[VIM] On SQL injection and PHP mysql_query...
sullo at cirt.net
Mon Jun 26 16:42:07 EDT 2006
Quoting "Heinbockel, Bill" <heinbockel at mitre.org>:
>> From line 175 in torrents.php:
>> $query = "SELECT summary.info_hash as hash, ... FROM summary
>> LEFT JOIN namemap ON summary.info_hash = namemap.info_hash
>> LEFT JOIN categories ON categories.id = namemap.category
>> $where ORDER BY $order $by $limit";
> Therefore, the only opportunity for SQL command execution
> is via multiple SQL statements - multiple statements
> separated via semicolons ";".
Won't it allow you to use a union, such as:
'union select ...' when injected into $limit?
mysql should be happy with the syntax as long as ' isn't filtered out
somewhere along the line. Now, I'm not sure if you can make it do
something useful via the union select...
http://www.cirt.net/ | http://www.osvdb.org/
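One way to check the question raised above, as an added example that is not part of the thread or of the tracker code it discusses: rebuild the torrents.php query template, drop a UNION into the $limit position, and see whether the database parser accepts it. SQLite is used here as an offline stand-in; like MySQL, it only allows ORDER BY and LIMIT at the end of a compound SELECT unless the individual SELECT is parenthesized, so an unparenthesized `... LIMIT 1 UNION SELECT ...` is a syntax error in both. The tables, rows, and the allow-list in the hardened builder are constructed for the example and are assumptions, not the tracker's schema.

```python
import sqlite3

# Constructed schema with the three table names from the quoted query;
# the columns and rows are assumptions made up for this example.
SCHEMA = """
CREATE TABLE summary (info_hash TEXT PRIMARY KEY, seeds INTEGER, peers INTEGER);
CREATE TABLE namemap (info_hash TEXT, name TEXT, category INTEGER);
CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO summary VALUES ('aa11', 5, 2), ('bb22', 0, 9);
INSERT INTO namemap VALUES ('aa11', 'first torrent', 1), ('bb22', 'second torrent', 2);
INSERT INTO categories VALUES (1, 'video'), (2, 'audio');
"""

SELECT_PART = ("SELECT summary.info_hash AS hash, namemap.name, categories.name AS category "
               "FROM summary "
               "LEFT JOIN namemap ON summary.info_hash = namemap.info_hash "
               "LEFT JOIN categories ON categories.id = namemap.category ")


def vulnerable_query(where, order, by, limit):
    """Same shape as the interpolated query in torrents.php: every fragment
    is pasted into the SQL text unchanged."""
    return f"{SELECT_PART}{where} ORDER BY {order} {by} {limit}"


# Identifiers and keywords cannot be bound as parameters, so they are
# mapped through an allow-list; the LIMIT numbers are bound as parameters.
ALLOWED_ORDER = {"hash": "summary.info_hash", "name": "namemap.name", "seeds": "summary.seeds"}
ALLOWED_BY = {"asc": "ASC", "desc": "DESC"}


def hardened_query(order, by, offset, count):
    """Return (sql, params) with validated identifiers and bound numbers."""
    if order not in ALLOWED_ORDER or by not in ALLOWED_BY:
        raise ValueError("order column or direction not in allow-list")
    if not all(isinstance(v, int) and not isinstance(v, bool) for v in (offset, count)):
        raise ValueError("limit values must be integers")
    if offset < 0 or count < 1:
        raise ValueError("limit values out of range")
    sql = f"{SELECT_PART}ORDER BY {ALLOWED_ORDER[order]} {ALLOWED_BY[by]} LIMIT ? OFFSET ?"
    return sql, (count, offset)


def run(sql, params=()):
    """Execute one statement against a fresh in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    try:
        return conn.execute(sql, params).fetchall()
    finally:
        conn.close()


def limit_union_parses():
    """True if the parser accepts a UNION appended to the LIMIT clause."""
    payload = "LIMIT 1 UNION SELECT name, NULL, NULL FROM categories"
    try:
        run(vulnerable_query("", "namemap.name", "ASC", payload))
        return True
    except sqlite3.Error:
        return False


def first_row_vulnerable():
    return run(vulnerable_query("", "namemap.name", "ASC", "LIMIT 1"))


def first_row_hardened():
    return run(*hardened_query("name", "asc", 0, 1))


if __name__ == "__main__":
    print("UNION after LIMIT parses:", limit_union_parses())
    print("vulnerable builder, benign input:", first_row_vulnerable())
    print("hardened builder, same request:", first_row_hardened())
```

The first function answers the parse question for the LIMIT position only; other interpolated fragments in the same template sit earlier in the statement and need to be examined separately. The hardened builder does not depend on the single-statement restriction of mysql_query at all: it never lets attacker-controlled text reach the SQL parser.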