8

Suppose I had a vulnerable query like this:

var q = 'SELECT x FROM y WHERE id = ' + req.body.id + ' ORDER BY date DESC;';

For the purposes of this question, req.body.id could be any integer parameter that isn't type-checked as everything over HTTP is a string.

Since the MySQL extension disables multi-statement queries by default, I can't do something like:

http://example.net/foo?id=1;INSERT INTO y VALUES (things...);--

Is it possible to execute a data manipulation statement (such as INSERT, UPDATE, DELETE) with this vulnerable query?

Cory Carter
  • Not exactly a DDL, but you can do `SELECT x FROM y WHERE id = sleep(10)` and the connection will sleep for 10 seconds **per row**. – Pacerier Jun 29 '15 at 11:04

1 Answer

4

Injecting a stack-query statement is only possible if the target application is using the MySQL Multi-Query interface. The vast majority of SQL injection does not permit query stacking. Query stacking is useful, but you can access the database and even pop a shell without it. SQLMap can perform these attacks.

Query stacking is used more commonly in documentation about SQL injection than in the real world. This is probably because it is easiest to explain SQL injection using a query stacking demonstration.

rook
  • “The vast majority of SQL injection does not permit query stacking.” – Only if you assume the vast majority uses PHP+MySQL. – Gumbo Oct 23 '14 at 04:54
  • @Gumbo or Oracle, or PostgreSQL, or HSQLDB, or really anything other than MS-SQL and SQLite. I find query stacking doesn't work in 90-95% of pentests. I don't do PHP/MySQL very often; the OP is using MySQL. – rook Oct 23 '14 at 17:22
  • @Gumbo I updated my answer to link to the C client bindings that permit multiple queries for MySQL. This is not PHP related. – rook Oct 23 '14 at 17:27
  • So is it possible to perform insertions and deletions without query stacking? I can't seem to get any to work using a subquery, but then again I'm by no means an expert. – Cory Carter Oct 28 '14 at 05:41
  • @Cory Carter If you are in a SELECT, it is only a SELECT. A subselect can be used to access other tables when injecting into a DELETE/UPDATE/INSERT. File I/O should work within a SELECT. – rook Oct 28 '14 at 15:43
  • @rook, you stated that it's possible to pop a shell. That doesn't seem possible. What would we replace `req.body.id` with to open a shell? – Pacerier Jun 29 '15 at 10:40