, the -- (double-dash) comment style requires the second dash to be followed by at least one whitespace or control character

which simply refers to the last dash of the original -- sequence. It may be confusing at first.

To sum it up, the bare minimum is -- with just a control character (such as a space, tab, newline, and so on).

mehov
  • 421
  • 4
  • 9
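An added example, not part of mehov's answer: a small Python routine (`strip_mysql_comments`, a hypothetical helper written for this page, not MySQL's own lexer) that applies the rule the answer quotes, so the `credit--1` case can be checked by hand. It treats `--` as a comment start only when the next character is whitespace or a control character, treats `#` as a comment start unconditionally, and leaves string literals alone. The second function adds the URL-decoding step that explains why `--+` works from a browser: in a query string `+` decodes to a space, so the server sees `-- `. How MySQL treats a bare `--` at the very end of the input is not covered by the page, and this helper simply keeps it as text.

```python
from urllib.parse import unquote_plus

# Hypothetical helper written for this example; it is not MySQL's lexer. It drops
# comments from one SQL statement using the rules the answer quotes from the manual:
#   * `#`  starts a comment that runs to the end of the line
#   * `--` starts a comment only if the next character is whitespace or a control
#     character; `credit--1` therefore stays `credit - -1`
# Text inside '...' or "..." is copied through untouched, so a `--` or `#` inside a
# string literal is not mistaken for a comment.
def strip_mysql_comments(sql: str) -> str:
    out = []
    i, n = 0, len(sql)
    quote = None                          # quote char we are currently inside, if any
    while i < n:
        ch = sql[i]
        if quote is not None:
            out.append(ch)
            if ch == "\\" and i + 1 < n:  # backslash escape inside a literal
                out.append(sql[i + 1])
                i += 2
                continue
            if ch == quote:
                quote = None
            i += 1
            continue
        if ch in ("'", '"'):
            quote = ch
            out.append(ch)
            i += 1
            continue
        comment = ch == "#"
        if not comment and sql.startswith("--", i):
            nxt = sql[i + 2] if i + 2 < n else None
            # Assumption for this example: `--` at the very end of the input is kept
            # as ordinary text; the page only covers the case where a char follows.
            comment = nxt is not None and (nxt.isspace() or ord(nxt) < 32)
        if comment:
            nl = sql.find("\n", i)
            if nl == -1:
                break                     # comment runs to the end of the statement
            i = nl                        # the newline itself is kept as whitespace
            continue
        out.append(ch)
        i += 1
    return "".join(out).rstrip()

# In a URL query string a `+` decodes to a space, which is why `--+` works when sent
# through a browser: by the time the database sees it, it is `-- ` (dash, dash, space).
def strip_after_url_decoding(query_string_value: str) -> str:
    return strip_mysql_comments(unquote_plus(query_string_value))

if __name__ == "__main__":
    for stmt in ("UPDATE account SET credit=credit--1",
                 "UPDATE account SET credit=credit-- 1",
                 "SELECT 1 FROM user -- -",
                 "SELECT 1 --+1"):
        print(repr(stmt), "->", repr(strip_mysql_comments(stmt)))
    print(repr("SELECT+1+--+1"), "-> decoded ->", repr(strip_after_url_decoding("SELECT+1+--+1")))
```

The `credit=credit--1` statement survives intact, `credit=credit-- 1` is cut back to `credit=credit`, and a raw `--+1` is left alone until URL decoding turns the `+` into the space the rule requires.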