mardi 10 février 2015

SQL Injection Issue Multi-line query



I am currently doing a SQL Injection attack against a website in school(that the tech created) sadly I can't point anyone to the site in question, the teacher has allowed us to gain knowledge as necessary. I do have permission to test against this site before people ask why I want to know the answer. I have found what I think is an injectable uname field to create a new user on the website however whenever I try and use multi-line queries the query fails to execute.Before running an INSERT query it seems that a SELECT query is run to check if the uname already exists in the system.


I'm assuming the username field is exploitable as if I create a new user with a single quote in their surname:



uname: o'connor


I get the following verbose SQL error:



OH DEAR - unable execute SQL query: SELECT * FROM usertable WHERE uname='o'connor'


However If I try and use a semi-colon and run a multi-line statement it fails to execute, for example:



uname: admin'; UPDATE usertable SET password='pass' WHERE uname='admin';


An error occurred:



OH DEAR - unable execute SQL query: SELECT * FROM usertable WHERE uname='admin'; UPDATE usertable SET password='pass' WHERE uname='admin'; '


the PHP script that processes the POST data seems to add a single quote on the end but my understanding was that my injected query would execute before reaching this single quote. Am I executing multi-line queries properly?


**UPDATE I have also tried:



uname: admin'; UPDATE usertable SET password='pass' WHERE uname='admin'; --


to no avail same issue that it is unable to execute and I know all these column names and table names are correct. Is there anyway I could output the original query to a text file or something like that or when the results are returned change the value of something that is output on the page to the passwords?





Aucun commentaire:

Enregistrer un commentaire