December 23rd, 2004, 08:18 PM
SQL injection help
I'm testing an application writen in PHP to see if it is vulnerable to SQL injections. There is a GET query in which I put hi' to check if its vulnerable. What I get is an error:
"DB Error: Bad SQL Query: SELECT cat_id, cat_name, cat_parent_id, cat_hits, cat_order, auth_viewcat, auth_viewimage, auth_sendpostcard FROM 4images_categories WHERE cat_name LIKE '%hi'%' ORDER BY cat_order DESC ;
You have an error in your SQL syntax near '' ORDER BY cat_order DESC ' at line 3"
Now I'm not expert in mySQL, but then again I'm not bad either, but this is a pretty complex query for me. I notice that it encapsulates the query in '%....%', could this potentially be a problem?
I also noticed that whatever I put in, (even -- after the qeury, which would make it not execute the rest) doesnt work, could there be some independant function which checks the query?
December 23rd, 2004, 08:36 PM
the LIKE part in the query is kinda like a WHERE only with a diffrent searchpatern. The % signs are also known as wildcards, a way to control the way matching data is found, as can be read here http://www.1keydata.com/sql/sqllike.html
you might also wanna check this pdf
The Stranger: Do you have to use so many cuss words?
The Dude: What the **** you talking about?
December 23rd, 2004, 08:46 PM
Thanks for the links, so in theory if my input is
hi%'-- it should do the same as entering hi on its own, but this is not the case, as I still get a syntax error Could it be that an independat function is chcking it, because the error message does not look standard (different colors are used, etc)? Any other ideas guys?
December 23rd, 2004, 08:47 PM
For SQL injection, make sure you are doing input validation.
About your query, make sure you use double and single quotes.
I usually test my query in mysql using echo and then test in web application.
December 23rd, 2004, 08:52 PM
Thanks for replying, but I have a few questions:
what do you mean with using single and double quotes (i know what they are but where should each be used?)?
December 23rd, 2004, 09:03 PM
I can see you have 3 quotes in your query(always end with pairs, right), and it indicated synax error, using echo to see what is the exact reture queery string, maybe try escape character.
There are several ways to include quotes within a string:
A `'' inside a string quoted with `'' may be written as `'''.
A `"' inside a string quoted with `"' may be written as `""'.
You can precede the quote character with an escape character (`\').
A `'' inside a string quoted with `"' needs no special treatment and need not be doubled or escaped. In the same way, `"' inside a string quoted with `'' needs no special treatment.
SQL injection, by my understanding, it's using bla' or 1=1-- to make a always true statement, you can test by using that string.
Sorry for my bad English, not my mother tongue.
December 23rd, 2004, 09:16 PM
Do you have the source php for us? It's much more practical to look at the source and then start testing.
December 23rd, 2004, 10:13 PM
Silly question.... I don't have SQL servers open to the public so I'm not really up on it.....
If that is the error response that is provided publicly isn't that a security breach in itself? In my reading it seems that the "standard" is to give a "nothing" error such as "The query cannot be completed" rather than dump the entire table structure for the attacker to see. It's my recollection that they use these verbose errors to enumerate the table structures themselves.....
... or am I wrong here?
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides