Query: BID 6273: PortailPhp SQL Injection Vulnerability.

From: Vinay A. Mahadik (VMahadik@Qualys.com)
Date: 12/27/02

    Date: Thu, 26 Dec 2002 16:44:44 -0800
    From: "Vinay A. Mahadik" <VMahadik@Qualys.com>
    To: vALDEUx@aol.com, vuln-dev@securityfocus.com, vuldb@securityfocus.com


    (Posting on vuln-dev too since this has a generic PHP-MySQL SQL
    Injection Vuln question as well).

    I was working on this vulnerability. I came across the following
    advisory on SecurityFocus-BugTraq:


    I find that PHP's mysql_query() only allows one SQL query per call. This
    makes the above vuln non-exploitable, I think.

    If not, I would like to know how to inject some SQL content between
    "LIKE '%" and "%'" (without the " s) and get some meaningful/useful
    response from the server through the mysql_query() query. I have tried
    the usual injections, and only get an error from anything that splits
    the above with semicolons.
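
For the `LIKE '%...%'` context the message describes, this is how the query looks when the search term is bound as a parameter instead of being concatenated into the SQL string. It is an added example, not code from the post or from PortailPhp; the `articles` table, `title` column, function names and sample rows are hypothetical, and in-memory SQLite via PDO stands in for MySQL so the script runs offline.

```php
<?php
// Added example. Table, column and rows are constructed for illustration;
// SQLite in memory stands in for the MySQL back end.

function escapeLike(string $term, string $esc = '!'): string
{
    // Escape the escape character first, then the LIKE wildcards % and _,
    // so user input can only ever match itself literally.
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $term
    );
}

function searchTitles(PDO $db, string $term): array
{
    // The pattern travels as a bound value, never as SQL text, so a quote
    // in $term cannot close the string literal in the statement.
    $stmt = $db->prepare(
        "SELECT title FROM articles WHERE title LIKE :pat ESCAPE '!'"
    );
    $stmt->execute([':pat' => '%' . escapeLike($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE articles (title TEXT)");

$ins = $db->prepare("INSERT INTO articles (title) VALUES (?)");
foreach (["PHP news", "O'Reilly review", "100% uptime", "Release notes"] as $t) {
    $ins->execute([$t]);
}

// Terms containing a quote or a wildcard are matched as plain characters.
foreach (["PHP", "O'Re", "%", "_"] as $term) {
    printf("%-6s => %s\n", $term, json_encode(searchTitles($db, $term)));
}
```

Written this way, the query's safety does not depend on the driver refusing a second statement per call.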