I'm currently testing Vulnerabiltys to SQL Injections for my companys application as an it-trainee.
So I found, that the application is indeed vulnerable to injections because I can alter some of the insert statements.
So I altered the insert Statement to this:
INSERT INTO tablename( column, column1, column2, column3, column4,column5, column6, column7, column8 )
VALUES ( 10965972, 185796154, 25, 23,2023, '', CURRENT_DATE, 'v0201100',
18);
DELETE *
FROM tablename;-- , 2023,'a', CURRENT_DATE, 'v0201100', 18 )
I thought this should be a correct statement, but the MySQL Server returned this Error: MySQL Error: 1064 (You have an error in your SQL syntax;[...]
Would be nice if somebody could help and tell my why the syntax is wrong...
Thanks for your help :-)
Edit: Thanks for all your answers. :) Unfortunatly the * wasn't the Problem. I tried to execute the statement (statement is executed by php) without the delete part so the statement looks like this:
[...] VALUES( 10963455, 182951959, 23, 23,2023, '', CURRENT_DATE, 'v0201100', 18)--, 2023, '', CURRENT_DATE, 'v0201100', 18 )
But even then the MySQL Server returned the Same Error. Here is the Full Error Message:
MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '--, 2023, '', CURREN' at line 17) Session halted.
Would really appreciate it if anyone knew the problem.
If that sample chunk of query is executed in a SINGLE ->query() call, MySQL's driver doesn't allow multiple queries within a single query call. It eliminates the bobby tables type injection attacks, but doesn't prevent injecting values that would manipulate where clauses and whatnot.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With