WackoPicko/Stored-SQL-Injection

From aldeid
Stored SQL Injection

Description

When users create an account, they are asked to supply their first name. This supplied value is then used unsanitized on a page that shows other users who have a similar first name. An attacker can exploit this vulnerability by creating a user with the name "';DROP TABLE users;#" then visiting the similar users page.

Proof of Concept

Note
Stacking a second statement after a semicolon, as the "';DROP TABLE users;#" payload does, will not work here whatever the MySQL version: PHP's mysql_query() sends exactly one statement and does not support multiple queries, so MySQL answers with a syntax error, which the vulnerable branch then prints to the user via die(mysql_error()). The injection itself is still real: a payload that stays inside a single statement, for instance a UNION SELECT with the right number of columns followed by a # comment, is executed as written.

How to detect?

How to protect against it?

Code

As we can see in the similar_login() function of the include/users.php script, the first request (tagged with the comment VULNERABLE REQUEST) is not sanitized at all: $login is interpolated straight into the SQL string, so a single quote in the first name closes the literal and everything after it is parsed as SQL.

  function similar_login($login, $vuln = False)
  {
     if ($vuln)
     {
        /*** VULNERABLE REQUEST ***/
        // $login is interpolated directly into the query: a quote in the
        // first name ends the literal and the rest is parsed as SQL.
        $query = "SELECT * from `users` where `firstname` like '%{$login}%' and firstname != '{$login}'";
     }
     else
     {
        /*** SANITIZED REQUEST ***/
        // Quotes and backslashes are escaped before interpolation.
        // mysql_real_escape_string() leaves the LIKE wildcards % and _
        // untouched, so a user can still widen the pattern with them.
        $query = sprintf("SELECT * from `users` where `firstname` like '%%%s%%' and firstname != '%s'",
                         mysql_real_escape_string($login),
                         mysql_real_escape_string($login));
     }
     $res = mysql_query($query);
     if ($res)
     {
        $to_ret = array();   // initialised so an empty result returns an array, not an undefined variable
        while ($row = mysql_fetch_assoc($res))
        {
           $to_ret[] = $row;
        }
        return $to_ret;
     }
     else
     {
        if ($vuln)
        {
           // The raw MySQL error message is sent back to the user.
           die(mysql_error());
        }
        return False;
     }
  }
