Can you sneak "paste" into the "select" instructions?

Is it possible to sneak an "insert" statement (or anything else that changes the database) in a MySQL "select" statement?

I am asking because I am concerned that I discovered an injection vulnerability, but it is protected from sheer chaos such as '; drop database; -- by only being able to run one statement at a time, no matter how many query statements were corrupted to contain. But if the back end is doing something like select bar from foo where param = '$improperly_escaped_input', is there something I can contribute that would compromise my database?

The vulnerability must be fixed independently. But if I can show an example of how it can be used to freeze data, fixing it goes in the priority queue.

+3




1 answer


Data modification is just one aspect of the SQL Injection vulnerability. Even with read permissions, an attacker can elevate their privileges or use a Blind SQL Injection attack to flush every last bit of data from your database.

I can't think of how it would depend on me that the data is changed inside a select statement... but are you sure you can only run one command at a time?

No matter what, other attack vectors should be sufficient to raise the priority of this issue.



EDIT: Modification of data is allowed in MySQL subqueries:

MySQL allows a subquery to reference a stored function, which has data-dependent side effects such as inserting rows into a table. For example, if f() inserts rows, the following query might modify the data:

SELECT ... WHERE x IN (SELECT f() ...);

This behavior is non-standard (not permitted by the SQL standard). In MySQL, it can produce undefined results because f() can take a different amount of time for different executions of a given query, depending on how the optimizer decides to process it.

+5
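
An added example, not part of the original answer or of the MySQL documentation: a stored function with a write side effect called from one SELECT, followed by the two defences that apply to the query in the question (a bound parameter, and an application account without EXECUTE). The schema, the function f, the account app_ro and its password are constructed placeholders.

```sql
-- Constructed demo schema; every name here is hypothetical.
CREATE DATABASE IF NOT EXISTS demo_sel;
USE demo_sel;
CREATE TABLE foo (param VARCHAR(32), bar VARCHAR(32));
CREATE TABLE audit_log (id INT AUTO_INCREMENT PRIMARY KEY, note VARCHAR(64));
INSERT INTO foo VALUES ('a', 'first'), ('b', 'second');

-- DELIMITER is a mysql client command, not SQL.
-- With binary logging enabled, MySQL rejects this function (error 1418)
-- unless log_bin_trust_function_creators = 1, because it modifies data
-- and is not declared DETERMINISTIC.
DELIMITER //
CREATE FUNCTION f() RETURNS INT
    NOT DETERMINISTIC
    MODIFIES SQL DATA
BEGIN
    INSERT INTO audit_log (note) VALUES ('written from inside a SELECT');
    RETURN 1;
END//
DELIMITER ;

-- One SELECT statement, no stacked queries, and audit_log still grows.
-- How many rows are added depends on how often the optimizer evaluates
-- the subquery, which is the undefined behaviour the manual warns about.
SELECT COUNT(*) AS rows_before FROM audit_log;
SELECT bar FROM foo WHERE 1 IN (SELECT f());
SELECT COUNT(*) AS rows_after FROM audit_log;

-- Defence 1: bind the input instead of interpolating it into the string.
-- The value is passed as data and is never parsed as SQL.
PREPARE q FROM 'SELECT bar FROM foo WHERE param = ?';
SET @p = 'a';
EXECUTE q USING @p;
DEALLOCATE PREPARE q;

-- Defence 2: least privilege for the application account.
-- Stored functions default to SQL SECURITY DEFINER, so the INSERT runs
-- with the definer's rights; the caller's gate is EXECUTE on the routine.
-- app_ro gets SELECT on foo only, so any statement it runs that calls
-- demo_sel.f() is refused with an "execute command denied" error.
CREATE USER 'app_ro'@'localhost' IDENTIFIED BY 'placeholder-password';
GRANT SELECT ON demo_sel.foo TO 'app_ro'@'localhost';
SHOW GRANTS FOR 'app_ro'@'localhost';
```

Reviewing which accounts hold EXECUTE on routines declared MODIFIES SQL DATA shows where a read-only query path can still write.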

