Tuesday, December 23, 2014

Is SQL Injection possible with limit?



A friend of mine built a web application that I'm testing for fun. I noticed that he allows a user to set the limit of a certain query, and that limit is not sanitized. For example, I can choose any number or string I like as a limit. I realize that this is SQL Injection and I can easily inject SQL commands, but is it really possible to extract any data or do any damage with a LIMIT?


Example of the query:



SELECT * FROM messages WHERE unread = 1 LIMIT **USER INPUT HERE**


I understand that if the injection was in the WHERE clause I could've easily done a UNION SELECT to extract any information, but is that really possible if the user input was after the limit?


For more information, my friend is using the MySQL driver, so you can't really execute two queries; something such as



SELECT * FROM messages WHERE unread = 1 LIMIT 10;DROP TABLE messages--


is not possible.
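
One way to close the hole described in the question, as an added example that is not part of the original post: the limit is parsed as a bounded integer and bound as a query parameter instead of being concatenated. It uses Python's `sqlite3` as a stand-in for the MySQL driver; the `id` and `body` columns, the function names and `MAX_LIMIT` are assumptions, and the sample rows are constructed.

```python
import sqlite3

MAX_LIMIT = 100  # assumed cap for this example; pick what the UI really needs


def parse_limit(raw, default=10, maximum=MAX_LIMIT):
    """Turn untrusted input into a bounded integer row limit or raise ValueError."""
    if raw is None or str(raw).strip() == "":
        return default
    text = str(raw).strip()
    # ASCII digits only: rejects signs, whitespace tricks, comments and keywords.
    if not (text.isascii() and text.isdigit()) or len(text) > 9:
        raise ValueError("limit must be a positive integer")
    value = int(text)
    if value < 1:
        raise ValueError("limit must be a positive integer")
    return min(value, maximum)


def unread_messages(conn, raw_limit):
    """Run the page's query with the limit bound as a parameter."""
    limit = parse_limit(raw_limit)
    cur = conn.execute(
        "SELECT id, body FROM messages WHERE unread = 1 ORDER BY id LIMIT ?",
        (limit,),  # bound as an int, never concatenated into the SQL text
    )
    return cur.fetchall()


def make_demo_db():
    """Constructed sample data: 20 messages, 10 of them unread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT, unread INTEGER)")
    conn.executemany(
        "INSERT INTO messages (body, unread) VALUES (?, ?)",
        [(f"message {i}", i % 2) for i in range(1, 21)],
    )
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    for raw in ["3", "500", "10;DROP TABLE messages--", "-1", "abc"]:
        try:
            print(repr(raw), "->", len(unread_messages(db, raw)), "rows")
        except ValueError as exc:
            print(repr(raw), "-> rejected:", exc)
```

Converting the value to an integer before it reaches the query is what removes the injection point, whichever driver is in use; the cap additionally stops a caller from requesting an unbounded result set.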




