Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Batched (or stacked) queries SQLi

secf00tprint | Last updated: Jul 03, 2020 08:41PM UTC

At https://portswigger.net/web-security/sql-injection/cheat-sheet chapter #Batched (or stacked) queries it is written: "MySQL Does not support batched queries." Perhaps I understand it wrong, but when I'm starting a mysql instance running : sudo docker run --name some-mysql -e MYSQL_ROOT_PASSWORD=my-secret-pw -d mysql sudo docker exec -ti some-mysql mysql -uroot -pmy-secret-pw I can do: SELECT table_name FROM information_schema.tables; select @@version; ... | x$user_summary_by_stages | | x$user_summary_by_statement_latency | | x$user_summary_by_statement_type | | x$wait_classes_global_by_avg_latency | | x$wait_classes_global_by_latency | | x$waits_by_host_by_latency | | x$waits_by_user_by_latency | | x$waits_global_by_latency | +------------------------------------------------------+ 311 rows in set (0.01 sec) -> ; +-----------+ | @@version | +-----------+ | 8.0.20 | +-----------+ 1 row in set (0.00 sec) Do I miss something?

secf00tprint | Last updated: Jul 05, 2020 08:43PM UTC

Verified it: The mysql client seems to take the queries apart and send them individually to the database. If you test it directly in a SQLi or in code, it doesn't work.

Michelle, PortSwigger Agent | Last updated: Jul 06, 2020 02:18PM UTC

Hi Have the tests you've done to verify things have helped you to clear things up? Please let us know if you still have any questions.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.