SQL injection help
Results 1 to 8 of 8

Thread: SQL injection help

  1. #1
    Junior Member
    Join Date
    Nov 2004
    Posts
    11

    SQL injection help

    Hi,

    I'm testing an application writen in PHP to see if it is vulnerable to SQL injections. There is a GET query in which I put hi' to check if its vulnerable. What I get is an error:
    "DB Error: Bad SQL Query: SELECT cat_id, cat_name, cat_parent_id, cat_hits, cat_order, auth_viewcat, auth_viewimage, auth_sendpostcard FROM 4images_categories WHERE cat_name LIKE '%hi'%' ORDER BY cat_order DESC ;
    You have an error in your SQL syntax near '' ORDER BY cat_order DESC ' at line 3"
    Now I'm not expert in mySQL, but then again I'm not bad either, but this is a pretty complex query for me. I notice that it encapsulates the query in '%....%', could this potentially be a problem?
    I also noticed that whatever I put in, (even -- after the qeury, which would make it not execute the rest) doesnt work, could there be some independant function which checks the query?

    Any ideas?

    Thanks

  2. #2
    Junior Member
    Join Date
    Nov 2002
    Posts
    12
    the LIKE part in the query is kinda like a WHERE only with a diffrent searchpatern. The % signs are also known as wildcards, a way to control the way matching data is found, as can be read here http://www.1keydata.com/sql/sqllike.html

    you might also wanna check this pdf

    http://www.spidynamics.com/papers/SQ...WhitePaper.pdf

    chapter 3.2.5
    The Stranger: Do you have to use so many cuss words?
    The Dude: What the **** you talking about?

  3. #3
    Junior Member
    Join Date
    Nov 2004
    Posts
    11
    Thanks for the links, so in theory if my input is
    hi%'-- it should do the same as entering hi on its own, but this is not the case, as I still get a syntax error Could it be that an independat function is chcking it, because the error message does not look standard (different colors are used, etc)? Any other ideas guys?

  4. #4
    Member
    Join Date
    Dec 2003
    Posts
    39
    For SQL injection, make sure you are doing input validation.

    About your query, make sure you use double and single quotes.

    I usually test my query in mysql using echo and then test in web application.
    万千世界多奇妙,浩瀚宇宙十万问。
    孤独客离君去,欲伴归乡中国

  5. #5
    Junior Member
    Join Date
    Nov 2004
    Posts
    11
    Thanks for replying, but I have a few questions:
    what do you mean with using single and double quotes (i know what they are but where should each be used?)?

  6. #6
    Member
    Join Date
    Dec 2003
    Posts
    39
    I can see you have 3 quotes in your query(always end with pairs, right), and it indicated synax error, using echo to see what is the exact reture queery string, maybe try escape character.

    There are several ways to include quotes within a string:

    A `'' inside a string quoted with `'' may be written as `'''.
    A `"' inside a string quoted with `"' may be written as `""'.
    You can precede the quote character with an escape character (`\').
    A `'' inside a string quoted with `"' needs no special treatment and need not be doubled or escaped. In the same way, `"' inside a string quoted with `'' needs no special treatment.

    SQL injection, by my understanding, it's using bla' or 1=1-- to make a always true statement, you can test by using that string.

    Sorry for my bad English, not my mother tongue.
    万千世界多奇妙,浩瀚宇宙十万问。
    孤独客离君去,欲伴归乡中国

  7. #7
    Do you have the source php for us? It's much more practical to look at the source and then start testing.

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Silly question.... I don't have SQL servers open to the public so I'm not really up on it.....

    If that is the error response that is provided publicly isn't that a security breach in itself? In my reading it seems that the "standard" is to give a "nothing" error such as "The query cannot be completed" rather than dump the entire table structure for the attacker to see. It's my recollection that they use these verbose errors to enumerate the table structures themselves.....

    ... or am I wrong here?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •