Conditional/Executable Comments in MySQL/SQL Server - mysql

Before I begin, I realize that what I'm attempting is bizarre and hackish. It's just for an isolated pen test, specifically SQL Injection.
What I need to do is write a SQL statement that behaves differently when executing on a MySQL database than it does when executing on a SQL Server Database.
Edit
The limitation of the Query I can build is that I can only change what's after the "WHERE id =" clause. I can't affect any other part of the query. Specifically, I need to be able to attach a " UNION SELECT * FROM some_other_table" that only gets executed by the SQL server to the end of my input.
This obviously would blow up MySQL because it doesn't have the tables I'm unioning.
Specifically:
SELECT * FROM USERS
WHERE id = My input -> (MySQL code: 'x' or 1=1 )
(MSSQL code 'x' or 1=1 UNION SELECT * FROM table)
The problem is, if either statement gets executed by the database it wasn't meant for, it blows up (and not in the way I need it to).
This led to my discovery of Conditional/Executable Comments in MySQL.
SELECT * FROM USERS
WHERE id = /*! This will be executed but only by mysql */
That's great but I still can't prevent MySQL from executing MSSQL! I can only stop MSSQL from executing MySQL code.
My initial idea was to have a comment inside the MySQL conditional like:
SELECT * FROM USERS
WHERE id = /*! 4 or 1=1 --*/ MSSQL code that is ignored by mysql
But this throws an error saying to check my syntax at a line with nothing on it near ''.
I don't fully understand why this doesn't work, but I know it doesn't work with any form of MySQL comment I know of (tried #, /*).
Is there a way to get my strange SQL statement to work? Or is there a way to do a conditional comment in MSSQL? I really just need MySQL to ignore anything after its conditional, but I have no idea how to make that happen without comments.

I'm not sure if this is what you need, but if I understand correctly you want one SQL statement that returns different results on MySQL vs. SQL Server (if that's what "behaves differently" means?). If so, one place to start would be using a system function that has the same name and syntax but different behaviour, such as SUBSTRING():
select substring('test', -1, 1)
On SQL Server that returns an empty string, but on MySQL it returns t. I don't know if using SUBSTRING() is viable in your case, but if not you may be able to find another function that's easier to use in your query.
If this doesn't help at all then I suggest you provide some more details about what limitations you have in building your query.
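As an added example (not code from the question or answer above), here is a small Python scanner written from the defender's side: it locates the comment constructs discussed above in a submitted parameter value and records how MySQL and SQL Server each treat them, following the comment rules in the MySQL reference manual and the T-SQL docs. The sample inputs are constructed from the values quoted in the question.

```python
import re

# Constructed sample inputs, taken from the question above.
SAMPLES = {
    "plain": "'x' or 1=1",
    "executable": "/*! 4 or 1=1 --*/ MSSQL code that is ignored by mysql",
}


def scan_comment_constructs(value: str) -> list[dict]:
    """Locate comment syntax in a parameter value and record, per engine,
    whether the text after it is parsed as SQL ("sql") or skipped ("comment").
    Rules: '/*! ... */' is executed by MySQL but is an ordinary comment in
    SQL Server; '#' opens a line comment in MySQL only; '--' opens a line
    comment in MySQL only when followed by whitespace (or end of input),
    but always in SQL Server."""
    findings = []
    for m in re.finditer(r"/\*!|/\*|#|--", value):
        tok = m.group()
        nxt = value[m.end():m.end() + 1]
        if tok == "/*!":
            f = dict(kind="executable_comment", mysql="sql", mssql="comment")
        elif tok == "/*":
            f = dict(kind="block_comment", mysql="comment", mssql="comment")
        elif tok == "#":
            f = dict(kind="hash_line_comment", mysql="comment", mssql="sql")
        else:
            mysql = "comment" if (nxt == "" or nxt.isspace()) else "sql"
            f = dict(kind="dash_line_comment", mysql=mysql, mssql="comment")
        if tok.startswith("/*"):
            # An unterminated block/executable comment is the usual cause of
            # the "check your syntax ... near ''" error mentioned above.
            f["terminated"] = value.find("*/", m.end()) >= 0
        f["offset"] = m.start()
        findings.append(f)
    return findings


def dialect_divergent(value: str) -> bool:
    """True when some construct is SQL for one engine and a comment for the
    other, i.e. the input is shaped to behave differently per DBMS."""
    return any(f["mysql"] != f["mssql"] for f in scan_comment_constructs(value))


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, dialect_divergent(text), scan_comment_constructs(text))
```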

Related

SQL injection attack in LIKE clause

I have a file that runs a SQL query:
SELECT * FROM items WHERE name LIKE "%<String Passed to It>%"
I am trying to test for basic web security here. How can I break this query to drop the items table, without using spaces or semi-colons
Try setting the value of the to be:
'\gDROP TABLE items\g--
You will need to escape that apostrophe.
Making your query look like this:
SELECT * FROM items WHERE name LIKE '%'\gDROP TABLE items\g--%'
In MySQL \g is equivalent to a semi-colon. However, I'm not sure if spacing is required as I do not currently have a local installation of MySQL set up, and I do not know exactly what language and framework you're using to execute that query.
However, the other comments are right that using a prepared statement and parameters rather than building the SQL string in code is the way to go in trying to prevent SQL Injection attacks.
See here
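The prepared-statement approach recommended above, as an added example that is not part of the original post: the LIKE query is rewritten with a bound parameter, and the LIKE wildcards `%` and `_` in the user's text are escaped so they match literally. It uses Python's bundled sqlite3 so it runs offline; with the MySQL DB-API drivers (MySQLdb, PyMySQL, mysql-connector) the placeholder is `%s` instead of `?`, and the `ESCAPE '!'` clause is accepted by MySQL as written.

```python
import sqlite3


def escape_like(term: str, esc: str = "!") -> str:
    """Neutralise LIKE metacharacters so user text matches literally.
    The escape character itself is doubled first. '!' is used rather than
    a backslash to sidestep MySQL's backslash handling in string literals."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_items(conn: sqlite3.Connection, user_text: str) -> list[str]:
    """Parameterised version of the LIKE query from the question.
    The user text is sent as a bound value, never spliced into the SQL,
    so quote characters, \\g and -- are just characters to match on."""
    pattern = "%" + escape_like(user_text) + "%"
    cur = conn.execute(
        "SELECT name FROM items WHERE name LIKE ? ESCAPE '!'", (pattern,)
    )
    return [row[0] for row in cur]


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory items table for trying the query out."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?)",
        [("widget",), ("100% cotton",), ("under_score",), ("wi_get",)],
    )
    return conn


def item_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]


if __name__ == "__main__":
    db = demo_db()
    print(search_items(db, "100%"))                    # literal percent sign
    print(search_items(db, "'\\gDROP TABLE items\\g--"))  # no match, no harm
    print(item_count(db))
```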

No database selected. MySQL Query Browser

I am using MySQL Query Browser 1.2.17. My problem is that using EXACTLY the same query, sometimes I get a No database selected error.
I tried to find any dependence on using USE database; or FROM database.table.
I have no idea when I will get an error and when I won't, and if I get one I don't know how to solve it (since there is a USE database; in the query).
UPDATE AND SOLUTION:
Since the problem was independent of both USE database; and FROM database.table and was observed RANDOMLY (e.g. run a query, it works, then immediately run the same query again and it doesn't work anymore), I recreated the database, simply filling it with data from a backup, and that helped.
Best practice is to write the query as:
databasename.tablename
Example:
SELECT * FROM database.table where 1 = 1

Query MySQL to find if a statement is valid (NOEXEC perhaps)

Is there any way in MySQL to determine if a SQL statement is valid before executing it? (In other words, rather than executing the statements and dealing with errors, I simply want to know if it is a valid statement.)
I notice in MySQL Workbench that when I type a query it checks it for validity, so I assume there is a way to do that?
In essence I am trying to "precheck" the SQL at runtime to see if it is even valid without actually executing it.
Perhaps using the NOEXEC statement?
You can use something called 'SQL Fiddle'; you have to build a schema first and then start running your SQL queries. See the link below:
http://sqlfiddle.com/

SELECT MySQL using Sql Developer

I managed to connect to the MySQL DB via SQL Developer following this guide. The MySQL DB shows and I can explore tables via the navigator. However, I could not run a SELECT statement to show any of these tables. In MySQL Workbench I used to use:
use [database_name]
Then, run the select statement in that database. But in SQL Developer, I am not sure what I should add to the statement to make it work. I have tried the following:
select *
from [table_name].[database_name];
It does not work. I found this tutorial, but nothing is mentioned about simple select statement. Any help is deeply appreciated.
AFAIK, except for MySQL-specific commands, all other standard SQL commands like SELECT, INSERT, UPDATE, DELETE should work just fine using SQL Developer. But your posted query looks totally strange.
Your query
select * from [table_name]#[database_name];
Remove that # sign.
You should qualify it like database_name.table_name.
Unless it's a typo, remove those [] as well from your query statement.
Your query should look like
select * from database_name.table_name;
You can always write your SQL including database as well, in the form of:
database.tablename
such as:
select * from wordpressdb.usertable where username="someone"

Error running SQL in MS-Access with ODBC connection to MYSQL

I was helping a non-profit migrate MS-Access data to MySQL. So, I ported the data to MySQL and created links in MS-Access to the MySQL tables using ODBC. The majority of the existing SQL works fine. However I am stumped on this one error:
You have an error in your SQL syntax check the manual that corresponds to your MySQL server version for the right syntax to use near UNION...
I have stripped the SQL with 7 UNIONS to bare bones where it still fails.
(SELECT 1 as A FROM Households H)
UNION ALL
(SELECT 2 as A FROM Households H)
UNION ALL
(SELECT 3 as A FROM Households H)
The part that is getting to me is that I am able to run the above successfully as long as I run only one UNION, meaning the SQL below, but the moment I add a third one, it gives an ODBC error:
(SELECT 1 as A FROM Households H)
UNION ALL
(SELECT 2 as A FROM Households H)
I tried using ` or ' or [] but none of these helped. The reason I am frustrated with this error is that it should either fail with all or none, but it gives an error only when using two or more UNION clauses. Could this be a potential bug in the driver?
I am using mysql-64 bit on win-7 64bit with ms-access and a 32-bit driver. It shouldn't be an architecture problem as I am able to run other queries with multiple UNIONs, and accessing the same set of tables.
It would be great if someone can give pointers on how to debug this further.
In my version of Access, when I edit a query in Design (SQL) view there are three buttons at the top. "Union", "Pass-Through", and "Data Definition".
If I click "Pass-Through" your query works. If I click "Union" it breaks. Can you get away with using "Pass-Through" for this query?
Even in "Union" or "Data Definition" mode, this seems to work:
(SELECT 1, column1 as A FROM Households H)
UNION ALL
(SELECT 2, column2 as A FROM Households H)
UNION ALL
(SELECT 3, column3 as A FROM Households H);
Maybe Access is confused by only a single column?
Alternatively, just use a multiplex table instead of a union:
SELECT mux.id,
IIf(mux.id=1,column1,IIf(mux.id=2,column2,column3)) AS A
FROM Households, mux;
Note: the mux table should have 3 values in it: 1, 2, 3. If it has more, you'd want to limit to the first 3 (or n) in a WHERE clause.
It is a known MySQL problem: more than two UNION SELECT statement problem (with MS Access), but I don't know if the problem is in the MS Access SQL parser (which compiles to ODBC SQL), or in the MySQL ODBC driver (which compiles ODBC SQL to MySQL SQL).
To work it out, I'd have to look at the ODBC log and the ODBC specification, and see if Access was emitting valid ODBC SQL.
That would be a waste of effort, since it makes more sense to use a pass-through query anyway. The main reason for using a native MS Access query in this place would be to join different data sources - for example, an Excel spreadsheet and a MySQL table - and according to the comments on the MySQL bug report, the problem goes away when you do that.
I am not sure about where the problem lies, but I think (though it's only an assumption) that this is on the MS Access side. I had two UNION queries, each of them putting some other queries together. Both used somewhat complicated sub-queries, so I had lots of problems creating a pass-through query, and I didn't want to use MySQL "views".
Surprisingly one of my queries worked, the other showed an error. My idea is that the working query used some Access features while the other was just some kind of SELECT ... FROM.
I don't know the rules, but I think that when your query is simple, Access sends it to the external database engine and puts one more bracket in, which causes an error. If you do a complicated query, Access gets all the data it needs and performs all the necessary operations itself. For example, you may try to create a pivot query that uses the MSSQL TRANSFORM statement, which does not exist in MySQL, so it is obvious that Access handles it itself. So why couldn't it do a SELECT by itself? I don't know. Maybe some performance reasons?
My working query differed from the other in that it had one more (string) field that was calculated by a built-in Access function. It also used the Access & operator, which has another meaning (logical AND) in MySQL. (By the way, to join strings in MySQL use the CONCAT function.) They of course need to be evaluated by Access, because MySQL does not understand this method of joining strings together.
I suggest making the UNION not from tables, but from queries (like SELECT * FROM tablename and nothing more) and giving them a field that you don't need but that will force Access to handle the query. So a query (in Access) should look like this:
SELECT tablename.*, [somefield1]&[somefield2] AS useless_field FROM tablename;
(In my Access 2000, operations like "a" & "b" or IIf(true;true;false) were probably simplified and resolved, so it didn't work. I think one needs at least one dynamic field to evaluate. I also did no performance tests. Probably it would be fastest if you add two integers; maybe just increase your index by 1?)
Then, of course, you join it together:
SELECT * FROM query1
UNION ALL
SELECT * FROM query2
UNION ALL
SELECT * FROM query3
UNION ALL
...
SELECT * FROM queryn
;
You don't need this useless_field of course.
I agree that this is a workaround but I have no other ideas.