In which web language can I execute multiple queries with SQL injection?

2018-06-05 06:44:53

I'm doing a college work about web vulnerabilities, and I need to demonstrate in practice some of those vulnerabilities, especially SQL injection. I developed two applications, one in PHP, and one in JSP, but none of those accepts multiple queries, and I need to execute a DROP TABLE from a SQL injection script.

So I already know that mysql_query() escapes multiple queries, and Statement.execute() too, I haven't tried yet with ASP.NET. But is ASP.NET the only web language that allows that in the simplest query syntax? Like mysql_query() is PHP simplest syntax, and st.execute() is JSP's simplest syntax, that means that a lot of web applications uses this syntax.

JSP

String query = "SELECT * from user; DROP TABLE user;-- ";
st = con.createStatement();
st.execute(query);

PHP

mysql_query("SELECT * from user; DROP TABLE user;-- ");

Edit: I was not very clear, I'm making a vulnerable login application, and I need to DROP a table with a SQL injection, like in a query:

"SELECT * FROM user where user ='".$_POST['user']."' AND pass = md5('".$_POST['pass']."')";

I pass in the user field '; DROP TABLE user; -- ', my question is, which web language allows me to do that without using specific functions like mysqli_multi_query() ?

Another possibility would be that you could try some roundabout way. Such as having PHP call up a shellexec() and run all the SQL statements through the MySQL console command line via PHP. I am not even sure this can be done, given the interactive nature of the command line here.

Unfortunately it won't really be a way that you can say is common to be used. It seems like all the input suggests that it just can't be done directly these days. At least not the multi-query injection limitation. But that doesn't mean that there are not other SQL injection attacks that can happen.

The one thing that I can think of is using comments or sub-query. With comments you would have to spend a lot of time crafting a solution whereby you add a "--" to the end of your injected SQL to close out the rest of the SQL statement. This would be problematic if there are any line breaks after where your code goes. But using sub-queries seems more possible.

For sub-queries what you would do is probably inject into a search query a value that goes into a WHERE clause.

Example...

Start with this query:

SELECT * FROM students WHERE first_name = 'bobby'; -- Bobby being an unsanitized value.

Becomes:

SELECT * FROM students WHERE first_name = 'bobby' AND (DELETE FROM students WHERE student_id > 0) = true AND '' = '';

In my second example I injected this:

' AND (DELETE FROM students WHERE student_id > 0) = true AND '' = '

Which utilizes the sub-query method to inject an action statement. Check out the page on the SQL standards: http://www.w3resource.com/sql/subqueries/understanding-sql-subqueries.php

This isn't a language limitation by any stretch. Any server-side language for the web can execute multiple queries (I do it all the time). But your question doesn't really make a lot of sense. Are you wanting to pass it a massive SQL file to do a bunch of operations? Or are you wanting to do data/event specific operations such as your basic CRUD functions (Create, Read, Update, Delete)?

All the syntax will be simple. But if you really want to obfuscate it to simplify it further then use an ORM, such as the Eloquent system that comes with the Laravel framework.

Though honestly, I think you just need to spend a bunch of time learning SQL and the web language of your preference. I will say this, PHP is where the vast majority of web development happens. Lots of resources on it.

Edit: Being that you are truly set on running multiple queries from the same call you can use the function described here: http://raamdev.com/2008/multiple-query-problems-with-mysql_query/

AKA: mysqli::multi_query - http://www.php.net/manual/en/mysqli.multi-query.php

It is actually strange that you cannot SQL Inject your own vulnerable code with the 'DROP TABLE method.

I would try using mysqli functions, including the multi-query one, that should be mysqli_multi_query()

Please notice that PHP support for mysqli has been introduced in PHP 5.

EDIT: Just read your comments about being aware of this function. I think this is the simplest way though.

链接地址: http://www.djcxy.com/p/16806.html

上一篇: 你最喜欢的Mootools / Prototype原生对象原型是什么？

下一篇: 我可以使用SQL注入执行多种查询的Web语言？