I'm learning SQL injection and I built a web application (PHP + MySQL 5.6) without protection against SQL injection.
In brief, my web application uses
SELECT * FROM XXX.USER WHERE user_name='${USERNAME}' AND password='${PASSWORD}'
to handle login (if that SQL returns exactly 1 row, then login succeeds).
At the beginning, I found that inputting USERNAME as Sayakiss' -- makes my SQL:
SELECT * FROM XXX.USER WHERE user_name='Sayakiss' -- ' AND password='${PASSWORD}'
That way, an attacker can log in as Sayakiss without a password.
Then I found something more interesting (a SELECT clause can be inside the IF function): the attacker inputs USERNAME as
Sayakiss' and if((select ascii(mid(z,p,1)) from x.y limit n,1)=c,1,0) --
This checks whether the ASCII code of the character at position p of the n-th row of column z of table x.y equals c or not. If the attacker's login succeeds, then he knows the ASCII code of that character equals c.
So an attacker can get everything in my database by enumeration!
Now I wonder, how (if it's possible) could an UPDATE query be executed to write to the database in a similar way?
I believe so; an attacker can make an update, but will probably need the names of the table and fields to run it correctly.
I think the query would be something like
'Sayakiss'; UPDATE table_name SET field1=new-value1, field2=new-value2 WHERE user_name='Sayakiss'; --
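Since the root cause is how the login statement is built rather than anything specific to MySQL, here is an added example (mine, not code from the question or the answer) in Python with SQLite standing in for PHP + MySQL 5.6. It puts the question's query as a string-spliced statement next to its parameterized form and runs both against constructed sample rows with the Sayakiss' -- username from the question. The table and column names, the sample users and the function names are assumptions. The parameterized form also settles the UPDATE question: when the values travel separately from the SQL text, the input cannot close the statement and start another one (and the classic PHP mysql_query() call rejects more than one statement per call in any case).

```python
import sqlite3

# Constructed stand-in for the question's XXX.USER table (hypothetical rows).
SAMPLE_USERS = [("Sayakiss", "s3cret"), ("alice", "hunter2")]


def make_db():
    """In-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (user_name TEXT NOT NULL, password TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Mirrors the question: user input is spliced into the SQL text.

    Whatever the caller types becomes part of the statement, so a quote
    followed by a comment marker (Sayakiss' --) truncates the password
    check, exactly as the question describes.
    """
    sql = (
        "SELECT * FROM user WHERE user_name='%s' AND password='%s'"
        % (username, password)
    )
    rows = conn.execute(sql).fetchall()
    return len(rows) == 1


def login_parameterized(conn, username, password):
    """Hardened form: placeholders in the SQL, values passed separately.

    The driver never interprets the values as SQL, so a quote, a comment
    marker or a semicolon in the input is just characters compared against
    the column. Stacked statements (the UPDATE case) are impossible by
    construction because the statement text is fixed before any value arrives.
    """
    sql = "SELECT * FROM user WHERE user_name=? AND password=?"
    rows = conn.execute(sql, (username, password)).fetchall()
    return len(rows) == 1


def demo():
    """Run the question's own payload against both versions of the login."""
    conn = make_db()
    payload = "Sayakiss' --"  # the USERNAME value from the question
    results = {
        "vulnerable_bypassed": login_vulnerable(conn, payload, "wrong"),
        "parameterized_bypassed": login_parameterized(conn, payload, "wrong"),
        "parameterized_real_login": login_parameterized(conn, "Sayakiss", "s3cret"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running it prints True for the string-spliced login with the bypass payload and False for the parameterized one, while a genuine username and password still log in. The two functions differ only in whether the values are part of the SQL string; that single difference is what separates the question's application from a safe one.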