[VIM] On SQL injection and PHP mysql_query...

Heinbockel, Bill heinbockel at mitre.org
Mon Jun 26 17:43:24 EDT 2006


Even if UNION statements could be used, they would be operating on
data fields specified in the SELECT, FROM, and WHERE clauses, so
no real useful information could be gathered.

Some functions, however, can be used in an "ORDER BY", "GROUP BY",
or LIMIT SQL clause, but their security impact can only be judged
on a case-by-case basis, as demonstrated by Stefan Esser here:
http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0065.html

So that brings up the question: is the failing of an SQL query
really a security vulnerability? I know that Steve refers to
these as "forced SQL errors", but is there a threat here?

Or likewise, is the injection of tags into a PHP program that
prevents the proper display of a page (but is somehow immune
to XSS -- maybe by only accepting the < character or something)?

William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615 

>-----Original Message-----
>From: vim-bounces at attrition.org 
>[mailto:vim-bounces at attrition.org] On Behalf Of Sullo
>Sent: Monday, 26 June 2006 17:32
>To: vim at attrition.org
>Subject: Re: [VIM] On SQL injection and PHP mysql_query...
>
>Quoting "Steven M. Christey" <coley at linus.mitre.org>:
>
>>
>> On Mon, 26 Jun 2006, Sullo wrote:
>>
>>> Won't it allow you to use a union, such as:
>>>   'union select ...' when injected into $limit?
>>
>> My understanding is that the union has to happen before the order by...
>
>
>well in my db here I did:
>select * from table1 order by 'union select * from table2';
>
>which lead me to believe it's possible. However I've decided that the
>text between the ' marks is being treated as a name and not an sql
>statement, which makes sense.
>
>so, nevermind :-)
>
>However, injecting a ' would still throw an error... which does not
>mean it's exploitable, but means you are injecting something into the
>sql stream.  perhaps we need a new term for "sql termination" rather
>than "sql injection"?
>
>
>
>-- 
>
>http://www.cirt.net/      |     http://www.osvdb.org/
>
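The two clause positions the thread is arguing about, ORDER BY and LIMIT in a PHP mysql_query string, cannot be bound as prepared-statement parameters, so the defence is validation before interpolation. The script below is an added example, not code from the thread or from any of its participants; it uses Python with sqlite3 in place of PHP and MySQL and assumes a constructed `users` table. It places the concatenation pattern under discussion beside an allow-listed version, shows that a quoted string in ORDER BY runs as a constant expression (Sullo's observation), shows how a lone quote surfaces as the "forced SQL error", and shows a handler that logs the rejected value instead of echoing the driver's error to the client.

```python
import logging
import sqlite3

log = logging.getLogger("orderby-demo")

# Allow-lists for the two clause positions that a driver cannot bind as parameters.
ALLOWED_SORT_COLUMNS = {"id", "name"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}
MAX_LIMIT = 100


def make_db():
    """Constructed in-memory sample table (not data from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("carol",), ("alice",), ("bob",)])
    conn.commit()
    return conn


def vulnerable_query(conn, order_by, limit):
    """The pattern under discussion: untrusted text concatenated straight into ORDER BY / LIMIT."""
    sql = f"SELECT name FROM users ORDER BY {order_by} LIMIT {limit}"
    return [row[0] for row in conn.execute(sql)]


def validate_sort(order_by, direction):
    """Accept only a known column name and a known direction keyword."""
    if order_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"rejected sort column {order_by!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"rejected sort direction {direction!r}")
    return order_by, direction


def validate_limit(limit):
    """Coerce the limit to a bounded integer; anything else is rejected before it reaches SQL."""
    try:
        n = int(str(limit).strip())
    except ValueError:
        raise ValueError(f"rejected limit {limit!r}") from None
    if not 1 <= n <= MAX_LIMIT:
        raise ValueError(f"rejected limit {limit!r}")
    return n


def hardened_query(conn, order_by, direction, limit):
    """Same query shape, but only validated values are ever interpolated."""
    col, dirn = validate_sort(order_by, direction)
    n = validate_limit(limit)
    sql = f"SELECT name FROM users ORDER BY {col} {dirn} LIMIT {n}"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, order_by, direction, limit):
    """Request-handler style wrapper: the client sees a generic message, the log sees the detail."""
    try:
        return {"ok": True, "rows": hardened_query(conn, order_by, direction, limit)}
    except ValueError as exc:
        log.warning("rejected sort/limit input: %s", exc)   # the signal worth alerting on
        return {"ok": False, "error": "invalid request"}
    except sqlite3.DatabaseError as exc:
        log.error("query failed: %s", exc)                  # never echoed to the client
        return {"ok": False, "error": "internal error"}


def demo():
    """Exercise both builders with the inputs mentioned in the thread."""
    conn = make_db()
    out = {}
    # Sullo's observation: a quoted string in ORDER BY is a constant expression,
    # not a second statement, so the query runs and simply returns the rows.
    out["quoted_union_rows"] = vulnerable_query(conn, "'union select * from users'", 10)
    # A lone quote leaves the string unterminated: the parse fails, which is the "forced SQL error".
    try:
        vulnerable_query(conn, "'", 10)
        out["stray_quote_error"] = None
    except sqlite3.OperationalError as exc:
        out["stray_quote_error"] = str(exc)
    # The hardened path refuses both inputs before any SQL string is built.
    out["hardened_union"] = safe_lookup(conn, "'union select * from users'", "ASC", 10)
    out["hardened_quote"] = safe_lookup(conn, "'", "ASC", 10)
    out["hardened_ok"] = safe_lookup(conn, "name", "asc", "2")
    out["hardened_bad_limit"] = safe_lookup(conn, "name", "ASC", "abc")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print the six outcomes. The point to take away is that the allow-list rejects the input before a query string exists, so the database never sees it, and that the handler logs the rejected value rather than returning the driver's parse error, which is exactly the information a forced SQL error would otherwise hand back to whoever sent the request.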

