Chain-Based SQL Injection

Chain-Based SQL Injection

[B]the study of security web applications stumbled on the possibility of an
attack such as the introduction of SQL injection unusual way.

All user data, which fall into the base with a query like INSERT filtered
using the mysql_real_escape_string().

However, under certain circumstances, data from the database were part of
another query to the database in which they no longer held the filtration.

Thus, through mysql_real_escape_string() to write to the database string
types:

Code:

[/B]'Union all select version() /*

[B]Which is already being part of another query, which does not directly

depend on the user data already played the role of the classic SQL

injection.



As a result, the second request, which gave the performance of operators

was as follows:

Code:

[/B]select mixvalue from datas where name like '%' union all select version()/*%'

[B]

To call such a thing could be as something like "a stored SQL injection",

but in view of connectivity requests me more like the version of the "chain

based SQL injection".



Below give the example of vulnerable code.

Code:

[/B]<?php$con = mysql_connect(“localhost”,”user”,”pass”);if (!$con){ die(‘Could not connect: ‘ . mysql_error());}
mysql_select_db(“dbase”, $con);
if (strlen($_GET['name'])>2) { $r = mysql_query(“insert into sqli values(4,‘”.mysql_real_escape_string($_GET['name']).”‘)”);}
$result = mysql_query(“SELECT * FROM sqli”);
while($row = mysql_fetch_array($result)){ echo “< p/ >User < font color=’red’>”.$row['name'].”</ font>”; echo “< br />”; $curname=$row['name']; $r = mysql_query(“select mixtext from datas where mixtext like‘%”.$curname.”%’”); echo “< br/>Associated data:”; while($row = mysql_fetch_array($r)) {   echo “< br/>——— “.$row['mixtext']; }}
mysql_close($con);?>

---