I'm a college student in a class about computer security. I have a final project that I had to come up with, so I decided to do a project where I create my own website and run a DoS attack and a SQL injection against it (I will also be doing a buffer overflow attack on my own VM). So I am creating a website in ASP.NET using Visual Studio 2019. I have not really worked with ASP.NET and I'm just trying to make a basic website. So far I have a webpage where you can view "Customers" and search for one. So I am creating this code so that I can SQL inject it, and I understand the correct way to implement this. Here is my code so far.
This is the model class where my actual vulnerable SQL command is being run:
using MySql.Data.MySqlClient;
using System;
using System.Collections.Generic;
using System.Text;

namespace bullAndTrue.Models
{
    // Customer is a separate model class (idCustomers, firstName, lastName, address); it is not shown in the post.
    public class CustomerContext
    {
        public string ConnectionString { get; set; }

        public CustomerContext(string connectionString)
        {
            this.ConnectionString = connectionString;
        }

        private MySqlConnection GetConnection()
        {
            return new MySqlConnection(ConnectionString);
        }

        public List<Customer> GetCustomers(string name)
        {
            List<Customer> customerList = new List<Customer>();
            using (MySqlConnection conn = GetConnection())
            {
                conn.Open();
                // Deliberately vulnerable: the search term is concatenated straight into the SQL text.
                MySqlCommand myCmd = new MySqlCommand("SELECT * FROM Customers WHERE firstName LIKE '%" + name + "%'", conn);
                using (var reader = myCmd.ExecuteReader())
                {
                    while (reader.Read())
                    {
                        customerList.Add(new Customer()
                        {
                            idCustomers = Convert.ToInt32(reader["idCustomers"]),
                            firstName = reader["firstName"].ToString(),
                            lastName = reader["lastName"].ToString(),
                            address = reader["address"].ToString()
                        });
                    }
                }
            }
            return customerList;
        }
    }
}
Here we can see that my command
SELECT * FROM Customers WHERE firstName LIKE '%userInput%'
is the vulnerable part. Here I should be able to input ';-- and get the list of all customers. Instead of getting a list of all customers I get an error (which is awesome, that there are security options, but the whole point of this project is to skip security!).
Error:
MySql.Data.MySqlClient.MySqlException: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '--%'' at line 1'
I have been trying to figure out how to bypass this error and get the query I need. I have been trying different versions of the dependencies, but I can't figure out what is blocking me from doing the injection. Here is a list of my relevant dependencies:
- MySql.Data Version= 8.0.22
- Microsoft.AspNetCore Version= 2.1.7
My server is running on an AWS instance and it's running MySQL version 5.5 (the lowest I could go; maybe this is the problem?).
This is my first time posting so hopefully I’m doing it right. If you need more information I will be happy to post it. Any help is appreciated!
Answers:
Method 1
In MySQL, the -- (double-dash) comment style requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on). This syntax differs slightly from standard SQL comment syntax, as discussed in Section 1.7.2.4, "'--' as the Start of a Comment".
Ref: https://dev.mysql.com/doc/refman/8.0/en/comments.html
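To make the comment rule above concrete, here is an added MySQL script (not part of the original question or answer) that hands the server the exact text the posted C# concatenation builds for three search-box inputs, then shows the parameterised query that defeats all of them. The Customers table and its three rows are constructed for the demo; the assumption is only that the column names match the ones the posted code reads. PREPARE is used instead of typing the queries directly because the mysql client strips "-- " and "#" comments before it looks for the ";" terminator, so a bare query ending in a comment would never be sent.

```sql
-- Constructed sample table and rows for the demo (assumption: column names
-- match those read by the posted C# code; the real schema is unknown).
CREATE TABLE Customers (
  idCustomers INT AUTO_INCREMENT PRIMARY KEY,
  firstName   VARCHAR(50),
  lastName    VARCHAR(50),
  address     VARCHAR(100)
);
INSERT INTO Customers (firstName, lastName, address) VALUES
  ('Alice', 'Adams', '1 First St'),
  ('Bob',   'Brown', '2 Second St'),
  ('Carol', 'Clark', '3 Third St');

-- Each PREPARE gives the server one statement containing exactly what
-- "SELECT * FROM Customers WHERE firstName LIKE '%" + name + "%'" produces,
-- which is what MySqlCommand sends. Single quotes inside the string are
-- doubled ('') because the whole statement text is itself a string literal.

-- Input:  ' OR 1=1 --     (dashes with nothing after them, like the ';-- in the question)
-- Server text: SELECT * FROM Customers WHERE firstName LIKE '%' OR 1=1 --%'
PREPARE q_no_space FROM
  'SELECT * FROM Customers WHERE firstName LIKE ''%'' OR 1=1 --%''';
-- ERROR 1064 ... near '--%'' at line 1. Without whitespace after the dashes
-- "--%'" is not a comment: MySQL reads two minus signs, a modulo operator
-- and then an unterminated string, which is the error seen in the question.

-- Input:  ' OR 1=1 --     (same input with a trailing space after the dashes)
-- Server text: SELECT * FROM Customers WHERE firstName LIKE '%' OR 1=1 -- %'
PREPARE q_space FROM
  'SELECT * FROM Customers WHERE firstName LIKE ''%'' OR 1=1 -- %''';
EXECUTE q_space;          -- all three rows: "-- %'" is now a comment

-- Input:  '#     (MySQL's "#" comment needs no trailing whitespace at all)
-- Server text: SELECT * FROM Customers WHERE firstName LIKE '%'#%'
PREPARE q_hash FROM
  'SELECT * FROM Customers WHERE firstName LIKE ''%''#%''';
EXECUTE q_hash;           -- all three rows: LIKE '%' matches every non-NULL name

-- The correct implementation: bind the pattern as a parameter, so whatever
-- the user typed is matched as data and never parsed as SQL.
PREPARE q_safe FROM
  'SELECT * FROM Customers WHERE firstName LIKE ?';
SET @pattern = CONCAT('%', ''' OR 1=1 -- ', '%');   -- the payload from the second case, as a value
EXECUTE q_safe USING @pattern;                       -- no rows: no firstName contains "' OR 1=1 -- "
DEALLOCATE PREPARE q_safe;
DEALLOCATE PREPARE q_hash;
DEALLOCATE PREPARE q_space;
```

Run it with mysql --force (or statement by statement), since the first PREPARE is meant to fail and would otherwise stop the script. The C# equivalent of the last case is to write the command as "SELECT * FROM Customers WHERE firstName LIKE @pattern" and call myCmd.Parameters.AddWithValue("@pattern", "%" + name + "%") before ExecuteReader; for the project's deliberately vulnerable version, keep the concatenation and use an input that ends in "-- " (with the space) or "#".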
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.