stackoom
  简体   繁体   中英

SQL Injection within a stored procedure?

 原文  2013-05-09 10:30:58       php/ mysql/ sql/ mysqli/ sql-injection

Question

I've found somewhere in the code where a string isn't being escaped properly. I've been trying to see if it is exploitable (don't worry, I'll end up escaping it or using prepared statements anyway, this is just for a learning experience).

This is using mysqli->query() function;

The Query is generated in PHP like so: 

$Query = "CALL some_proc(".$_SomeID.",'".$_UnescapedString."')";

By inputting $_UnescapedString as test'); DROP TABLE SomeTable; -- test'); DROP TABLE SomeTable; -- test'); DROP TABLE SomeTable; -- I got the query: 

CALL some_proc(1, 'test'); DROP TABLE SomeTable; -- ')

This query was successfully run but it seems that it didn't run the second query. I tested this by putting invalid SQL in the second query and got no errors. I assume this means mysqli is smart enough to only execute a single query?

Now my question is, can I somehow inject SQL into the stored procedure itself? Here is the procedure: 

BEGIN
   SELECT COUNT(*) AS SomeCount
   FROM DataTable
   WHERE DataTable.SomeID = _SomeID
   AND DataTable.SomeValue LIKE CONCAT('%',_UnescapedString,'%');
END

I've tried various SQL such as test','%')-- to see if the query would carry on as normal, but it only changes the stored procedure call, ie: 

CALL some_proc(1, 'test', '%')--');

Is there anyway to get a DROP TABLE command into _UnescapedString ?

1 answers

solution1
 1  2013-05-09 10:43:05

Disclaimer, I use SQL Server and not mySQL, but assuming the behavior with regards to parameters in stored procedures is the same, and also assuming that _UnescapedString is an input parameter, putting DROP TABLE in the parameter would look like this: 

SELECT COUNT(*) AS SomeValue
FROM DataTable
WHERE DataTable.SomeID = _SomeID
AND DataTable.SomeValue LIKE '%DROP TABLE%');

With regards to the query: 

CALL some_proc(1, 'test'); DROP TABLE SomeTable; -- ')

Maybe the DROP TABLE command did not execute due to the user account under which you are running having insufficient permissions to execute DDL statements?

Restricting the permissions of the user account being used to access the database from the web server is a way to limit the damage that an SQL Injection attack could cause. However, it won't stop them.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Possible SQL injection dropping a table with stored procedure? Are following MySql stored procedure vulnarable to sql injection? Is a prepared statement inside a stored procedure safe from SQL injection? Am I safe from SQL Injection by using a stored procedure instead of query? SQL server : stored procedure How to call a stored procedure within another stored procedure (PHP and mysqli) Php Sql Server Stored Procedure Running SQL Stored Procedure in PHP Laravel SQL Server Stored procedure SQL Query with Extended Stored Procedure
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM