
is it possible to add a new query like update in between this?:

SELECT characters.id as charId
FROM characters
WHERE characters.name 
LIKE '%<User-Input-Here>%'
ORDER BY `level` DESC, exp DESC
LIMIT 10
OFFSET 0

I found out that union is a vulnerability here:
User Input: ' union select count(characters.id) FROM characters -- '
Result:

SELECT characters.id
FROM characters  
WHERE characters.name 
LIKE '%' union select count(characters.id) FROM characters -- '%'
ORDER BY `level` DESC, exp DESC 
LIMIT 10 
OFFSET 0 

But my question now:
Is it somehow possible to add a complete new query?
I already tried something like:

'; UPDATE characters SET characters.name = 'foo' -- '

Which becomes following:

SELECT characters.id
FROM characters
WHERE characters.name 
LIKE '%'; UPDATE characters SET characters.name = 'foo' -- '%'
ORDER BY `level` DESC, exp DESC 
LIMIT 10 
OFFSET 0 

I receive this error message:

check the manual that corresponds to your MySQL server version for the right 
syntax to use near 
'update characters set characters.name = 'foo' -- 
'%'\n\nORDER BY `level` DESC, exp' at line 15",

I have a feeling that semicolons don't work in this case. If so, why wouldn't they and is there an alternative/workaround?

1 Answer


MySQL does not normally allow multiple statements per call, so you can't do this type of injection. The error you're seeing is because of this. The application has to explicitly enable multiple statements per call, which is done differently on a per-language basis. For example, PHP has mysqli_multi_query, whereas the C binding requires you to pass CLIENT_MULTI_STATEMENTS to mysql_real_connect and then query calls can have multiple statements in them.

Whereas other RDBMS products (e.g. MSSQL) support a SELECT ... INTO syntax that may allow you to inject an INTO clause onto the end of a SELECT and use it to add new rows to another table, MySQL does not support this syntax. Instead you have to specify INSERT INTO at the start, so it isn't possible to inject an INTO clause in this fashion.

Polynomial
  • Thanks for the answer! I thought about something like this. So if there's no way to add multiple queries, is it somehow possible to add an update/insert clause within the select query? Like ` union update ` which I know doesn't exist. – Mar 14 '19 at 12:24
  • Not that I'm aware of. – Polynomial Mar 14 '19 at 12:39
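The fix the answer points towards, as an added example that is not from the question or the answer: bind the search term as a parameter and escape the LIKE wildcards, so the union payload from the question is matched as a literal character name instead of being parsed as SQL. It assumes an in-memory sqlite3 stand-in for the MySQL table with constructed rows; the SQL itself is MySQL-compatible, but a MySQL driver such as PyMySQL uses %s placeholders instead of ?.

```python
import sqlite3

# Constructed rows standing in for the question's `characters` table.
ROWS = [
    (1, "Alice", 20, 500),
    (2, "Bob", 15, 120),
    (3, "Ali%Baba", 30, 900),  # a name containing a literal LIKE wildcard
]


def connect():
    # sqlite3 is only used so the example runs offline; MySQL is the real target.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE characters (id INTEGER, name TEXT, level INTEGER, exp INTEGER)")
    db.executemany("INSERT INTO characters VALUES (?, ?, ?, ?)", ROWS)
    return db


def vulnerable_sql(user_input):
    """The query from the question, built by string concatenation (shown for contrast only)."""
    return (
        "SELECT characters.id AS charId FROM characters "
        f"WHERE characters.name LIKE '%{user_input}%' "
        "ORDER BY `level` DESC, exp DESC LIMIT 10 OFFSET 0"
    )


def escape_like(user_input, esc="!"):
    """Escape %, _ and the escape char so user text matches literally inside LIKE."""
    return (user_input.replace(esc, esc + esc)
                      .replace("%", esc + "%")
                      .replace("_", esc + "_"))


def search(db, user_input):
    """Safe version: the pattern is a bound parameter and never part of the SQL text."""
    pattern = "%" + escape_like(user_input) + "%"
    cur = db.execute(
        "SELECT characters.id AS charId FROM characters "
        "WHERE characters.name LIKE ? ESCAPE '!' "
        "ORDER BY `level` DESC, exp DESC LIMIT 10 OFFSET 0",
        (pattern,),
    )
    return [row[0] for row in cur.fetchall()]
```

With the parameterized version, the question's payload `' union select count(characters.id) FROM characters -- ` simply returns no rows, because no name contains that text.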