How to demonstrate second-order SQL injection?

So, I tried to replicate second-order SQL injection. Here is an example template of two PHP pages that I prepared; let me just call it the voter registration form. The user can register, and then you can check whether you are a registered voter or not.

insert.php

    <?php
    // Assumed for this listing: $conn was opened earlier with mysql_connect() (not shown in the post).
    $db_selected = mysql_select_db('canada', $conn);
    if (!$db_selected) {
        die("can't use mysql: " . mysql_error());
    }
    // Every string value is escaped and Age is cast to int, so this first-order INSERT is safe on its own.
    $sql_statement = "INSERT INTO canada (UserID, FirstName, LastName, Age, State, Town) VALUES ('"
        . mysql_real_escape_string($_REQUEST["UserID"]) . "', '"
        . mysql_real_escape_string($_REQUEST["FirstName"]) . "', '"
        . mysql_real_escape_string($_REQUEST["LastName"]) . "', "
        . intval($_REQUEST["Age"]) . ", '"
        . mysql_real_escape_string($_REQUEST["State"]) . "', '"
        . mysql_real_escape_string($_REQUEST["Town"]) . "')";
    echo "You ran the sql query=" . $sql_statement . "<br/>";
    // 'or' (not '||') so that $qry receives the query result rather than a boolean
    $qry = mysql_query($sql_statement, $conn) or die(mysql_error());
    mysql_close($conn);
    echo "Data inserted successfully";
    ?>

select.php

    <?php
    // Assumed for this listing: $conn was opened earlier with mysql_connect() (not shown in the post).
    $db_selected = mysql_select_db('canada', $conn);
    if (!$db_selected) {
        die('Can\'t use mysql:' . mysql_error());
    }
    // First query: the user-supplied UserID is escaped (addslashes, see the first answer).
    $sql = "SELECT * FROM canada WHERE UserID='" . addslashes($_POST["UserID"]) . "'";
    echo "You ran the sql query=" . $sql . "<br/>";
    $result = mysql_query($sql, $conn) or die(mysql_error());
    $row = mysql_fetch_row($result);
    // Second query: the FirstName read back from the database is concatenated without escaping.
    // This is the intentional second-order injection point.
    $sql1 = "SELECT * FROM canada WHERE FirstName = '" . $row[1] . "'";
    echo "The web application ran the sql query internally=" . $sql1 . "<br/>";
    $result1 = mysql_query($sql1, $conn) or die(mysql_error());
    $row1 = mysql_fetch_row($result1);
    mysql_close($conn);
    echo "<br><b><center>Database Output</center></b><br><br>";
    echo "<br>$row1[1] $row1[2] , you are a voter! <br>";
    // Column order is UserID, FirstName, LastName, Age, State, Town, so index 4 is State and 5 is Town.
    echo "<b>VoterID: $row[0]</b><br>First Name: $row[1]<br>Last Name: $row[2] <br>Age: $row[3]<br>State: $row[4]<br>Town: $row[5]<br><hr><br>";
    ?>

Thus, I intentionally made it vulnerable to show how second-order SQL injection works: the user can enter the code in the first-name field (this is where I am stuck right now; I tried many different ways, but it seems like I can do nothing). Then, when a person wants to activate the code that he inserted in the first-name field, all he needs to do is enter the user ID and the code will be inserted.

For example: I type in the insert.php page as follows: userid = 17

firstname = (I need to insert something)

lastname = ..

age = ..

City = ..

state = ..

Then, when I check my data and type 17, the SQL script will be injected. Can I get some examples of what vulnerabilities I can show through this?

+4
2 answers

Using the first name:

 ' OR 1 OR ' 

This will create the following WHERE clause in the second SQL query:

WHERE FirstName = '' OR 1 OR ''

Therefore, the result will be the first record in the table.

By adding a LIMIT clause, you can extract all the rows from the table:

    ' OR 1 ORDER BY UserID ASC LIMIT 0, 1 -- 

Obviously, it will only retrieve one row at a time, so you will need to repeat this and increase the 0 in LIMIT. This example uses a comment (--) to discard the remaining SQL, which would otherwise break the query, because the application appends one more quote after your LIMIT.

Beyond the above example, a more complex attack would use UNION SELECT, which gives access to the entire database via information_schema.

You also use addslashes() in one of your queries. This is not as safe as mysql_real_escape_string(), and in turn, escaping quotes with addslashes() or mysql_real_escape_string() is not as safe as using prepared statements or parameterized queries, for example in PDO or MySQLi.

+3

What needs to be demonstrated?

Second-order SQL injection is nothing more than SQL injection, except that the unsafe code is not the first line that touches the input.

So, to demonstrate:

1) Create an SQL input string that will do something unwanted when executed without escaping.

2) Store this string safely in your database (with escaping).

3) Let some other part of your code FETCH this string and use it elsewhere without escaping.

EDIT: added sample code:

Table:

    CREATE TABLE tblUsers (
        userId    serial PRIMARY KEY,
        firstName TEXT
    )

Suppose you have some kind of SAFE code, for example, getting the first name from a form:

    // Input is escaped before it goes into the query: a safe first-order INSERT
    $firstname = someEscapeFunction($_POST["firstname"]);
    $SQL = "INSERT INTO tblUsers (firstName) VALUES ('{$firstname}');";
    $someConnection->execute($SQL);

So far, so good, assuming someEscapeFunction() does an excellent job. No SQL can be injected here.

If I sent the following string as the value for firstname, you would not mind:

    blah '); DELETE FROM tblUsers; -- 

Now suppose that someone in another part of the system wants to transfer the firstName from tblUsers to tblWhatever, and does it like this:

    $userid = 42;
    $SQL = "SELECT firstName FROM tblUsers WHERE (userId={$userid})";
    $RS = $con->fetchAll($SQL);
    // The column key must match the name used in the SELECT list
    $firstName = $RS[0]["firstName"];

And then inserts it into tblWhatever, without any escaping:

 $SQL = "INSERT INTO tblWhatever (firstName) VALUES ('{$firstName}');"; 

Now, if firstName contains the delete command, it will be executed.

+3
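As an added example (not code from the question or from either answer), here is the voter lookup from the question rebuilt in Python on an in-memory SQLite table, so the payload from the first answer and the three steps from the second answer can be traced end to end: the registration step binds its parameters and is safe, the lookup as posted concatenates the stored FirstName and returns the wrong voter, and the fixed lookup binds the stored value as well. The table, the pre-loaded row and the function names are constructed for this example.

```python
import sqlite3

PAYLOAD = "' OR 1 OR '"  # the first-name value from the first answer


def make_db():
    # Constructed in-memory stand-in for the 'canada' voter table in the question,
    # pre-loaded with one legitimate voter (constructed row).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE canada (UserID INTEGER, FirstName TEXT, LastName TEXT,"
                " Age INTEGER, State TEXT, Town TEXT)")
    con.execute("INSERT INTO canada VALUES (1, 'Alice', 'Smith', 40, 'ON', 'Ottawa')")
    return con


def register(con, user_id, first, last, age, state, town):
    # insert.php step: values are bound as parameters, so the payload is stored
    # as a plain string. This step is safe; the problem only appears later.
    con.execute("INSERT INTO canada VALUES (?, ?, ?, ?, ?, ?)",
                (user_id, first, last, age, state, town))


def lookup_vulnerable(con, user_id):
    # select.php step as posted: the first query is safe, but the FirstName read
    # back from the table is concatenated into the second query unescaped.
    row = con.execute("SELECT * FROM canada WHERE UserID = ?", (user_id,)).fetchone()
    if row is None:
        return None
    sql = "SELECT * FROM canada WHERE FirstName = '" + row[1] + "'"
    # With the payload this becomes: ... WHERE FirstName = '' OR 1 OR ''  (true for every row)
    return con.execute(sql).fetchone()


def lookup_fixed(con, user_id):
    # Mitigation: data read back from the database is untrusted too; bind it as a
    # parameter so the stored quotes stay data instead of becoming SQL.
    row = con.execute("SELECT * FROM canada WHERE UserID = ?", (user_id,)).fetchone()
    if row is None:
        return None
    return con.execute("SELECT * FROM canada WHERE FirstName = ?", (row[1],)).fetchone()


if __name__ == "__main__":
    db = make_db()
    register(db, 17, PAYLOAD, "Doe", 30, "BC", "Vancouver")
    print("vulnerable:", lookup_vulnerable(db, 17))  # Alice's row, not user 17's
    print("fixed:     ", lookup_fixed(db, 17))       # user 17's own row
```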

Source: https://habr.com/ru/post/1440497/
