Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

SQL Injection on INSERT

I'm currently testing Vulnerabiltys to SQL Injections for my companys application as an it-trainee.

So I found, that the application is indeed vulnerable to injections because I can alter some of the insert statements.

So I altered the insert Statement to this:

INSERT INTO tablename( column, column1, column2, column3, column4,column5, column6, column7, column8 ) 
VALUES ( 10965972, 185796154, 25, 23,2023, '', CURRENT_DATE, 'v0201100',
18); 

DELETE * 
  FROM tablename;-- , 2023,'a', CURRENT_DATE, 'v0201100', 18 )

I thought this should be a correct statement, but the MySQL Server returned this Error: MySQL Error: 1064 (You have an error in your SQL syntax;[...]

Would be nice if somebody could help and tell my why the syntax is wrong...

Thanks for your help :-)

Edit: Thanks for all your answers. :) Unfortunatly the * wasn't the Problem. I tried to execute the statement (statement is executed by php) without the delete part so the statement looks like this:

[...] VALUES( 10963455, 182951959, 23, 23,2023, '', CURRENT_DATE, 'v0201100', 18)--, 2023, '', CURRENT_DATE, 'v0201100', 18 )

But even then the MySQL Server returned the Same Error. Here is the Full Error Message:

MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '--, 2023, '', CURREN' at line 17) Session halted.

Would really appreciate it if anyone knew the problem.

like image 799
freddy Avatar asked Jul 13 '26 05:07

freddy


1 Answers

If that sample chunk of query is executed in a SINGLE ->query() call, MySQL's driver doesn't allow multiple queries within a single query call. It eliminates the bobby tables type injection attacks, but doesn't prevent injecting values that would manipulate where clauses and whatnot.

like image 130
Marc B Avatar answered Jul 14 '26 19:07

Marc B



Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!