SQL injection in Java and MySQL when using multiple queries

I have a web application with SQL injection as part of an INSERT statement. It looks like this:

INSERT INTO table1 VALUES ('str1', 1, 'INJECTION HERE')

I can inject regular injections with multiple queries, such as ');truncate table1;--, but due to the fact that Java + MySQL is used, it does not allow stacking multiple queries, so the above injection will lead to an error from MySQL and the second query is never executed.

Thus, basically it seems that all that can be achieved from such an injection in the aforementioned architecture is an injection of "junk data", which is possible without injection.

There are more methods, such as using load_file(), but it still will not allow me to manipulate the database to the extent I am looking for.

Am I missing something? Is there any other way to use this injection to gain control of the database?

+2
3 answers

Of course, if you change the database / driver combination with your current implementation to something that supports multiple requests, then you will activate a dormant security hole that (no doubt) people forgot about!

, .., .. ( /escaped ..). .

PreparedStatement (setString()) ..

:.

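   // Needs java.sql.PreparedStatement and java.math.BigDecimal; con is an open java.sql.Connection.
   PreparedStatement pstmt = con.prepareStatement(
           "UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
   // Each ? is sent as a bound value, so its content is never parsed as SQL.
   pstmt.setBigDecimal(1, new BigDecimal("153833.00"));
   pstmt.setString(2, "Insert what you like here");
   pstmt.executeUpdate();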

setString() /.

+2

SQL- - . , .

, ( MySQL, - - ):

INSERT INTO table1 VALUES ('str1', 1,
-- injected stuff --
'' || (SELECT valuable_info FROM admin_only_table WHERE id=1) || ''
-- end injected stuff --
))

table1 - , , - , - admin_only_table.

, , , SQL , .

+1
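
The two points made in the answers above, shown side by side as an added example that is not code from the original posts: a driver that refuses stacked queries still lets a subselect pull data into the inserted row, and binding the value stores the input as plain text. SQLite through Python's sqlite3 stands in for MySQL and JDBC so that it runs offline (SQLite treats || as concatenation); the helper names and the row in admin_only_table are constructed.

```python
import sqlite3

# Inputs taken from the page: the stacked query from the question and the
# subselect from the answer above.
STACKED = "');truncate table1;--"
SUBSELECT = "' || (SELECT valuable_info FROM admin_only_table WHERE id=1) || '"


def make_db():
    """Constructed schema: table names follow the page, the secret row is made up."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE table1 (a TEXT, b INTEGER, c TEXT);"
        "CREATE TABLE admin_only_table (id INTEGER, valuable_info TEXT);"
        "INSERT INTO admin_only_table VALUES (1, 'constructed-secret');"
    )
    return con


def insert_concat(con, user_value):
    """Vulnerable form: user input is spliced into the SQL text."""
    con.execute("INSERT INTO table1 VALUES ('str1', 1, '" + user_value + "')")


def insert_bound(con, user_value):
    """Hardened form: the value is bound and never parsed as SQL."""
    con.execute("INSERT INTO table1 VALUES ('str1', 1, ?)", (user_value,))


def try_insert(insert, user_value):
    """Run one insert on a fresh database; return (outcome, values stored in table1.c)."""
    con = make_db()
    try:
        insert(con, user_value)
        outcome = "executed"
    except (sqlite3.Error, sqlite3.Warning):
        # execute() accepts a single statement only, like the setup in the question.
        outcome = "rejected"
    stored = [row[0] for row in con.execute("SELECT c FROM table1")]
    con.close()
    return outcome, stored


if __name__ == "__main__":
    for label, value in (("stacked", STACKED), ("subselect", SUBSELECT)):
        for insert in (insert_concat, insert_bound):
            print(label, insert.__name__, try_insert(insert, value))
```

With concatenation the stacked input is rejected, but the subselect input stores the admin_only_table value in table1; with binding both inputs are stored verbatim as strings.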

, , , DROP:

  • , ,

SQL. API.

0

Source: https://habr.com/ru/post/1774527/

