Can you sneak "paste" into the "select" instructions?
Is it possible to sneak an "insert" statement (or anything else that changes the database) in a MySQL "select" statement?
I am asking because I am concerned that I discovered an injection vulnerability, but it is protected from sheer chaos such as
'; drop database; --
only being able to run one statement at a time, no matter how many query statements were corrupted to contain. But if the back end is doing something like
select bar from foo where param = '$improperly_escaped_input'
, is there something I can contribute that would compromise my database?
The vulnerability must be fixed independently. But if I can show an example of how it can be used to freeze data, fixing it goes in the priority queue.
source to share
Data modification is just one aspect of the Sql Injection vulnerability. Even with read permissions, an attacker can elevate their privileges or use a Blind Sql Injection attack to flush every last bit of data from your database.
I can't think of how it would depend on me that the data is changed inside a select statement ... but are you sure you can only run one command at a time ?
No matter what other attack vectors should be sufficient to raise the priority in this issue.
MySQL allows a subquery to reference a stored function, which has data-dependent side effects such as inserting rows into a table. For example, if f () inserts rows, the following query might modify the data:
SELECT ... WHERE x IN (SELECT f() ...);
This behavior is non-standard (not permitted by the SQL standard). In MySQL, it can produce undefined results because f () can take a different amount of time for different executions of a given query, depending on how the optimizer decides to process it.
source to share