
Suppose I had a vulnerable query like this:

var q = 'SELECT x FROM y WHERE id = ' + req.body.id + ' ORDER BY date DESC;';

For the purposes of this question, req.body.id could be any integer parameter that isn't type-checked as everything over HTTP is a string.

Since the MySQL extension disables multi-statement queries by default, I can't do something like:

http://example.net/foo?id=1;INSERT INTO y VALUES (things...);--

Is it possible to execute a data manipulation statement (such as INSERT, UPDATE, DELETE) with this vulnerable query?

  • Not exactly a DDL, but you can do SELECT x FROM y WHERE id = sleep(10) and the connection will sleep for 10 seconds per row. Commented Jun 29, 2015 at 11:04
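As an added example (not code from the original question or answer): the concatenated query from the question beside a hardened builder that validates the id before it reaches SQL, plus a small check that flags request values carrying anything other than digits. It assumes the `?` placeholder and `query(sql, values)` convention of the node mysql driver, which is not loaded here, so the block runs offline.

```javascript
// Added example, not from the original question or answer.
// Digits only (max 15 so Number() stays exact): no sign, space, ';' or '('.
const ID_RE = /^[0-9]{1,15}$/;

// The vulnerable builder from the question: the raw request value becomes SQL text.
function buildQueryUnsafe(id) {
  return 'SELECT x FROM y WHERE id = ' + id + ' ORDER BY date DESC;';
}

// Hardened builder: validate the integer first, then hand the value to the
// driver separately from the SQL text. Assumes the `?` placeholder and
// query(sql, values) convention of the node mysql driver (not loaded here).
function buildQuerySafe(id) {
  if (typeof id !== 'string' || !ID_RE.test(id)) {
    throw new Error('id must be a plain integer');
  }
  return { sql: 'SELECT x FROM y WHERE id = ? ORDER BY date DESC', values: [Number(id)] };
}

// Detection-side helper: flag request ids that carry anything but digits.
// This catches both the stacked input and the sleep(10) probe from the thread.
function isSuspiciousId(id) {
  return !ID_RE.test(String(id));
}

// Constructed sample request values; the two payloads are the ones in the thread.
const SAMPLE_IDS = ['1', '1;INSERT INTO y VALUES (1);--', 'sleep(10)', '42'];

function flaggedIds(ids) {
  return ids.filter(isSuspiciousId);
}

console.log('flagged:', flaggedIds(SAMPLE_IDS));
```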

1 Answer


Injecting a stacked-query statement is only possible if the target application is using the MySQL Multi-Query interface. The vast majority of SQL injection does not permit query stacking. Query stacking is useful, but you can access the database and even pop a shell without it. SQLMap can perform these attacks.

Query stacking is used more commonly in documentation about SQL injection than in the real world. This is probably because it is easiest to explain SQL injection using a query stacking demonstration.

  • “The vast majority of SQL injection does not permit query stacking.” – Only if you assume the vast majority uses PHP+MySQL. Commented Oct 23, 2014 at 4:54
  • @Gumbo or Oracle, or PostgreSQL, or HSQLDB, or really anything other than MS-SQL and SQLite. I find query stacking doesn't work in 90-95% of pentests. I don't do PHP/MySQL very often; the OP is using MySQL. Commented Oct 23, 2014 at 17:22
  • @Gumbo I updated my answer to link to the C client bindings that permit multiple queries for MySQL. This is not PHP related. Commented Oct 23, 2014 at 17:27
  • So is it possible to perform insertions and deletions without query stacking? I can't seem to get any to work using a subquery, but then again I'm by no means an expert. Commented Oct 28, 2014 at 5:41
  • @Cory Carter If you are in a select, it is only a select. Subselect can be used to access other tables when injecting into a delete/update/insert. File IO should work within a select. Commented Oct 28, 2014 at 15:43
