MySQL does support stacked queries; it's usually the programming language that's interacting with it that does not. Looking into this, I found a neat PHP function that allows stacked queries:
http://www.php.net/manual/en/mysqli.multi-query.php

There is also a white paper (pg 6) that states that ASP .NET supports stacked queries to MySQL; I would be interested in experimenting with this.
http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf

mysql> select sysdate(); select sysdate();
+---------------------+
| sysdate()           |
+---------------------+
| 2010-07-21 11:41:36 |
+---------------------+
1 row in set (0.00 sec)

+---------------------+
| sysdate()           |
+---------------------+
| 2010-07-21 11:41:36 |
+---------------------+
1 row in set (0.00 sec)

mysql>

On Tue, Jul 20, 2010 at 5:00 PM, Ulisses Castro <[email protected]> wrote:
> MySQL doesn't support stacked queries, unfortunately you can't stack
> queries like postgresql, mssql, ...
>
> On Tue, Jul 20, 2010 at 7:09 PM, Michael McGrew
> <[email protected]> wrote:
>> If you can inject SQL could you end the query with ; then start a new
>> select query where you use INTO OUTFILE?
>>
>> This is why it's not working:
>> "An INTO clause should not be used in a nested SELECT because such a
>> SELECT must return its result to the outer context. "
>> http://dev.mysql.com/doc/refman/5.0/en/select.html
>>
>> On Tue, Jul 20, 2010 at 2:23 PM, Robin Wood <[email protected]> wrote:
>>> I sent this to the webappsec mailing list but thought I'd send it here
>>> as well looking for some SQL Injection experts.
>>>
>>> ---------- Forwarded message ----------
>>>
>>> I've got a vulnerable web app with a MySQL backend where I can inject
>>> into an INSERT query and I want to create a file. With a SELECT I
>>> would use a UNION and then SELECT whatever INTO OUTFILE "filename" but
>>> how do you do it with an INSERT query?
>>>
>>> I tried:
>>>
>>> INSERT INTO size VALUES (22, (SELECT "abc" INTO OUTFILE "/tmp/test")) ;
>>>
>>> That executes and size gets a new row with 22 and "abc" in it but it
>>> doesn't create the file.
>>>
>>> I also tried an UPDATE and had the same problem:
>>>
>>> UPDATE size SET big=22 WHERE big = (SELECT "abc" INTO OUTFILE "/tmp/test");
>>>
>>> The update happens where big="abc" but no outfile.
>>>
>>> Can it be done?
>>>
>>> Robin

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
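
Added example, not part of the original thread: the top message's point that the client API decides whether a stacked statement runs, together with the parameter-bound form that keeps the input as data. It assumes Python's built-in sqlite3 as a stand-in for a MySQL driver so that it runs without a server, with `execute()` in the single-statement role and `executescript()` in the role the message gives `multi_query`; the one-column `size` table and the input value are constructed.

```python
import sqlite3

# Constructed input: a form value that closes the string literal and appends a statement.
PAYLOAD = "x'); INSERT INTO size VALUES ('stacked'); --"


def fresh_db():
    """In-memory database with a constructed one-column `size` table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE size (big TEXT)")
    return db


def rows(db):
    """Return the stored values in insertion order."""
    return [r[0] for r in db.execute("SELECT big FROM size ORDER BY rowid")]


def concat_single_statement(value):
    """String-built SQL through execute(): the driver refuses the stacked statement."""
    db = fresh_db()
    try:
        db.execute("INSERT INTO size VALUES ('" + value + "')")
        outcome = "executed"
    except (sqlite3.Warning, sqlite3.Error):  # exception class differs by Python version
        outcome = "rejected"
    return outcome, rows(db)


def concat_multi_statement(value):
    """The same string through executescript(): both statements run."""
    db = fresh_db()
    db.executescript("INSERT INTO size VALUES ('" + value + "')")
    return rows(db)


def parameterized(value):
    """Bound parameter: the whole value is stored as data, none of it is parsed as SQL."""
    db = fresh_db()
    db.execute("INSERT INTO size VALUES (?)", (value,))
    return rows(db)


if __name__ == "__main__":
    print(concat_single_statement(PAYLOAD))
    print(concat_multi_statement(PAYLOAD))
    print(parameterized(PAYLOAD))
```

The single-statement call being rejected is a side effect of the API, not a control: only the bound-parameter form keeps the input out of the SQL text whichever call the application uses.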
