13

I used some vulnerability scanners to check a site of mine, and an instance of blind SQL injection was returned. However, when I try to exploit this vulnerability by entering the following into the address bar, nothing happens:

http://www.example.com/articles.php?id=-1' or 68 = '66; DROP ALL TABLES; --

I don't see why this isn't working. What is the correct text I must enter into the address bar to drop all the tables (and yes, I am testing this on a backup copy of the site)?

Luc
Pamela
  • PHP and MySQL? What [API](http://www.php.net/manual/en/mysqlinfo.api.choosing.php) do you use? – Gumbo Apr 07 '13 at 16:18
  • @Gumbo, sorry, yes PHP and MySQL with mysqli. – Pamela Apr 07 '13 at 16:39
  • Well, in case you use `mysqli_query`, you’re probably not allowed to execute [multiple statements](http://www.php.net/manual/en/mysqli.quickstart.multiple-statement.php) at once. You would need `mysqli_multi_query` instead. – Gumbo Apr 07 '13 at 16:44

2 Answers

19

The vast majority of web applications do not allow query stacking. With PHP/MySQL, an application can allow for query stacking if you use the `mysqli::multi_query()` or `mysqli_multi_query()` functions.

You can exploit these systems using sub-selects, union-selects, blind SQL injection, into outfile, or loadfile(). SQLMap and Havij are both tools that automate the exploitation of SQL injection. SQLMap is a great tool with a wide range of features, and supports a wide variety of injections and DBMSes.

rook
  • I'm also rather fond of the tool 'Havij' which is quite simply 'Aim and Fire' in most cases – NULLZ Apr 11 '13 at 14:51
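The behaviour discussed above, as an added example that is not part of the original posts: a single-statement query API refuses the stacked payload, yet the concatenated query is still injectable, and binding the parameter is what closes it. Python's `sqlite3` is used as a runnable stand-in for PHP/mysqli (an assumption), since its `execute()` also accepts only one statement per call; the table, data and function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the site's articles table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?)",
                   [(1, "First post"), (2, "Second post")])
    return db

def get_article_unsafe(db, raw_id):
    # Vulnerable pattern: the request parameter is concatenated into the SQL text.
    sql = "SELECT id, title FROM articles WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def get_article_safe(db, raw_id):
    # Hardened pattern: validate the type, then bind the value as a parameter
    # so it can never be parsed as SQL.
    try:
        article_id = int(raw_id)
    except ValueError:
        return []
    sql = "SELECT id, title FROM articles WHERE id = ?"
    return db.execute(sql, (article_id,)).fetchall()

def stacked_is_rejected(db, raw_id):
    # execute() takes one statement per call, so a second statement after ';'
    # raises instead of running (Warning or ProgrammingError by Python version).
    try:
        get_article_unsafe(db, raw_id)
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False

def table_count(db):
    row = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table'").fetchone()
    return row[0]

if __name__ == "__main__":
    db = make_db()
    stacked = "-1; DROP ALL TABLES; --"   # string from the page
    boolean = "-1 OR 68 = 68"             # constructed, modelled on the question
    print("stacked rejected:", stacked_is_rejected(db, stacked))
    print("tables still present:", table_count(db))
    print("unsafe, boolean input:", get_article_unsafe(db, boolean))
    print("safe, boolean input:", get_article_safe(db, boolean))
    print("safe, normal input:", get_article_safe(db, "2"))
```

The rejected stacked statement explains why "nothing happens" in the address bar, but it is not a control: the scanner finding stays valid until the query is parameterized.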
0

If the site does not use apostrophes (') you can try this:

http://www.example.com/articles.php?id=-1; DROP ALL TABLES; --
Luc
Nicola