
Suppose the server side code is something like this:

String id = getIdFromHttpRequest();
String value = getValueFromHttpRequest();

// both request parameters are concatenated straight into the SQL text
String query = "INSERT INTO users VALUES ('" + id + "', '" + value + "');";
ResultSet rs = SQL.doQuery(query); // I know it's not the syntax, but the point is clear

Well, the injection is easy, I can make it execute an SQL command, but the problem is I want to see the result set (I inject a SELECT command).

Is there a way of doing so?

Floern
  • There is a lot of material out there on SQL injection attacks. The general idea is that the query is built dynamically and that the injection circumvents the expected scenario of simply inserting typical user input (parameter values). – shawnt00 May 12 '18 at 20:16
  • You are right, but my question is how can I see the value as the server won't print out the result set (as it expects it to do an INSERT command) –  May 13 '18 at 17:07
  • Yes, that's why you have to find creative ways to piggyback on what the existing system does. – shawnt00 May 13 '18 at 22:45

1 Answer


You probably cannot achieve this.

As you know, an INSERT statement has no result set, even if you use SQL injection. At best, you could make it execute a SELECT as a scalar subquery. It's not hard to spoof your example to execute the following:

INSERT INTO users VALUES ('8675309', '' || (SELECT ...blah blah...) || '');

But that still would not return a result set, because INSERT never has a result set.

You would need to execute a second query to do that. Some query interfaces do support multi-query in a single call to doQuery(), but this is not always true (depends on the brand of database you use, and possibly some configuration options).

INSERT INTO users VALUES (...whatever...);
SELECT * FROM secure_table WHERE (id = '8675309');

With SQL injection, you can manipulate the SQL, but you can't manipulate the rest of the code in the application that runs the SQL. In the example you show, the app is designed to run an INSERT query, not an INSERT followed by a SELECT. The app would have no reason to fetch a result set after executing an INSERT.

It's hard to imagine how you could use SQL injection alone to trick the code you show into fetching and displaying a result set.

I don't think it is possible to use SQL injection to read data by exploiting a non-reading query.

Bill Karwin
  • I know the INSERT command doesn't return anything, and that's the problem. I can't change the server's code but only inject code via data, value. My question is - can I somehow view the result of the SELECT command I'm injecting? –  May 13 '18 at 17:02
  • By the way, the injection I thought of wasn't using string concatenation but something like value = " '); SELECT * from users WHERE '1' = '1" –  May 13 '18 at 17:05
  • That would resemble my second example above. There is still no way to make the application code fetch results if the code wasn't designed to do that. – Bill Karwin May 13 '18 at 17:06
  • Also it's not certain that the query API accepts multiple queries in one call. For example, MySQL doesn't support multi-query by default, it requires a connect option. – Bill Karwin May 13 '18 at 17:07
  • About your second comment - it's my fault for not mentioning, I was assuming the API supports multiple queries. –  May 13 '18 at 17:33
  • About the first one - so, the answer to my question is no, it is not possible? –  May 13 '18 at 17:35
  • Right, it is not possible. – Bill Karwin May 13 '18 at 19:06