SQL Injection and MyODBC
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[MySQL][ODBC 3.51 Driver][mysqld-5.0.26-standard-log]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax near ';DROP table userinfo' at line 1
/test/test.asp, line 192
Having access to the asp file, I could see that the SQL Query was basically:
sql = "SELECT * FROM userinfo WHERE user = '" & Request.QueryString("user_id") & "'"
Normally it would be trivial to modify the HTTP request so that the SQL query would effectively become:
SELECT * FROM userinfo where user ='bob'; DROP TABLE userinfo; --
However, for some reason I could not get this to behave as expected. I was able to append other SQL syntax (AND, OR, etc) and get the desired results, but I was not able to DROP that particular table. After much digging, I ran across the following email thread:
As it turns out, MyODBC does NOT support multiple SQL statements in a single query (stacked queries). While this seems to be a minor irritant for the developer in the email thread, it does provide the unintentional benefit of preventing a lot of SQL injection attacks.
There appears to be a "bug" ticket open with MySQL on this, which may be addressed in the upcoming release of MyODBC. In the meantime, for all of you web application security testers out there, maybe this can conserve some of your valuable testing time.
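As an added illustration of the point above (not code from the original post), the snippet below uses Python's sqlite3 module as a stand-in for MyODBC, since its execute() likewise refuses a call containing more than one statement: the stacked "; DROP TABLE" payload from the post errors out and the table survives, but a boolean OR injection against the same concatenated query still returns every row, and only the parameterised lookup stops both. The table, its rows and the function names are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the page's userinfo table."""
    con = sqlite3.connect(":memory:")
    con.execute('CREATE TABLE userinfo ("user" TEXT, role TEXT)')
    con.executemany("INSERT INTO userinfo VALUES (?, ?)",
                    [("bob", "member"), ("alice", "admin")])
    return con


def lookup_concat(con, user_id):
    """Vulnerable: query assembled by string concatenation, as in the ASP on the page."""
    sql = "SELECT * FROM userinfo WHERE \"user\" = '" + user_id + "'"
    return con.execute(sql).fetchall()


def lookup_param(con, user_id):
    """Hardened: the value is bound as a parameter, never spliced into SQL text."""
    return con.execute('SELECT * FROM userinfo WHERE "user" = ?', (user_id,)).fetchall()


def table_exists(con):
    """True while the userinfo table is still present."""
    row = con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='userinfo'").fetchone()
    return row is not None


def probe(lookup, con, user_id):
    """Run one lookup; report ('rows', count) or ('error', exception class name).
    sqlite3 (assumed here as a stand-in for MyODBC) rejects a call holding more
    than one statement; older Pythons raise sqlite3.Warning, newer ProgrammingError."""
    try:
        return ("rows", len(lookup(con, user_id)))
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return ("error", type(exc).__name__)


STACKED = "bob'; DROP TABLE userinfo; --"   # the stacked payload from the post
BOOLEAN = "bob' OR '1'='1"                  # the AND/OR style the post says still worked


if __name__ == "__main__":
    con = make_db()
    for name, lookup in (("concat", lookup_concat), ("param", lookup_param)):
        for payload in (STACKED, BOOLEAN):
            print(name, repr(payload), probe(lookup, con, payload),
                  "table kept:", table_exists(con))
```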
Labels: Web App Sec