
In my Software Assurance class I was asked why the following query allows an SQL injection that lets you log into an unsafe phpBB version but does not allow any modification of the database.

We prepared our VMs with PHP with magic quotes disabled to allow this kind of abuse. Otherwise, this would not work. We also have a very old version of phpBB from 2005.

SELECT user_id, username, user_password, user_active, user_level,
user_login_tries, user_last_login_try
FROM USERS_TABLE
WHERE username = '$username' AND user_password = 'md5($password)';

We can log into the phpBB site by entering this in the login.php username field: admin'# or admin';--.

But when I try to insert an additional account into the database with the following code, I'm not able to add or modify any information in the database:

admin';INSERT INTO users_table(user_id,username,user_password)
VALUES('100','user',.md5('pass'))#

Now, why am I NOT able to add/update/delete any accounts? I have a rough idea why, but I'm not 100% sure. I'm not asking how to make it work, but rather why this doesn't work.

HelpNeeder

1 Answer

Is this MySQL specific? As others have noted in the comments, the standard MySQL extension in PHP does not support stacked queries. Stacked queries allow you to use semicolons (';') to separate SQL statements in a single query. This type of functionality is only supported in the mysqli and PDO extensions of PHP.

From the PHP Documentation:

mysql_query() sends a unique query (multiple queries are not supported) to the currently active database on the server that's associated with the specified link_identifier.

The documentation explicitly states that multiple queries are not supported, so fortunately (unfortunately?) only one statement can be executed at a time.

Also take a look at this question, as it seems to be similar to yours.

I'm A Person
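The mechanism in the question and the answer can be reproduced without PHP or MySQL. The following is an added example, not code from the question, from phpBB, or from the answer: it uses Python's sqlite3 module as an analogue, because `connection.execute()` prepares a single statement and refuses any trailing SQL (the same restriction the PHP documentation states for mysql_query()), while `executescript()` runs every statement in the string, much like mysqli_multi_query(). The table, the admin row, the password, and both payloads are constructed for the example; the comment-out payload uses `--` rather than `#` because SQLite has no MySQL-style `#` comment, and `'x'` stands in for the md5 call the original stacked payload tried to make. The parameterised `login_safe` is the fix a defender would apply.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory table with the columns the question's query selects,
    holding one admin account (password 'secret', md5-hashed as phpBB 2 did)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users_table ("
        " user_id INTEGER PRIMARY KEY, username TEXT, user_password TEXT,"
        " user_active INTEGER, user_level INTEGER,"
        " user_login_tries INTEGER, user_last_login_try INTEGER)"
    )
    conn.execute(
        "INSERT INTO users_table VALUES (2, 'admin', ?, 1, 1, 0, 0)",
        (hashlib.md5(b"secret").hexdigest(),),
    )
    conn.commit()
    return conn


def build_query(username, password):
    """Same string interpolation as the phpBB query in the question
    (magic quotes off, so quotes in `username` reach the SQL untouched)."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return (
        "SELECT user_id, username FROM users_table "
        f"WHERE username = '{username}' AND user_password = '{digest}'"
    )


def login_vulnerable(conn, username, password):
    """Single-statement API, the sqlite3 analogue of mysql_query().
    Returns the matched rows, or the driver's error text if it refuses the SQL."""
    try:
        return conn.execute(build_query(username, password)).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as err:
        # Python raises sqlite3.Warning (older) or ProgrammingError (3.11+):
        # "You can only execute one statement at a time." Nothing has run yet.
        return str(err)


def login_multi_statement(conn, username, password):
    """Multi-statement API, the analogue of mysqli_multi_query(): every statement
    in the string is executed. Returns the number of user rows afterwards."""
    conn.executescript(build_query(username, password))
    return count_users(conn)


def login_safe(conn, username, password):
    """Parameterised query: the username is bound as data, never parsed as SQL."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return conn.execute(
        "SELECT user_id, username FROM users_table "
        "WHERE username = ? AND user_password = ?",
        (username, digest),
    ).fetchall()


def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users_table").fetchone()[0]


# Comment-out payload from the question, with SQLite's '--' in place of MySQL's '#'.
BYPASS = "admin'-- "
# Stacked payload modelled on the question's (constructed; 'x' replaces the md5 call).
STACKED = (
    "admin';INSERT INTO users_table(user_id,username,user_password) "
    "VALUES(100,'user','x')-- "
)

if __name__ == "__main__":
    db = make_db()
    print("comment-out bypass:", login_vulnerable(db, BYPASS, "anything"))  # [(2, 'admin')]
    print("stacked, single-statement API:", login_vulnerable(db, STACKED, "anything"))
    print("users after that attempt:", count_users(db))  # 1
    print("stacked, multi-statement API, users now:", login_multi_statement(db, STACKED, "anything"))  # 2
    print("parameterised query with bypass payload:", login_safe(db, BYPASS, "anything"))  # []
```

The first call succeeds because the comment only truncates the one statement the driver was going to run anyway; the second fails before any SQL executes because the driver sees a second statement after the first semicolon, which is exactly the behaviour the PHP documentation describes for mysql_query(). The third call shows that this is a property of the API, not a defence: once the application uses a multi-statement entry point, the same payload inserts the row. Only the parameterised query removes the injection itself.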