发表新帖
发表新帖

How do I demonstrate a Second Order SQL Injection?

前端 未结
关注
2 950
既然无缘
既然无缘 2020-12-10 18:58

So I\'ve been trying to replicate a second order SQL Injection. Here\'s an example template of two php based sites that I\'ve prepared. Let\'s just call it a voter registrat

相关标签:
2条回答
  • 無奈伤痛
    2020-12-10 19:43

    What is there to demonstrate?

    Second order SQL injection is nothing more than SQL injection, but the unsafe code isn't the first line.

    So, to demonstrate:

    1) Create a SQL injection string that would do something unwanted when executed without escaping.

    2) Store that string safely in your DB (with escaping).

    3) Let some other piece of your code FETCH that string, and use it elsewhere without escaping.

    EDIT: Added some examplecode:

    A table:

    CREATE TABLE tblUsers (
  userId serial PRIMARY KEY,
  firstName TEXT
)

    Suppose you have some SAFE code like this, receiving firstname from a form:

    $firstname = someEscapeFunction($_POST["firstname"]);

$SQL = "INSERT INTO tblUsers (firstname) VALUES ('{$firstname }');";
someConnection->execute($SQL);

    So far, so good, assuming that someEscapeFunction() does a fine job. It isn't possible to inject SQL.

    If I would send as a value for firstname the following line, you wouldn't mind:

    bla'); DELETE FROM tblUsers; //

    Now, suppose somebody on the same system wants to transport firstName from tblUsers to tblWhatever, and does that like this:

    $userid = 42;
$SQL = "SELECT firstname FROM tblUsers WHERE (userId={$userid})";
$RS = con->fetchAll($SQL);
$firstName = $RS[0]["firstName"];

    And then inserts it into tblWhatever without escaping:

    $SQL = "INSERT INTO tblWhatever (firstName) VALUES ('{$firstName}');";

    Now, if firstname contains some deletecommand it will still be executed.

    0 讨论(0)
  • 感情败类
    2020-12-10 19:57

    Using a first name of:

    ' OR 1 OR '

    This will produce a where clause in the second SQL of

    WHERE FirstName = '' OR 1 OR ''

    Therefore the result will be the first record in the table.

    By adding a LIMIT clause, you can extract all rows from the table with:

    ' OR 1 ORDER BY UserID ASC LIMIT 0, 1 --

    Obviously it will only extract 1 row at a time, so you would need to repeat that and increment the 0 in the LIMIT. This example uses a comment -- to terminate the remaining SQL which would otherwise cause the query to fail because it would add a single quote after your LIMIT.

    The above is a simple example, a more complex attack would be to use a UNION SELECT which would give you access to the entire DB through the use of information_schema.

    Also you are using addslashes() in one of your queries. That is not as secure as mysql_real_escape_string() and in turn: escaping quotes with either is not as secure as using prepared statements or parameterised queries for example in PDO or MySQLi.

    0 讨论(0)
 看不清?
提交回复
热议问题