Full Disclosure mailing list archives

Re: MySQL trick for SQL injection
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Fri, 06 Nov 2009 10:04:54 -0600

--On Friday, November 06, 2009 06:55:22 -0600 Vladimir Vorontsov 
<vladimir.vorontsov () onsec ru> wrote:

> Good day!
>
> I recently encountered a problem while carrying out a SQL injection.
>
> I wanted to write a file containing interpreter code to execute commands,
> but a bracket was always appended at the end, which I thought I would
> comment out. Comments at the end of the query were filtered. The last
> character is always an appended closing parenthesis. Using a null byte was
> impossible too.
>
> The injection was of this type:
>
> $query = "select bla-bla from content_comments where user_id in (select
> user_id from User where id =".removeBadChars($_GET['id']).");";
>
> where removeBadChars() kills such things as:
>
> but leaves /**/
>
> I wanted to write a script to execute commands into a file. The rows are
> included in the first select, but the opening bracket before the include
> demanded a closing one after it. Besides, the tricky function did not allow
> ending the query with a comment of the form -- or /*.
>
> As a result, I was very surprised, because this variant:
>
> select bla-bla from content_comments where user_id in (select user_id from
> User where id = 1/**/into/**/outfile/**/"/var/www/avatars/img.php")
>
> wrote the result of the OUTER select to the file!
>
> Checked on:
> MySQL 4.1.22
> MySQL 5.1.x

What privileges did the user who performed the select have?

INTO OUTFILE is a dangerous routine (as you've clearly demonstrated), but that 
privilege must be specifically granted to a user before it's possible to 
execute it.  No sensible administrator would grant the FILE privilege to a 
webserver application's database account.  (Usually SELECT, INSERT, and UPDATE 
should be enough.)

OTOH, if you've found a way to execute FILE without having that privilege 
granted to the account, you've uncovered a serious problem.

Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
