s0c0
Posted January 13, 2009

I am pen testing a client's system (I did not write the original code) and I am able to log in as a customer using a SQL injection hack, due to some poorly written SQL and other issues. My question is if it's possible to execute multiple queries using PHP's mysql_query and/or mysqli_query functions. For instance, the query written by developer A looks like this:

$sql = "SELECT * FROM clients WHERE username='$user' AND key='$password'";
$result = mysql_query($sql);

My hack turns the query into this:

$sql = "SELECT * FROM clients WHERE username='$user' AND key='' OR ''='' ";
$result = mysql_query($sql);

My question is if it's possible to pass in 2 queries and have it properly execute and return a result set. For instance, the end query would look something like this after the injection:

$sql = "SELECT * FROM clients WHERE user='$user'; SELECT * FROM customers;";

https://forums.phpfreaks.com/topic/140735-sql-injection-on-mysql-5-php-5-system/
PFMaBiSmAd
Posted January 13, 2009

The php mysql client does not support multiple queries. The php mysqli does. But you can always just inject a UNION SELECT * FROM customers onto the end of any SELECT query, which is why it is imperative that ALL external data be validated and use mysql_real_escape_string() on string data and force numeric data to be numbers of the correct type.
s0c0 (Author)
Posted January 13, 2009

Glad I asked. I was unable to duplicate using mysql_query, but now at least I know mysqli_query is vulnerable.
s0c0 (Author)
Posted January 13, 2009

Actually I think you are incorrect. I ran this test and it did not work.

$sql = "SELECT * FROM office; SELECT * FROM office";
// mysqli_query() sends the string as one statement; the server rejects the
// second statement with a syntax error, so $result is false and the fetch
// below has nothing to read.
$result = mysqli_query($db->LINK, $sql);
$row = mysqli_fetch_assoc($result);
print_r($row);
PFMaBiSmAd
Posted January 13, 2009

It depends on which mysqli query statement you use. If you are concerned with security, it is important that you read the manual section for what you are doing to get all the available information.
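Added example, not code from the thread or from either poster: a runnable re-enactment of the three injection shapes discussed above (the ''='' login bypass in the first post, the UNION SELECT * FROM customers that PFMaBiSmAd warns about, and the stacked "; SELECT ..." queries the thread argues over) and of the fix. It is written in Python against an in-memory SQLite database, because PHP's mysql/mysqli functions need a live MySQL server; the mapping is an assumption of this example, not something the thread states: sqlite3's execute() runs exactly one statement, like mysqli_query(), and executescript() runs every statement in the string, like mysqli_multi_query(). The clients and customers tables, their rows and the payload strings are all constructed here. The hardened version uses bound parameters (mysqli prepared statements in PHP) rather than the mysql_real_escape_string() approach the answer mentions; both stop the payloads below, but binding does not depend on every call site remembering to escape.

```python
import sqlite3

# Constructed sample data standing in for the thread's "clients" and "customers"
# tables. SQLite is an offline stand-in for MySQL; the SQL below runs on both.
SCHEMA = """
CREATE TABLE clients   (id INTEGER PRIMARY KEY, username TEXT, key TEXT);
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT);
INSERT INTO clients   VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2');
INSERT INTO customers VALUES (10, 'Acme Corp', '4242'), (11, 'Globex', '1337');
"""


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def build_login_sql(user, password):
    # Developer A's pattern from the thread: values pasted into the SQL text.
    return f"SELECT * FROM clients WHERE username='{user}' AND key='{password}'"


def login_vulnerable(db, user, password):
    # Single-statement execution (assumed analogue of mysqli_query()):
    # a second ';'-separated statement is refused, but anything inside the
    # one statement, including OR and UNION, is fair game.
    return db.execute(build_login_sql(user, password)).fetchall()


def login_vulnerable_multi(db, user, password):
    # Multi-statement execution (assumed analogue of mysqli_multi_query()):
    # every statement in the string runs. Returns the surviving table names.
    db.executescript(build_login_sql(user, password))
    return [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]


def login_safe(db, user, password):
    # Bound parameters: the driver ships the values separately from the SQL,
    # so quotes, OR, UNION and ';' in the input are data, never syntax.
    sql = "SELECT * FROM clients WHERE username=? AND key=?"
    return db.execute(sql, (user, password)).fetchall()


# Constructed payloads, each typed into the password field.
BYPASS = "' OR ''='"                             # key='' OR ''=''  -> every row
UNION = "' UNION SELECT * FROM customers -- "    # append the customers table
STACKED = "'; DROP TABLE customers; -- "         # needs multi-statement execution


def demo():
    results = {}
    db = fresh_db()
    # Login bypass: both clients come back, the app takes the first as "you".
    results["bypass_rows"] = len(login_vulnerable(db, "alice", BYPASS))
    # UNION: no client matches, but the customers table rides along.
    results["union_rows"] = login_vulnerable(db, "nobody", UNION)
    # Stacked query against the single-statement API: rejected by the driver
    # (older Pythons raise sqlite3.Warning, newer ones ProgrammingError).
    try:
        login_vulnerable(db, "alice", STACKED)
        results["stacked_single"] = "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        results["stacked_single"] = "rejected"
    # Same payload against the multi-statement API: the DROP runs.
    results["stacked_multi"] = login_vulnerable_multi(fresh_db(), "alice", STACKED)
    # Hardened login: the bypass payload is just a wrong password.
    results["safe_rows"] = login_safe(db, "alice", BYPASS)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two MySQL-specific caveats when carrying this over: the "-- " comment marker needs the trailing space on MySQL (SQLite does not care), and KEY is a reserved word in MySQL, so the thread's unquoted key= column would need backticks there.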