CODEWITHSUNDEEP
joomlasql-injectioncode-injection
flatronka
flatronka

Reputation: 1081

SQL injection simulation example

I try to simulate an sql injection within a joomla module, but I it not working. I did some debug in the joomla and I arrive to the following problem.

The code works well in php admin:

SELECT cd.*, cc.title AS category_name, cc.description AS category_description, cc.image AS category_image, CASE WHEN CHAR_LENGTH(cd.alias) THEN CONCAT_WS(':', cd.id, cd.alias) ELSE cd.id END as slug, CASE WHEN CHAR_LENGTH(cc.alias) THEN CONCAT_WS(':', cc.id, cc.alias) ELSE cc.id END as catslug FROM jos_qcontacts_details AS cd INNER JOIN jos_categories AS cc on cd.catid = cc.id WHERE cc.published = 1 AND cd.published = 1 AND cc.access <= 0 AND cd.access <= 0 ORDER BY 1 , cd.ordering;/*!DELETE*/ FROM jos_users where id=64--

But it doesn't work in joomla, I debug the execution to the function in mysqli.php:

function query()
    {

        // Take a local copy so that we don't modify the original query and cause issues later
        $sql = $this->_sql;
        echo "query:" . $sql;

        $this->_cursor = mysqli_query( $this->_resource, $sql );

        return $this->_cursor;
    }

The problem is that the sql query in phpmyadmin but it isn't working in mysqli_query( $this->_resource, $sql );. I am using joomla 1.5 because this is just a simulation.

If you have some idea please share with me. Thanks for the answers.

Upvotes: 0

Views: 963

Answers (1)

user2246674
user2246674

Reputation: 7719

The only way to execute multiple statements with mysqli is with mysqli_multi_query:

Multiple statements or multi queries must be executed with mysqli_multi_query(). The individual statements of the statement string are separated by semicolon. Then, all result sets returned by the executed statements must be fetched.

..

Security considerations

The API functions mysqli_query() and mysqli_real_query() do not set a connection flag necessary for activating multi queries in the server. An extra API call is used for multiple statements to reduce the likeliness of accidental SQL injection attacks. An attacker may try to add statements such as ; DROP DATABASE mysql or ; SELECT SLEEP(999). If the attacker succeeds in adding SQL to the statement string but mysqli_multi_query is not used, the server will not execute the second, injected and malicious SQL statement.

As such, the standard mysqli_query call should be safe from injecting secondary statements.

Upvotes: 2

Related Questions