
I am trying to inject into a dummy website I have made; it's a simple form which uses the text input to send data to my PHP file and then outputs the data gathered. The following is my code for the SQL.

$id = $_GET['id'];
// PDO::quote() wraps the value in quotes and escapes any quote characters inside it
$data = $conn->query('SELECT * FROM users WHERE username = ' . $conn->quote($id));
foreach ($data as $row) {
    echo $row['id'] . ' ' . $row['username'];
}

When I try to use things such as unions I get no data back and if I put an apostrophe at the end of the URL I don't get a MySQL error. Could someone please explain why the site is secure from SQL injections?

As there is some confusion as to what I asked: my final goal is to be able to get into the information schema, so I have been trying to use statements like the following to get into the schema, but without success:

' and 1=1 union select table_name,table_schema from information_schema.tables where table_schema='users' # 
  • 5
    That is vulnerable to SQL injection. Commented Dec 9, 2013 at 15:30
  • 1
    It should be, but I can't seem to hack into it; could you recommend a test line to see if I can get in, in case mine are incorrect? Commented Dec 9, 2013 at 15:31
  • 1
    yet another question on magic quotes... Why upvote a thousand-times-duplicate - a question. Commented Dec 9, 2013 at 15:32
  • 3
    Please show the exact query strings used. Commented Dec 9, 2013 at 15:32
  • 3
    Since you control that file, print out the query to make sure it looks correct. If there is anything modifying $_GET (like having magic_quotes on), you'll be able to see. Commented Dec 9, 2013 at 15:34

4 Answers

3

Others apparently may have missed what you were asking...

You are INTENTIONALLY trying to sql-inject your own site, such as for personal learning on how NOT to, but also see what impacts sql-injection CAN do. If so, take a look at your statement and see "what would I need to add to fake it out".

"SELECT * from users WHERE username = '$id'" 

If the user puts a value such as "Bill" for the $id, it would become

"SELECT * from users WHERE username = 'Bill'" 

and run no problem. Now, you want to inject and see ALL users, a common way is to close the quote and then add something else that will always return true... such as a user puts a value of

' OR 1=1 ;-- 

The above would result in

"SELECT * from users WHERE username = '' OR 1=1;-- '" 

The semi-colon and dashes are important to "finish" the original query, and then indicate that anything after the dashes is a comment, so it won't try to execute anything AFTER the otherwise dangling close quote from your original query build construct.

Hopefully that helps answer why you may be failing while TRYING to inject into your own site.

COMMENT FEEDBACK

I don't know why my version would not work; I am not trying to union anything, just to force all records to be returned.

With respect to your UNION clause, that looks ok, but if your users table has 3 columns and your UNION is only 2 columns, that should fail as the union should be the same number of columns as in the original query. THAT would cause a failure on execution, but not enough specific information to confirm.


10 Comments

It was you who missed, actually.
@YourCommonSense, I respectfully disagree with you as he even states he's trying to force a union and putting the closing quote in his URL string. There are times I DO miss things in a post, but I think I'm accurate on this... so to for the response offered from "ins0". So if you downvoted, I would suggest you remove it from both answers.
Congratulations on getting to the question point. Now you need to take another step and get the premises stated in it.
@YourCommonSense, I thought I DID by replying to the poster that they were INTENTIONALLY trying to sql-inject... or do you mean something else.
@YourCommonSense @DRapp I have updated the question to make it clearer, and @DRapp the line you have said does not output anything, and I know this shouldn't be the case because the site is vulnerable to SQL injection
0

Most likely, you have magic quotes enabled, which is saving your otherwise-vulnerable code.

Don't rely on it.

5 Comments

@Niet Magic quotes is off, is there anything else that should be off?
@user2157179: Besides the enable-flag for ext/mysql? Seriously. Stop using it. There is no good reason to use it, and a thousand reasons to switch to mysqli or PDO.
@YourCommonSense Rep points? Mmmmm, they're spicy! But honestly, I'm past the point of caring about points. Seriously, I have 115,000, what's another 10-20 more? And if you're the one who downvoted me, then I'm laughing harder because your -2 hit to my score means nothing.
@cHao I disagree, technically mysql is somewhat less vulnerable. For instance, an attack like this simply won't work because mysql doesn't support multiple queries in a single call. Of course, you can wreak significant damage with a ' OR 1='1 injection, but sanitise and you're good. But that's just, like, my opinion, man.
@NiettheDarkAbsol: Your opinion is incorrect. :) You have to actually use $mysqli->multi_query($sql) in order to get multi-statement support. (query will return false, and $mysqli will report a syntax error right at the beginning of the second statement.) PDO is less strict in this regard, but both APIs also support prepared statements -- which expose "sanitize and you're good" as noobish BS, when you can literally read from /dev/random and pass it as a parameter without escaping it at all, and without being the least bit concerned about SQL injection.
0

As can be clearly seen from both the question and the answers, most people don't understand what injection is. For some strange reason everyone takes the consequences of injection for injection itself, while injection is just query creation. No more, no less.

So, the result of injection is not whatever data is returned, but merely the SQL query string. Thus, what the OP has to check is the resulting SQL query. It is an extremely simple task, as primitive as just echoing the query string out. This will reveal the injection possibility immediately, without toilsome guesswork and sophisticated query building.

Simple output like this

SELECT * from users WHERE username = 'Bill\'' 

will tell you that magic quotes are on and that the whole question is a thousand-times-duplicate and not a real one, at once.

UPDATE

For some strange reason the code in the question has mysteriously been changed to invulnerable PDO-based code, which leads me to believe that the whole performance was just mere trolling.

3 Comments

Your apparently cynical response, and briefly reviewing your obvious disgust with S/O from your metaStackOverflow profile, why do you stay here... If I don't like a television station, I don't tune in to it. And unlike as you state, so many just post "do this", I try to be informative on WHY certain things work to help others become more informed should they encounter similar issues in the future. It's been a while since intentionally trying SQL injection as web development is not a primary, but not everyone knows of "magic quotes".
@DRapp yup I've seen this guy hating on every answer. Look at how many downvotes he provided. Grumpy hypocrite. No idea how old he is, but he's extremely childish and he ruins it for beginners on SO.
@Loko, yup, everyone is expected to be an expert and know how / what to "search" for and know how to interpret other answers for their own situation. If I don't understand something to begin with, how can I compare that to someone else. I'm having problems learning OpenGL, C++ and graphics animation and gaming, yet strong in SQL and programming... doesn't make me understand OpenGL and the graphics pipelines.
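The check recommended in the comments on the question and in the answer above (echo the finished query before running it), carried through on the payload from the first answer, as an added example that is not code from any poster. It assumes PHP's pdo_sqlite extension and an in-memory SQLite database in place of the asker's MySQL server, constructed sample rows, and a hypothetical helper named countRows:

```php
<?php
// Added example, not code from any poster. Uses an in-memory SQLite database
// through PDO (pdo_sqlite extension assumed) with constructed sample rows;
// the quoting rules differ slightly from MySQL but the outcome is the same.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$ins = $conn->prepare('INSERT INTO users (username) VALUES (?)');
foreach (['Bill', 'alice', 'bob'] as $u) {
    $ins->execute([$u]);
}

// The value from the first answer, as it would arrive in $_GET['id'].
$id = "' OR 1=1 --";

// Echo the finished query before running it: that is the check recommended
// in the comments, and it shows at once whether something escaped the input.
function countRows(PDO $conn, string $label, string $sql): int
{
    echo str_pad($label, 10) . $sql . "\n";
    return count($conn->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// 1. Vulnerable: the value is spliced into the SQL text, the quote closes the
//    literal, OR 1=1 matches every row and -- comments out the dangling quote.
$raw = countRows($conn, 'raw', "SELECT * FROM users WHERE username = '$id'");

// 2. The question's code: PDO::quote() wraps the value and escapes the quote
//    inside it, so the whole payload is compared as a literal and matches nobody.
$quoted = countRows($conn, 'quote()',
    'SELECT * FROM users WHERE username = ' . $conn->quote($id));

// 3. What magic_quotes_gpc did to every request value before the script saw
//    it: addslashes(). A backslash showing up here is the sign that it is on.
echo str_pad('magic', 10)
    . "SELECT * FROM users WHERE username = '" . addslashes($id) . "'\n";

// 4. Preferred form: a prepared statement sends the value separately, so no
//    SQL text is ever built from it.
$stmt = $conn->prepare('SELECT * FROM users WHERE username = ?');
$stmt->execute([$id]);
$prepared = count($stmt->fetchAll(PDO::FETCH_ASSOC));

echo "rows returned: raw=$raw quote()=$quoted prepared=$prepared\n";
```

Only the first query returns every user; the quote() and prepared-statement forms return no rows and raise no error, which is exactly the behaviour the question reports.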
0

Your injected SQL String should look like this

-1'/**/UNION/**/SELECT/**/1,@@VERSION/**/FROM/**/users/**/WHERE/**/1='1 

as you need to close the last ' in the final sql query

Update:

like Your Common Sense pointed out

For some strange reason the code in the question has mysteriously been changed to invulnerable PDO-based code, which leads me to believe that the whole performance was just mere trolling.

3 Comments

Please explain the downvote; this is exactly why he can't inject any SQL code.
I think it was @YourCommonSense who downvoted both you and me... We (you and I) both understand the user is TRYING to inject on purpose, the other does not (respectfully disagree though).
Somebody just wants to see the world burn. I upvoted your answer, nice and clean! But I think he gets into trouble with the -- at the end, because -- doesn't work sometimes on specific systems.
