
I was solving one of TryHackMe's rooms about SQL injection. But I couldn't figure out one thing that came to my mind, and after spending lots of time I thought it was best to ask that question here. In the room there is a machine to deploy; after I deployed the machine it gave me an interface (webapp) that takes inputs from me, like so:

[screenshot]

And if you give it a value like `test`, it returns the following output:

[screenshot]

When I saw it, I thought it was an easy SQLi question, so I tried the most basic SQLi payloads for common DBMSs, like so:

  1. `' ; sleep(1) --`
  2. `' or 1=1 --` ...

But none of them worked, and each returned an error message like this: [screenshot]

After that failure, I ran sqlmap and it found 2 types of SQLi, with the following payloads:

[screenshot]

Then I realized that in the time-based SQLi, sqlmap used `||`. So I tried to send `'|| (select sleep(2)) -- `, and it worked. Now my question is: why didn't my first payload (`' ; select sleep(2) -- `) work, but this one did?

BooRuleDie
  • Possibly because MySQL cannot cope with standard `--` comments if there's no space following them. Try to make sure there's a space after `--` or use the MySQL specific `#` for marking the rest of the line as a comment. – sticky bit Dec 16 '21 at 19:31
  • I tried both of them when I was trying to find a payload that works. But none of them worked. – BooRuleDie Dec 16 '21 at 19:33

1 Answer

By default, MySQL query interfaces do not support multiple queries separated by semicolon. To get that, the application would have to explicitly request this feature to be enabled when it connects to the database. There's a connect option for that.

So by default, any type of SQL injection that works by trying to append a malicious query after a semicolon doesn't work.

But an SQL injection that works by modifying an expression in the single query can still work.

Bill Karwin
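As an added example (not from the question, the room or the answer above): a Python script that reproduces the answer's point using an in-memory SQLite table as a stand-in for the webapp's database, since SQLite runs offline. Python's `sqlite3` behaves like a MySQL client without the multi-statements connect option: `execute()` rejects a stacked statement after `;`, an injection that only changes the expression still succeeds, `executescript()` plays the role of the opt-in, and a parameterized query closes both. The `users` table, its rows and the function names are constructed for this demonstration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the room's backend: an in-memory SQLite table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "test")])
    return db


def lookup_concat(db, user_input):
    """Vulnerable (hypothetical webapp): user input is spliced into the SQL text."""
    sql = f"SELECT name FROM users WHERE name = '{user_input}'"
    try:
        return [row[0] for row in db.execute(sql)]
    except (sqlite3.ProgrammingError, sqlite3.Warning) as exc:
        # execute() refuses anything after the first statement's ';', just as a
        # MySQL client does unless the app opted in to multi-statement queries.
        return f"error: {exc}"


def stacked_runs_when_opted_in(db, user_input):
    """Same splice, but the app opted in: executescript() runs every statement
    in the string (the SQLite analogue of enabling MySQL multi-statements)."""
    sql = f"SELECT name FROM users WHERE name = '{user_input}'"
    try:
        db.executescript(sql)
        return True
    except sqlite3.Error:
        return False


def lookup_param(db, user_input):
    """Hardened: a parameterized query; the input is bound as data, never parsed as SQL."""
    rows = db.execute("SELECT name FROM users WHERE name = ?", (user_input,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "test"))                        # normal use
    print(lookup_concat(db, "' ; SELECT 1 -- "))            # stacked query: rejected
    print(lookup_concat(db, "' OR 1=1 -- "))                # expression injection: succeeds
    print(stacked_runs_when_opted_in(db, "' ; SELECT 1 -- "))  # opt-in: stacked query accepted
    print(lookup_param(db, "' OR 1=1 -- "))                 # parameterized: just a literal name
```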