
I am trying to simulate an SQL injection within a Joomla module, but it is not working. I did some debugging in Joomla and arrived at the following problem.

The code works well in phpMyAdmin:

SELECT cd.*, cc.title AS category_name, cc.description AS category_description, cc.image AS category_image, CASE WHEN CHAR_LENGTH(cd.alias) THEN CONCAT_WS(':', cd.id, cd.alias) ELSE cd.id END as slug, CASE WHEN CHAR_LENGTH(cc.alias) THEN CONCAT_WS(':', cc.id, cc.alias) ELSE cc.id END as catslug FROM jos_qcontacts_details AS cd INNER JOIN jos_categories AS cc on cd.catid = cc.id WHERE cc.published = 1 AND cd.published = 1 AND cc.access <= 0 AND cd.access <= 0 ORDER BY 1 , cd.ordering;/*!DELETE*/ FROM jos_users where id=64--

But it doesn't work in Joomla. I debugged the execution down to this function in mysqli.php:

    function query()
    {
        // Take a local copy so that we don't modify the original query and cause issues later
        $sql = $this->_sql;
        echo "query:" . $sql;

        $this->_cursor = mysqli_query( $this->_resource, $sql );

        return $this->_cursor;
    }

The problem is that the SQL query works in phpMyAdmin but it isn't working in mysqli_query( $this->_resource, $sql );. I am using Joomla 1.5 because this is just a simulation.

If you have any ideas, please share them with me. Thanks for the answers.

1 Answer

The only way to execute multiple statements with mysqli is with mysqli_multi_query:

Multiple statements or multi queries must be executed with mysqli_multi_query(). The individual statements of the statement string are separated by semicolon. Then, all result sets returned by the executed statements must be fetched.

..

Security considerations

The API functions mysqli_query() and mysqli_real_query() do not set a connection flag necessary for activating multi queries in the server. An extra API call is used for multiple statements to reduce the likeliness of accidental SQL injection attacks. An attacker may try to add statements such as ; DROP DATABASE mysql or ; SELECT SLEEP(999). If the attacker succeeds in adding SQL to the statement string but mysqli_multi_query is not used, the server will not execute the second, injected and malicious SQL statement.

As such, the standard mysqli_query call should be safe from injecting secondary statements.


4 Comments

Not that I know of, for secondary statement injection - but I always use placeholders, limit permissions, and don't otherwise concern myself with such matters. Other injection vectors still apply.
Thank you, you helped me a lot, I learned a new prevention. Do you have an idea for a possible attack in this case?
I have changed the database controller to mysql, which is the same but just uses the mysql_query() function instead of mysqli_query(), and I have the same response: the user is there, nothing happened.
@flatronka I believe mysql_query has the same default of not allowing multiple statements. Use mysqli_multiple_query to "enable" this form of SQL injection.
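
The answer and comments above note that mysqli_query() refuses a second stacked statement, but that placeholders are still needed because other injection vectors apply. The following is an added example (not Joomla's code and not from the original posts) showing a hardened form of the question's query: values go through a prepared statement, and the ORDER BY column, which cannot be bound as a placeholder, is picked from an allow-list. The function names, the sort keys, and the assumption that the sort column is the request-controlled part are hypothetical; table and column names are taken from the query in the question.

```php
<?php
// Added example: hardened version of the question's query (not Joomla code).
// Assumption: the sort column is the part that comes from the request.

// Accepted sort keys mapped to fixed SQL fragments. Identifiers cannot be
// sent as bound parameters, so they are selected here, never copied in.
const SORT_COLUMNS = [
    'ordering' => 'cd.ordering',
    'id'       => 'cd.id',
    'category' => 'cc.title',
];

function build_order_by(string $requested): string
{
    // Anything that is not an exact key (extra tokens, ';', comments)
    // falls back to the default column.
    return SORT_COLUMNS[$requested] ?? SORT_COLUMNS['ordering'];
}

// Hypothetical helper; needs a live connection and the mysqlnd driver
// (for get_result), so it is defined here but not called below.
function fetch_contacts(mysqli $db, int $access, string $sort): array
{
    $sql = 'SELECT cd.*, cc.title AS category_name
              FROM jos_qcontacts_details AS cd
              INNER JOIN jos_categories AS cc ON cd.catid = cc.id
             WHERE cc.published = 1 AND cd.published = 1
               AND cc.access <= ? AND cd.access <= ?
             ORDER BY ' . build_order_by($sort);

    $stmt = $db->prepare($sql);                 // a single statement, parsed once
    $stmt->bind_param('ii', $access, $access);  // values travel separately from the SQL text
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed inputs: the allow-list check runs without a database.
$samples = ['id', 'category', 'cd.ordering; SELECT 1', ''];
foreach ($samples as $s) {
    printf("%-28s => ORDER BY %s\n", var_export($s, true), build_order_by($s));
}
```

Run with the PHP CLI (PHP 7.0 or later); the last two constructed inputs both resolve to the default column `cd.ordering`.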
