5

Is it possible to update a field in a MySQL database or insert a new row using SQL injection in this case:

  1. The only protection in the PHP code is mysql_real_escape_string().
  2. The query is constructed in double quotes: "select id from db where id = $id" not single string literal quotes.
  3. The database is mysql (using the mysql_query PHP call), so I don't think stacked queries are possible (correct me if I'm wrong).
  4. Using mysql not mysqli.

I've tried using something like 1; update users set first_name = foo with no luck and tried passing in commas ' in hex and octal format with no luck: chr(0x27)char(0x27)chr(047)ascii tables.

Is it possible to actually update or insert under these conditions?

3
  • 1
    @Rook so what are the alternatives for updating or inserting data?
    – Crizly
    Commented Nov 11, 2014 at 17:43
  • Point 2 is irrelevant. It is only the quoting within the query that can affect SQLi, not how it is represented in PHP.
    Commented Nov 11, 2014 at 22:34
  • @SilverlightFox if it was "select id from db where id = '$id'" that would make it more difficult, no?
    – Crizly
    Commented Nov 11, 2014 at 23:25

2 Answers

4

Query stacking, i.e. select * from tbl; update ... --, is forbidden by most database management systems. In order to enable query stacking in PHP/MySQL, the application must use the mysql_multi_query() function to execute the query. This function is uncommon in the wild.

In SQL injection without query stacking, the attacker is limited by accessible query operators and SQL functions. The tool SQLMap allows an attacker to access functionality exposed by SQL injection with an easy-to-use shell. The example SQL injection vulnerability provided may be blind SQL injection, which can be exploited with SQLMap.

In MySQL, an attacker can append a union select to access other tables:

select id from db where id = 1 union select password from users 

or a sub-select:

select id from db where id = (select password from users) 

Additionally, an attacker could read a file using the load_file() function:

select id from db where id = load_file('/etc/passwd') 

Only select statements can use the into outfile query operator:

select id from db where id = 1 union select password from users into outfile '/var/www/backup.txt' 

The into outfile operator requires the use of single-quotes and cannot be used in a SQL injection exploit when mysql_real_escape_string() is used.

The paper Hackproofing MySQL is still relevant, and covers these attacks, and more.
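As an added illustration of the point made in the answer and comments (example code, not from the original answer or the paper): when the injected value is unquoted, as in the question's "where id = $id", escaping does nothing because the payload contains no quote characters to escape. The script below uses an in-memory SQLite database with constructed db and users tables standing in for the question's schema, and an approximation of mysql_real_escape_string() written for the example.

```python
import re
import sqlite3

# Constructed schema standing in for the question's "db" and "users" tables.
SCHEMA = """
CREATE TABLE db (id INTEGER PRIMARY KEY);
CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT);
INSERT INTO db VALUES (1), (2);
INSERT INTO users VALUES (1, 'hunter2');
"""


def escape_like_mysql(value: str) -> str:
    """Approximation (assumption, not PHP's code) of mysql_real_escape_string():
    backslash-escape quotes, backslash, NUL, newline, CR and Ctrl-Z.
    It never touches spaces or SQL keywords, which is the whole problem here."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    """The pattern from the question: escaped, then interpolated without quotes.
    A union appended to the id passes through the escaper unchanged."""
    query = "select id from db where id = %s" % escape_like_mysql(user_id)
    return [row[0] for row in conn.execute(query)]


def is_valid_id(user_id: str) -> bool:
    """Whitelist validation: an id is a non-negative decimal integer, nothing else."""
    return re.fullmatch(r"[0-9]+", user_id) is not None


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    """Fix: validate the type, then bind the value as a parameter so the
    database driver never parses it as SQL (the equivalent of mysqli/PDO
    prepared statements in PHP)."""
    if not is_valid_id(user_id):
        raise ValueError("id must be a non-negative integer")
    rows = conn.execute("select id from db where id = ?", (int(user_id),))
    return [row[0] for row in rows]
```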

0
    2

    It may be possible using select into: SELECT id FROM table1 WHERE id = 1 INTO table2. However, as the attacker does not directly control the id value, the attacker would need another method of controlling this data for the attack to be able to have a meaningful impact.

    4
    • I'm reading about this at the moment, do you happen to know any methods of controlling the data?
      – Crizly
      Commented Nov 12, 2014 at 14:04
    • 1
      "MySQL Server doesn't support the SELECT ... INTO TABLE Sybase SQL extension. Instead, MySQL Server supports the INSERT INTO ... SELECT". The into table query operator cannot be in the OP's injection.
      – rook
      Commented Nov 12, 2014 at 15:28
    • While true for this specific example (and clearly documented in the referenced link), I feel it would be an oversight not to mention it, so if an MSSQL user reads this they don't walk away thinking they are safe.
      – wireghoul
      Commented Nov 13, 2014 at 22:32
    • @Crizly control of the data and the impact it could have would be application specific.
      – wireghoul
      Commented Nov 19, 2014 at 22:12