How do I make SQL injection work in this vulnerable query?

Time: 05-16

I have this query that receives a parameter from user input and I think that I am vulnerable to SQL injection.

$query = "SELECT pcode,price,description
FROM products 
WHERE description like '%" . $search_criteria . "%' ORDER BY PRICE ";

To test whether it's really vulnerable, I am trying to send the following input:

%';DELETE FROM products WHERE cid=18;#

so that the DELETE instruction is run, but the resulting query from this input is the following:

pcode,price,description FROM products WHERE description like '%%';DELETE FROM products WHERE cid=18#' %' ORDER BY PRICE

Although my test parameter appears in the resulting SQL, the rest of the SQL ("%' ORDER BY PRICE) wasn't ignored by the #.

What adjustments do I need to make so that my input deletes the test row?

Output

SQL Error:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DELETE FROM products WHERE cid=17;-- %' ORDER BY PRICE' at line 1
SQL Statement:SELECT pcode,price,description FROM products WHERE description like '%%';DELETE FROM products WHERE cid=17;-- %' ORDER BY PRICE
Did you run setupreset.php to setup/reset the DB?

How the backend executes the query

$query = "SELECT pcode,price,description FROM products WHERE description like '%" . $search_criteria . "%' ORDER BY PRICE ";
$result = execute_query($query);

CodePudding user response:

Which target DBMS are you trying to hack? Basically, you can try the condition below:

%';DELETE FROM products WHERE cid=18;--' 

See the script: https://www.db-fiddle.com/f/3jC8PGeZZEuty3XVq8gdzz/1

CodePudding user response:

An SQL injection attack that relies on executing a second SQL statement separated by a semicolon (;) may not work. Most connectors for MySQL do not support multi-query by default, so each call can only run one SQL statement.

When you try to inject a semicolon followed by a second statement, you get an error as soon as the parser finds DELETE following the semicolon, because a second statement is not allowed if the interface doesn't enable multi-query. You would get the same error no matter what you put after the semicolon, because the semicolon should be the end of the query input.

Even if the connector supports multi-query, it won't work with prepared statements because prepared statements themselves don't support multi-query.

Cf. https://dev.mysql.com/doc/c-api/8.0/en/c-api-multiple-queries.html:

The multiple statement and result capabilities can be used only with mysql_real_query() or mysql_query(). They cannot be used with the prepared statement interface. Prepared statement handlers are defined to work only with strings that contain a single statement.

So chances are you cannot do the type of SQL injection attack you're trying to test. You could do an SQL injection that changes the expression in the WHERE clause, or which appends UNION and a second SELECT query of your choosing.
