Tuesday 14 November 2017

php - SQL Injection within a stored procedure?

I've found somewhere in the code where a string isn't being escaped properly. I've been trying to see if it is exploitable (don't worry, I'll end up escaping it or using prepared statements anyway, this is just for a learning experience).

This is using the mysqli->query() function.

The query is generated in PHP like so:

$Query = "CALL some_proc(".$_SomeID.",'".$_UnescapedString."')";

By inputting $_UnescapedString as test'); DROP TABLE SomeTable; -- I got the query:

CALL some_proc(1, 'test'); DROP TABLE SomeTable; -- ')

This query was successfully run but it seems that it didn't run the second query. I tested this by putting invalid SQL in the second query and got no errors. I assume this means mysqli is smart enough to only execute a single query?

Now my question is, can I somehow inject SQL into the stored procedure itself? Here is the procedure:

BEGIN
  SELECT COUNT(*) AS SomeCount
  FROM DataTable
  WHERE DataTable.SomeID = _SomeID
    AND DataTable.SomeValue LIKE CONCAT('%', _UnescapedString, '%');
END

I've tried various SQL such as test','%')-- to see if the query would carry on as normal, but it only changes the stored procedure call, i.e.:

CALL some_proc(1, 'test', '%')--');

Is there any way to get a DROP TABLE command into _UnescapedString?
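As an added example (not part of the original question or its code), here is the same procedure call made with a mysqli prepared statement, so the quote and semicolon in the payload are bound as data rather than concatenated into the statement text; it also escapes LIKE wildcards, since the procedure's CONCAT('%', ..., '%') would otherwise treat a user-supplied % or _ as a pattern. The connection credentials and the names count_matches and escape_like are assumptions; the procedure some_proc and its SomeCount column are taken from the question.

```php
<?php
// Added example, not the original poster's code. Assumes a reachable MySQL
// server with the placeholder credentials below, the some_proc procedure from
// the question, and the mysqlnd driver (needed for mysqli_stmt::get_result()).
declare(strict_types=1);

// Turn silent mysqli failures into exceptions so a rejected statement
// (e.g. a syntax error after an injected ';') cannot go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders

// Vulnerable construction from the question, kept here only for contrast:
//   $Query = "CALL some_proc(" . $_SomeID . ",'" . $_UnescapedString . "')";
//   $mysqli->query($Query);

/**
 * Escape the LIKE wildcards % and _ (and the escape character itself) so the
 * user's text is matched literally inside the procedure's CONCAT('%', ..., '%').
 * MySQL's default ESCAPE character for LIKE is the backslash.
 */
function escape_like(string $s): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $s);
}

/**
 * Call some_proc with bound parameters and return SomeCount.
 * The statement text never contains user input, so a payload such as
 * "test'); DROP TABLE SomeTable; --" is just a string to search for.
 */
function count_matches(mysqli $db, int $someId, string $needle): int
{
    $stmt = $db->prepare('CALL some_proc(?, ?)');
    $pattern = escape_like($needle);
    $stmt->bind_param('is', $someId, $pattern);   // i = integer, s = string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    // CALL also returns a trailing OK result; close() discards pending results
    // so the connection is not left "out of sync" for the next query.
    $stmt->close();
    return (int) $row['SomeCount'];
}

// The payload from the question, now searched for as a literal substring.
$payload = "test'); DROP TABLE SomeTable; --";
echo count_matches($mysqli, 1, $payload), PHP_EOL;
```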
