Tuesday, January 23, 2007

SQL Injection and MyODBC

Recently I was attempting to exploit what have should have been a very vanilla SQL Injection attack. The webserver was Microsoft IIS6 serving ASP pages. This server was using MySQL's MyODBC Driver to allow this application to connect to a backend MySQL database. However, everything I tried only yielded an error message similiar to:



Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[MySQL][ODBC 3.51 Driver][mysqld-5.0.26-standard-log]You have an error in your SQL sytanx; check the manual that corresponds to your MySQL server version for the right sytanx near ';DROP table userinfo' at line 1

/test/test.asp, line 192


Having access to the asp file, I could see that the SQL Query was basically:

SELECT * FROM userinfo where user = Request.QueryString('user_id');

Normally it would be trivial to modify the HTTP Request to be:

/test.asp?user_id=bob%3BDROP%20table%20userinfo%20--

So that the SQL query would effectively become:

SELECT * FROM userinfo where user ='bob'; DROP TABLE userinfo; --


However, for some reason I could not get this to behave as expected. I was able to append other SQL syntax (AND, OR, etc) and get the desired results, but I was not able to DROP that particular table. After much digging, I ran across the following email thread:

gmane.comp.db.mysql.odbc/2003-06/msg00142.html

As it turns out the MyODBC does NOT support multiple SQL commands. While this seems to be a minor irritant for the developer in the email thread, it does provide the unintentional benefit of preventing alot of SQL Injection attacks..

There appears to be a "bug" ticket open with MySQL on this, and it appears that this could potentially be addressed in the upcoming release of MyODBC. In the meantime, for all of you web application security testers out there, maybe this can conserve some of your valuable testing time.

Labels:

0 Comments:

Post a Comment

Links to this post:

Create a Link

<< Home