[sqlmap-users] SQL Injection in INSERT
e***@gmail.com
2011-02-11 17:38:04 UTC
Hello!!

My colleague and I have a problem for university: the teacher says that we need
to upload or modify an existing file and execute the phpinfo(); function. We
are looking at the PHP code, and we think that the SQL injection is in this code:

$sqlp = ", ($isdn, '$user2')";
$sql = "INSERT DELAYED INTO library (isdn, user) VALUES ($isdn, '$user')$sqlp";

All GET and POST parameters in this PHP code are filtered with the
escapeshellcmd function, but not the user2 parameter, because its value comes from
HTTP_X_FORWARDED_FOR. I know that I can modify the HTTP_X_FORWARDED_FOR header
and inject SQL code, but I don't know how to save a file, maybe with UNION
... INTO OUTFILE? I have tried, but it did not work (syntax error).

Another piece of information about the problem is that the DB user is root.

Thanks!

--
Jarred
Miroslav Stampar
2011-02-11 22:34:23 UTC
hi Jarred.

you haven't stated which DBMS you are dealing with. probably MySQL?

if it's MySQL, I think that this line is not the one affected. you
won't be able to use stacked queries for MySQL/PHP for sure, and you
also won't be able to use an INSERT statement to dump into a file.

also, for sure, you won't be able to "modify" existing files.

kr

p.s. to read the first 50 hex chars from C:\test.txt using that INSERT you
described:

http://192.168.117.129/test_environment/mysql/get_int.php?isdn=1&user=3&user2=2'
AND (SELECT 9822 FROM(SELECT COUNT(*),CONCAT((SELECT
MID(HEX(LOAD_FILE('c:/test.txt')),1,50)),FLOOR(RAND(0)*2))x FROM
library GROUP BY x)a) AND 'bla'='bla
sqlmap-users mailing list
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
--
Miroslav Stampar

E-mail: miroslav.stampar (at) gmail.com
Alternate: miroslav.stampar (at) mail.ru
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
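The fix the thread is circling around, written out as an added example (this is not code from either poster): the same two-row INSERT from the question, but with the values bound as parameters instead of pasted into the SQL text, and the X-Forwarded-For value treated as ordinary untrusted input. escapeshellcmd() is written for shell metacharacters and is not a SQL escaping function, so it is the wrong tool here even for the parameters it is applied to. Assumptions, beyond what the thread states: PDO with the MySQL driver, a table library(isdn, user), and placeholder DSN and credentials.

```php
<?php
// Added example, not code from the thread: the INSERT from the question
// rebuilt with a prepared statement. Assumptions: PDO with the MySQL
// driver, a table library(isdn, user); DSN and credentials are placeholders.

// X-Forwarded-For is request input like any other: the client sets it.
// Take the first hop only and accept it only if it parses as an IP address,
// otherwise fall back to REMOTE_ADDR.
function clientAddressFromHeaders(array $server): string
{
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $first = trim(explode(',', $xff)[0]);
    if ($first !== '' && filter_var($first, FILTER_VALIDATE_IP) !== false) {
        return $first;
    }
    return $server['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Vulnerable shape from the thread, kept for contrast only: the values are
// pasted into the SQL text, so a quote in $user or $user2 changes the
// statement itself. escapeshellcmd() targets shell metacharacters, not SQL.
function buildQueryUnsafe(string $isdn, string $user, string $user2): string
{
    $sqlp = ", ($isdn, '$user2')";
    return "INSERT DELAYED INTO library (isdn, user) VALUES ($isdn, '$user')$sqlp";
}

// Hardened form: both rows are still inserted in one statement, but every
// value travels as a bound parameter and never becomes part of the SQL text.
// DELAYED is dropped: deprecated since MySQL 5.6 and ignored by newer versions.
function insertLibraryRows(PDO $db, int $isdn, string $user, string $user2): int
{
    $stmt = $db->prepare('INSERT INTO library (isdn, user) VALUES (?, ?), (?, ?)');
    $stmt->execute([$isdn, $user, $isdn, $user2]);
    return $stmt->rowCount(); // 2 on success
}

// Usage in the request handler; isdn is cast to int so it can only be a number.
$db = new PDO(
    'mysql:host=127.0.0.1;dbname=PLACEHOLDER_DB;charset=utf8mb4',
    'PLACEHOLDER_APP_USER',   // not root: INSERT on library only, no FILE privilege
    'PLACEHOLDER_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);
$isdn  = (int) ($_GET['isdn'] ?? 0);
$user  = (string) ($_GET['user'] ?? '');
$user2 = clientAddressFromHeaders($_SERVER);
insertLibraryRows($db, $isdn, $user, $user2);
```

The other point raised in the thread is the root DB account. In MySQL, LOAD_FILE() and SELECT ... INTO OUTFILE both require the FILE privilege, so connecting as an application account that only has INSERT on library removes the file read/write capability entirely, and secure_file_priv limits which directories the server will touch even for accounts that do hold FILE. Prepared statements close the injection; the restricted account limits what an injection could reach if one is ever found elsewhere.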