MariaDB Stacked Queries
Context
In this article, we will explore the exploitation of MariaDB stacked queries in the context of SQL injection attacks. This technique allows an attacker to execute multiple SQL statements in a single request, which can lead to severe security vulnerabilities if inputs are not properly validated. This guide assumes that you are familiar with basic SQL syntax, database transactions, and the HTTP request/response model.
Theory
Stacked Queries in SQL Injection
Stacked queries, also known as multi-statement or multi-query SQL injection, involve executing multiple SQL statements in a single query. This technique exploits the lack of input validation in applications to execute several commands consecutively by separating them with semicolons. This sequence of semicolon-separated queries enables attackers to perform a variety of actions, such as modifying or dropping tables, inserting logs, or even changing user roles.
MariaDB Specific Considerations
MariaDB can execute several semicolon-separated statements in a single request when the client connection enables multi-statement execution. This becomes a vulnerability when user input is concatenated into the query text and semicolons in that input are passed through unchanged, because the attacker can then append arbitrary statements to the legitimate one. Failing to validate such input, or to bind it as a parameter instead of concatenating it, exposes the application to significant risk.
Bypassing Prepared Statements
While prepared statements with bound parameters prevent SQL injection, applications that use them only nominally may still be vulnerable to stacked queries. If the statement text itself is assembled by concatenating user input before it is prepared, an injected semicolon can append further statements after the legitimate command. Recognising and exploiting this loophole can lead to unauthorized execution of commands.
Practice
MariaDB Stacked Query Injection
When manually exploiting stacked query injection in a MariaDB environment, follow these steps to execute multiple queries through a single injection point:
- Injecting a Dropping Table Command
  Consider an injection point that retrieves user data by ID. Appending a semicolon and a second statement to the ID turns the application's query into:
  SELECT * FROM users WHERE id=1; DROP TABLE users;
  The database executes the query that selects the user's information and then drops the 'users' table.
- Modifying a User Role
  Another use case involves elevating user privileges by changing their role:
  SELECT * FROM users WHERE id=1; UPDATE users SET role='admin' WHERE id=1;
  Here, after the user data is retrieved, the appended UPDATE statement changes the role of the user with id 1 to 'admin'.
- Logging an Injected Action
  An example that inserts an attacker-chosen entry into the application's log table:
  SELECT * FROM users WHERE id=1; INSERT INTO logs (action) VALUES ('injected');
  This injection adds an 'injected' action entry to the logs table immediately after the selection query.
In each of these examples, the outcome is the successful execution of multiple commands within a single SQL request, illustrating the potential impact of stacked query vulnerabilities.
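As an added example that is not part of the original article, the following Python script contrasts the concatenated query that lets the three payloads above work (the "Bypassing Prepared Statements" case) with a parameter-bound lookup that neutralises them, and includes a small statement counter a defender can run over query logs. It uses an in-memory SQLite database as a stand-in for MariaDB so it runs offline; executescript plays the role of a client's multi-statement execution path, and the payload strings, table names and function names are constructed for this demonstration.

```python
import sqlite3
# Constructed payloads matching the page's three scenarios, as typed into an "id" field.
PAYLOADS = {
    "drop": "1; DROP TABLE users",
    "role": "1; UPDATE users SET role='admin' WHERE id=1",
    "log": "1; INSERT INTO logs (action) VALUES ('injected')",
}

def fresh_db() -> sqlite3.Connection:
    """In-memory SQLite stands in for MariaDB so the demo runs offline."""
    con = sqlite3.connect(":memory:")
    con.executescript("CREATE TABLE users (id INTEGER, role TEXT);"
                      "INSERT INTO users VALUES (1, 'user');"
                      "CREATE TABLE logs (action TEXT);")
    return con

def vulnerable_lookup(con: sqlite3.Connection, user_id: str) -> None:
    # Concatenation plus a multi-statement execute path (executescript here,
    # a multi-statement client API on MariaDB): the injected ';' is honoured.
    con.executescript(f"SELECT * FROM users WHERE id={user_id};")

def safe_lookup(con: sqlite3.Connection, user_id: str) -> list:
    # Bound parameter: the whole input is one value and is never parsed as SQL.
    return con.execute("SELECT * FROM users WHERE id=?", (user_id,)).fetchall()

def count_statements(sql: str) -> int:
    """Count statements by splitting on ';' outside quoted literals; a query-log
    heuristic: an endpoint expected to issue one statement that logs two is suspect."""
    segments, buf, quote = [], [], None
    for ch in sql:
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"', "`"):
            quote = ch
        elif ch == ";":
            segments.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    segments.append("".join(buf))
    return sum(1 for s in segments if s.strip())

def table_exists(con: sqlite3.Connection, name: str) -> bool:
    q = "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?"
    return con.execute(q, (name,)).fetchone() is not None

def role_of(con: sqlite3.Connection, user_id: int) -> str:
    return con.execute("SELECT role FROM users WHERE id=?", (user_id,)).fetchone()[0]
```

With MariaDB Connector/Python the bound form is the same idea with `%s` placeholders; the point is that the input never reaches the parser as SQL text.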
Tools
- sqlmap
- Burp Suite
These tools can be employed to facilitate the exploration and exploitation of stacked query vulnerabilities, providing automated and interactive interfaces for crafting and testing multiple query injections.