Tags: php, mysql, jsp, web, sql-injection

In which web language can I execute multiple queries with SQL injection?


I'm doing a college work about web vulnerabilities, and I need to demonstrate in practice some of those vulnerabilities, especially SQL injection. I developed two applications, one in PHP, and one in JSP, but none of those accepts multiple queries, and I need to execute a DROP TABLE from a SQL injection script.

So I already know that mysql_query() escapes multiple queries, and Statement.execute() does too; I haven't tried ASP.NET yet. But is ASP.NET the only web language that allows that in the simplest query syntax? mysql_query() is PHP's simplest syntax and st.execute() is JSP's simplest syntax, which means that a lot of web applications use this syntax.

JSP

// con is an open java.sql.Connection; the second statement is the one that gets rejected
String query = "SELECT * from user; DROP TABLE user;-- ";
Statement st = con.createStatement();
st.execute(query);

PHP

mysql_query("SELECT * from user; DROP TABLE user;-- ");

Edit: I was not very clear, I'm making a vulnerable login application, and I need to DROP a table with a SQL injection, like in a query:

"SELECT * FROM user where user ='".$_POST['user']."' AND pass = md5('".$_POST['pass']."')";

I pass '; DROP TABLE user; -- ' in the user field. My question is: which web language allows me to do that without using specific functions like mysqli_multi_query()?


Solution

  • Another possibility would be that you could try some roundabout way, such as having PHP call shell_exec() and run all the SQL statements through the MySQL console command line via PHP. I am not even sure this can be done, given the interactive nature of the command line here.

    Unfortunately it won't really be a way that you can say is commonly used. It seems like all the input suggests that it just can't be done directly these days, at least not the multi-query injection. But that doesn't mean that there are not other SQL injection attacks that can happen.

    The one thing that I can think of is using comments or sub-queries. With comments you would have to spend a lot of time crafting a solution whereby you add a "--" to the end of your injected SQL to close out the rest of the SQL statement. This would be problematic if there are any line breaks after where your code goes. But using sub-queries seems more possible.

    For sub-queries what you would do is probably inject into a search query a value that goes into a WHERE clause.

    Example...

    Start with this query:

    SELECT * FROM students WHERE first_name = 'bobby'; -- Bobby being an unsanitized value.

    Becomes:

    SELECT * FROM students WHERE first_name = 'bobby' AND (DELETE FROM students WHERE student_id > 0) = true AND '' = '';

    In my second example I injected this:

    ' AND (DELETE FROM students WHERE student_id > 0) = true AND '' = '

    This uses the sub-query method to inject an action statement. Check out the page on the SQL standards: http://www.w3resource.com/sql/subqueries/understanding-sql-subqueries.php