Mastering Stacked Injection: A Beginner’s Guide to Advanced SQL Techniques

As a newbie, all I could do was cry helplessly. So, our senior took us to explore a foreign website. It was an **app, but I won’t disclose its name. Together, we found the website’s backend. Since it was deployed with a CDN, we couldn’t locate the real IP address, and no one had any solid ideas. But our senior was truly remarkable—he successfully gained access to the backend in just two days. He documented the entire process in his blog, but due to legal concerns, it was never made public. Instead, he shared a markdown file in the group for everyone to study. The method involved using stacked injection to update the admin’s hashed password and achieve a shell.


Since I wasn’t skilled enough, I had never studied stacked injection before. So, I quickly decided to catch up and not drag down the group’s average level.

Injection Principle

Typically, when we perform SQL injection, we modify the data that gets embedded into the application's original SQL statement, so the injection is bound by the limitations of that statement. For example, inside a SELECT statement we can only perform SELECT operations and cannot execute INSERT, DELETE, or UPDATE commands. The same applies to other statement types, which means our injection capabilities are quite limited. Stacked injection breaks these limitations entirely. As the name suggests, it allows stacking multiple SQL statements in one injection, so we are no longer restricted by the preceding statement. The principle is straightforward: after completing the original statement, we add a semicolon to terminate it. Whatever follows is a completely new SQL statement, allowing operations such as INSERT, DELETE, UPDATE, and SELECT, limited only by the privileges of the database user.

Usage Conditions

The conditions for using stacked injection are quite limited. It may be restricted by the API, the database engine, or permissions. Stacked injection only works when the database function used by the application supports executing multiple SQL statements in a single call. For example, PHP's mysqli_multi_query() function executes several SQL statements at once. In real-world code, however, PHP applications more commonly use mysqli_query(), which executes only a single statement: anything after the semicolon is simply not run, so stacking is not possible even when the query is otherwise injectable. This makes stacked injection rare in practice, but wherever it is possible, it poses a significant threat to the website.

I used sqli-labs to study this injection method, specifically Challenge 38, which is character-based.

The first step was to add a single quote to trigger an error.


By directly observing the source code, I found that, unlike the previous challenges, which used the mysql_query() function, this one uses mysqli_multi_query().

So, what does this function do?

It becomes clear that this function allows multiple SQL statements to be executed simultaneously.

We attempted the following injection statement: '; insert into users(id,username,password) value (666,'zgao','zgao')--+

No errors occurred, indicating that all commands were executed successfully. At this point, we checked the database.

The data was successfully inserted.
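The API condition described above, as an added example that is not part of the original post: Python's sqlite3 module exposes the same split as PHP, with executescript() playing the role of mysqli_multi_query() (runs every statement) and execute() playing the role of mysqli_query() (refuses a second statement). The table name, the seed row and the payload (adapted from the Challenge 38 payload to SQLite's VALUES syntax) are constructed for this demo, and the third function shows the parameterised form that closes both the stacked and the ordinary injection.

```python
import sqlite3

# Constructed stand-in for the sqli-labs "users" table (assumption, not the lab's real schema).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'Dumb', 'Dumb');
"""

# The page's payload, adapted to SQLite (VALUES instead of VALUE); '--' comments out the rest.
PAYLOAD = "'; insert into users(id,username,password) values (666,'zgao','zgao')--+"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def lookup_multi(conn, user_input):
    """Vulnerable: string concatenation AND a multi-statement API (like mysqli_multi_query).
    Every statement after the injected ';' is executed, so the INSERT lands."""
    sql = f"SELECT id, username FROM users WHERE username='{user_input}'"
    conn.executescript(sql)
    return row_count(conn)


def lookup_single(conn, user_input):
    """Same concatenation, but a single-statement API (like mysqli_query).
    The driver rejects the stacked statement; the query is still injectable, just not stackable."""
    sql = f"SELECT id, username FROM users WHERE username='{user_input}'"
    try:
        conn.execute(sql)
    except (sqlite3.ProgrammingError, sqlite3.Warning):  # "You can only execute one statement at a time."
        return "rejected"
    return row_count(conn)


def lookup_param(conn, user_input):
    """Hardened: parameter binding. The input is bound as a value and never parsed as SQL,
    so neither the stacked INSERT nor the quote-breakout has any effect."""
    rows = conn.execute("SELECT id, username FROM users WHERE username=?", (user_input,)).fetchall()
    return len(rows)


if __name__ == "__main__":
    for fn in (lookup_multi, lookup_single, lookup_param):
        print(f"{fn.__name__}: {fn(fresh_db(), PAYLOAD)}")
```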

Although the name “stacked injection” sounds sophisticated, it’s not as difficult as I imagined. In fact, it’s even simpler because it doesn’t have as many constraints as other injection methods.

Moreover, our senior’s approach was brilliant. He directly generated a new hashed password, updated the admin’s password, gained shell access, and then reverted the changes.

Finally, here’s a screenshot of our senior accessing the backend. Truly impressive. I bow down in admiration.

Here’s a little secret to share: “Clean Net 2019” Campaign Against Online Pornography: A Record of Penetrating an Adult “TikTok”

And here’s our senior’s blog: http://quyunjie.cn/