SQL injection - is this possible?

Post by invisibtch on Wed Jul 28, 2010 3:28 pm

Hi there.

So. There is a website with PHP and MySQL. It is injectable, but not perfectly, or I don't know how.
Example to reproduce the problem:

Url: http:/ /site.com/?param1=6') -- a&param2=5
Param1 is used in this context:
Code:
$sql_count = mysql_query('SELECT COUNT(*) AS cnt FROM table WHERE (... AND id=' . $param1 . ')');
$sq_result = mysql_query('SELECT a, b, c FROM table WHERE (... AND id=' . $param1 . ')');


If you try to inject it (for example with union poisoning) you'll fail, because it always dies with
an error (union param num doesn't match). So you can't get any information.
Is there a way to get through this? I don't know any injection method which can do things like:
IF cnt THEN union all select 1 ELSE union all select 1,2,3 ENDIF
(It is one of my really old websites where I found this. I don't care about blackhat hacking, it is just an interesting problem to me.)

PS: sorry for my English. :oops:

Re: SQL injection - is this possible?

Post by smaule on Thu Jul 29, 2010 5:33 pm

The only way I can think of is to use "INTO OUTFILE" in the first query; then a file will be created with the output and one can retrieve information.
This, of course, requires the MySQL root user, and write permissions.
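The two queries from the first post with the id validated and bound as a parameter, as an added example that is not part of the thread. It uses PDO with an in-memory SQLite database so it runs offline; the table name `items`, the sample rows and the function names are assumptions, and the WHERE conditions elided in the post are left out.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database (assumption: table "items").
function make_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, a TEXT, b TEXT, c TEXT)');
    $pdo->exec("INSERT INTO items VALUES (5, 'a5', 'b5', 'c5'), (6, 'a6', 'b6', 'c6')");
    return $pdo;
}

// Validate first: the request value must parse as a positive integer.
function parse_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Both queries from the post, with the id bound as a parameter instead of
// being concatenated into the SQL string. Returns null for a rejected id.
function fetch_item(PDO $pdo, string $rawId): ?array
{
    $id = parse_id($rawId);
    if ($id === null) {
        return null; // rejected before any SQL is executed
    }

    $count = $pdo->prepare('SELECT COUNT(*) AS cnt FROM items WHERE (id = :id)');
    $count->bindValue(':id', $id, PDO::PARAM_INT);
    $count->execute();

    $rows = $pdo->prepare('SELECT a, b, c FROM items WHERE (id = :id)');
    $rows->bindValue(':id', $id, PDO::PARAM_INT);
    $rows->execute();

    return [
        'cnt'  => (int) $count->fetchColumn(),
        'rows' => $rows->fetchAll(PDO::FETCH_ASSOC),
    ];
}

$pdo = make_db();
var_dump(fetch_item($pdo, '6'));         // a valid id
var_dump(fetch_item($pdo, "6') -- a"));  // the param1 value from the post's URL
```

On MySQL only the DSN changes. The application's database account should also not hold the FILE privilege, which `INTO OUTFILE` depends on.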


