[VIM] On SQL injection and PHP mysql_query...

Heinbockel, Bill heinbockel at mitre.org
Mon Jun 26 15:49:12 EDT 2006

In one sentence:
SQL command execution in BtitTracker 1.3.2, as claimed by r0t,
is not possible.


As for the details:
As a follow-up to my posting 2 weeks ago,
regarding a disclosure from r0t detailing a couple of
SQL injection vectors in BtitTracker, I have found some
time to test to see if SQL command execution is possible
following an SQL "ORDER BY" clause. In sort, PHP mysql_query
does not appear to permit multiple queries:

I have been noticing an increase in questionable SQL
injection vulnerabilities. One of note is the reported
BtitTracker injection vulnerabilities as disclosed by

Here the vulnerable parameters are listed as being
"by" and "order". After some source code analysis,
it is shown that these variables are used after an
SQL "ORDER BY" clause.

>From line 175 in torrents.php:
> $query = "SELECT summary.info_hash as hash, ... FROM summary 
> LEFT JOIN namemap ON summary.info_hash = namemap.info_hash
> LEFT JOIN categories ON categories.id = namemap.category 
> $where ORDER BY $order $by $limit";

Therefore, the only opportunity for SQL command execution
is via multiple SQL statements - multiple statements
separated via semicolons ";".

The query is later used in a mysql_query call in PHP.
The PHP documentation says that the semicolon character
should not be used in the query, however it does not
specify what happens if it is...

After some experimentation, it is not possible to
perform any serious SQL injection. The best you can
do is cause an error or cause a different ordering,
grouping, or counts of the original query results.

Thus, be cautious of automatically labeling things as
SQL injection. SQL command execution is not possible
(at least on mysql) after a SQL "ORDER BY", "GROUP BY",
or "LIMIT" clause.

William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org

More information about the VIM mailing list