
SQL Injection into an INSERT statement.

eyenit0

Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Sun May 12, 2013 8:50 pm

SQL Injection into an INSERT statement.

Hi all,

I'm having trouble making SQL injection work with an INSERT statement and I'm not sure what I'm doing wrong. The PHP code for the SQL request looks like this:

mysql_query("INSERT INTO txtcomment (id,comment) VALUES ('" . $_POST['id'] . "','" . $_POST['comment'] . "')");

Whenever I try to insert into the comment field, it doesn't seem to work. If I attempt to insert into the ID field, it gives me the error "ERROR: Data truncated for column "id" at row 1". It does that even if I just add a ' to the id parameter. If I put a character other than a number into the ID field, I get the error "ERROR: Out of range value adjusted for column "id" at row 1".

When I attempt in the comment field, my whole query goes into the database, special characters and all. There doesn't seem to be any escaping done in the PHP code, so I can't tell why I can't get it to work.
Any obvious mistakes I'm making?
notsosecure

Newbie

Posts: 12

Joined: Thu Apr 21, 2011 5:13 pm

Post Mon May 13, 2013 4:48 am

Re: SQL Injection into an INSERT statement.

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon May 13, 2013 7:10 am

Re: SQL Injection into an INSERT statement.

Hi eyenit0,

Is your 'id' column of type Integer? If it's the case, your problem is your single quotes.

Change from (having single quotes around the 'id' column)
  Code:
INSERT INTO txtcomment (id,comment) VALUES ('" . $_POST['id'] . "','" . $_POST['comment']. "')


to (no single quotes)
  Code:
INSERT INTO txtcomment (id,comment) VALUES (" . $_POST['id'] . ",'" . $_POST['comment']. "')


You only put single quotes around CHAR, VARCHAR and DATE data types...
Let me know if it works!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
eyenit0

Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Mon May 13, 2013 9:37 am

Re: SQL Injection into an INSERT statement.

Thanks for the info, guys. I'm gonna look into it this morning and I'll post back with the outcome. The ID parameter is an integer, so I don't know why quotes are around it, but it's not my code. I'll try changing the code and testing it to see the results, but I'd also like to get it working with how the code is now, if that's even possible.
Either way, I'm gonna go at it a few more times this morning and see what I can find.
eyenit0

Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Mon May 13, 2013 10:56 am

Re: SQL Injection into an INSERT statement.

Still no luck. I removed the quotes from the ID parameter in the PHP code to test and was able to use some true/false statements to verify that I could inject, but as soon as I add the single quotes back into the code, it's no go.

Any time I provide anything other than an integer in the ID field, I get the "Data truncated" error. If I try to inject anything into the comment field, it gets put into the DB exactly as I typed it. I don't see any escaping in the code, but can't figure out why it won't work with the single quotes on that field.


On a similar note, is it possible to inject into a query that gets provided to the mysql_num_rows function? I haven't been able to get it working. I have some code like this and am wondering if it's exploitable as well:
$query = mysql_query("SELECT * FROM products WHERE id=" . $id);
$number = mysql_num_rows($query);


Thanks for the help
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed May 15, 2013 7:27 am

Re: SQL Injection into an INSERT statement.

You know what eyenit0, I suggest you start MySQL Workbench (free!) and try to directly write SQL code there first (without going through PHP code). This way, you will be able to test SQL without the PHP layer.

For example, start with something like this:
  Code:
INSERT INTO txtcomment (id,comment) VALUES (10, '<A comment>');


Then replace the <A comment> (but leave the single quotes there) with what you would normally use for SQL injection. For example:
  Code:
-- Deleting the row containing the username 'bob' from the user table
-- Code to do this is: DELETE FROM user WHERE username='bob'
-- So the injection code would be: comment'); DELETE FROM user WHERE username='bob'; --
-- Note: There is a space at the very end of the SQL injection code!!!
INSERT INTO txtcomment (id,comment) VALUES (10, 'comment'); DELETE FROM user WHERE username='bob'; -- ');


As you can see:
  Code:
comment'); DELETE FROM user WHERE username='bob'; --
Would be your SQLi code (including the space at the end)

Then, once it works in SQL Workbench, try to do the same thing through PHP. MySQL will often give you more meaningful error messages and you don't have to worry about PHP...

Does this make sense?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
eyenit0

Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Wed May 15, 2013 3:21 pm

Re: SQL Injection into an INSERT statement.

Total sense. I should have done that earlier! That helped, along with turning on logging in MySQL to see the queries.

Unfortunately, I realized that magic_quotes is on in PHP (I thought I checked that earlier), so I don't know if this is even exploitable, since the id parameter is quoted. If it weren't, it would be fair game, but I don't see a way out of this one without single quotes.

If I'm missing anything obvious, let me know!
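The thread's root cause is the string concatenation in the PHP snippet, not the quoting of the integer column or magic_quotes (which only escapes input, was removed in PHP 5.4, and is not a fix). The example below is added here and is not code from any poster; it is written in Python with the standard sqlite3 module so it runs offline. It builds the same concatenated INSERT text as the PHP code to show where the payload from the thread breaks out of the string literal, then inserts that same payload through a parameterized INSERT and shows that it is stored as plain text and the `user` table is untouched. The schema (`txtcomment`, `user` with a row for `bob`) and the products-style lookup are constructed to match the thread; `insert_comment` and `count_comments` are hypothetical names, the latter being the bound-parameter equivalent of the `mysql_num_rows` pattern asked about.

```python
import sqlite3

# Constructed sample payload, copied from the thread's example injection string
# (note the trailing space, which the thread points out).
PAYLOAD = "comment'); DELETE FROM user WHERE username='bob'; -- "


def build_unsafe_sql(id_value, comment):
    """Reproduce the thread's PHP concatenation, returning the SQL text only.

    This is never executed here; it exists to show that a quote inside the
    input closes the string literal, so the rest of the input becomes SQL.
    """
    return ("INSERT INTO txtcomment (id,comment) VALUES ('"
            + str(id_value) + "','" + str(comment) + "')")


def open_db():
    """In-memory schema modelled on the thread's tables (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE txtcomment (id INTEGER NOT NULL, comment TEXT NOT NULL);
        CREATE TABLE user (username TEXT NOT NULL);
        INSERT INTO user (username) VALUES ('bob');
    """)
    return conn


def insert_comment(conn, id_value, comment):
    """Hardened INSERT: validate the integer, then bind both values.

    With binding the driver never builds SQL text from the input, so quotes
    and semicolons in `comment` are stored as ordinary characters. The
    integer check turns the thread's 'Data truncated' surprise into a clear
    validation error before any SQL runs.
    """
    try:
        id_int = int(id_value)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    conn.execute(
        "INSERT INTO txtcomment (id, comment) VALUES (?, ?)",
        (id_int, comment),
    )
    conn.commit()


def count_comments(conn, id_value):
    """Bound-parameter equivalent of the thread's mysql_num_rows() lookup."""
    rows = conn.execute(
        "SELECT id, comment FROM txtcomment WHERE id = ?", (int(id_value),)
    ).fetchall()
    return len(rows)


def stored_comments(conn):
    return conn.execute(
        "SELECT id, comment FROM txtcomment ORDER BY rowid"
    ).fetchall()


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM user").fetchone()[0]


def demo():
    """Insert the thread's payload safely and report what the database holds."""
    conn = open_db()
    insert_comment(conn, "10", PAYLOAD)
    return {
        "unsafe_sql": build_unsafe_sql(10, PAYLOAD),
        "stored": stored_comments(conn),
        "users": user_count(conn),
        "matches": count_comments(conn, "10"),
    }


if __name__ == "__main__":
    result = demo()
    print("concatenated text the PHP code would send:")
    print("  " + result["unsafe_sql"])
    print("rows stored via binding:", result["stored"])
    print("rows left in user table:", result["users"])
```

The same binding covers the unquoted `WHERE id=" . $id` case from the second question: `int()` rejects anything that is not a number, and the value is passed as a parameter rather than pasted into the query, so there is nothing for a boolean condition to attach to.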
