Found 'OR 1=1/* sql injection in my newsletter database


I found the following in the "e-mail" field of my newsletter subscriber database: ' OR 1=1/*

I know it's a SQL injection, but that's it. I've googled it a little bit, but I'm still not clear on what exactly it's trying to achieve. This occurred early Nov, and to my knowledge we had no outages around that time. Can any of you kind souls tell me what this guy was probably trying to do? Is there any way to know whether he achieved what he was trying to do?

I know virtually nothing about this and I'm worried. :(

NotMuchOfAProgrammer asked Dec 13 '12 19:12



2 Answers

'OR 1=1 is an attempt to make a query succeed no matter what.
The /* is an attempt to start a multiline comment so the rest of the query is ignored.

An example would be

SELECT userid FROM users WHERE username = ''OR 1=1/*' AND password = '' AND domain = ''

As you can see, if you were to populate the username field without escaping the ', no matter what credentials the user passes in, the query would return all userids in the system, likely granting access to the attacker (possibly admin access if admin is your first user). You will also notice the remainder of the query would be commented out because of the /*, including the real '.

The fact that you can see the value in your database means that it was escaped and that particular attack did not succeed. However, you should investigate if any other attempts were made.

Joe answered Sep 30 '22 22:09


It probably aimed to select all the information in your table. If you use this kind of query (for example in PHP):

mysql_query("SELECT * FROM newsletter WHERE email = '$email'");

The email ' OR 1=1/* will give this kind of query:

mysql_query("SELECT * FROM newsletter WHERE email = '' OR 1=1/*");

So it selects all the rows (because 1=1 is always true and the rest of the query is 'commented'). But it was not successful:

  • if strings used in your queries are escaped
  • if you don't display all the query results on a page...
berty answered Sep 30 '22 23:09
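The following script is an added, runnable illustration of both answers above; it is not code from the original question or from either answerer. It uses an in-memory SQLite database in place of MySQL and PHP's mysql_query, and the table names, sample rows and function names are constructed for the example. It shows the two things the answers describe: the interpolated query (berty's mysql_query pattern and Joe's login query) returns every row when fed ' OR 1=1/*, while the same queries with bound parameters treat the value as plain data; and a parameterized INSERT stores the payload as a literal string, which is exactly what the asker found in the e-mail column. A small audit query at the end lists stored values that carry the two pieces of the payload the answers discuss.

```python
import re
import sqlite3

# Constructed sample data for this demonstration (not from the original question).
SUBSCRIBERS = ["alice@example.com", "bob@example.com"]
USERS = [("admin", "hunter2"), ("alice", "s3cret")]

# The value the asker found in the e-mail column.
PAYLOAD = "' OR 1=1/*"


def make_db():
    """In-memory SQLite database standing in for the MySQL users/newsletter tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    conn.execute("CREATE TABLE newsletter (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO newsletter (email) VALUES (?)", [(e,) for e in SUBSCRIBERS])
    return conn


def vulnerable_lookup(conn, email):
    """The WHERE email = '$email' pattern from the second answer: the value is pasted
    into the SQL text, so its quote and /* are parsed as SQL, not as data."""
    sql = f"SELECT email FROM newsletter WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, email):
    """Same query with a bound parameter: the value is sent as data and never parsed as SQL."""
    rows = conn.execute("SELECT email FROM newsletter WHERE email = ? ORDER BY id", (email,))
    return [row[0] for row in rows]


def vulnerable_login(conn, username, password):
    """The login query from the first answer, built by string interpolation.
    The /* in the username comments out the AND password = ... clause entirely."""
    sql = (f"SELECT userid FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def safe_login(conn, username, password):
    """Parameterized login: only an exact username/password match returns a row."""
    rows = conn.execute("SELECT userid FROM users WHERE username = ? AND password = ?",
                        (username, password))
    return [row[0] for row in rows]


def subscribe(conn, email):
    """Parameterized INSERT: the payload is stored as a literal string, which is what
    the asker saw in the table, i.e. the quote was escaped rather than executed."""
    conn.execute("INSERT INTO newsletter (email) VALUES (?)", (email,))
    conn.commit()


# Audit pattern for the two pieces of the payload discussed in the answers:
# a quote followed by OR 1=1, or the start of a /* comment.
SUSPICIOUS = re.compile(r"(?i)'\s*or\s+1\s*=\s*1|/\*")


def find_suspicious(conn):
    """Audit check: list stored e-mail values that look like injection attempts."""
    rows = conn.execute("SELECT email FROM newsletter ORDER BY id")
    return [row[0] for row in rows if SUSPICIOUS.search(row[0])]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup:", vulnerable_lookup(db, PAYLOAD))    # every subscriber
    print("safe lookup:      ", safe_lookup(db, PAYLOAD))          # nothing
    print("vulnerable login: ", vulnerable_login(db, PAYLOAD, "x"))  # every userid
    print("safe login:       ", safe_login(db, PAYLOAD, "x"))        # nothing
    subscribe(db, PAYLOAD)
    print("stored literally: ", safe_lookup(db, PAYLOAD))          # the payload, as a plain string
    print("audit hits:       ", find_suspicious(db))
```

SQLite, like MySQL, treats an unterminated /* comment as running to the end of the statement, so the interpolated queries behave the same way the answers describe for MySQL. The last two lines are the practical check for the asker's situation: if the row comes back only through the parameterized lookup, the quote never reached the SQL parser, and the audit query is a quick way to see whether other attempts were stored alongside it.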