How to exploit the "PHP_MAGIC_QUOTES ON" vulnerability in order to cause max damage?
In PHP you cannot stack querys with a semicolon. However you can nest a query into another with parentheses (commonly called subqueries), e.g.:
SELECT * FROM vulnerable_table WHERE id = (SELECT number from other_table)
Using this technique (disregarding whether you output your SQL result or not) a keen attacker may extract all data from your database.
Example (with output on the web page)
SELECT * FROM vulnerable_table WHERE id = (SELECT group_concat(table_name) from information_schema.tables WHERE version = 10)
This query will result in a list (as a string) of all user-defined tables in your database. Further queries will reveal the columns and let the adversary gain full knowledge of your table structure (for example: "tbl_accounts, tbl_passwords, tbl_guestbook").
If you don't give any output on your web page an attacker might still inject a conditional (think: case-when) statement with his SQL subquery, which will result in an SQL error in one case and no error in the other case. Deriving from "no output at all" and your normal webpage you can gather 1 Bit of information and perform a binary search through your database.
Generating strings in an SQL query like the one you suggested to upload a PHP-Backdoor (depending on whether the current MySQL user has the FILE privilege, which he shouldnt ;)) is also not that hard to come by: Using the ascii(), and ord() functions you can just create your strings with integer inputs. Also a value like 0x414141 will automatically converted to 'AAA' in MySQL.
Regarding very advanced attack and filter evasion techniques I also recommend you to read Reiners' blog on SQL security: http://websec.wordpress.com/
For completeness's sake: To fix this vulnerability, you can just perform a typecast and transform $_GET['id'] to an integer.
If your company is in any way a part of regulations requiring security (like SOX or HIPPA in the US) or trade standards (like PCI or various ISO standards), all you have to do is tell them that:
- you've found holes that could let anyone download the entire database and network (stretch the truth a bit if you have to sell it, and remind them of the ACS:Law leak).
- give them hard numbers about how much time and money it cost other companies that lost data or got hacked.
- that if you're ever audited, the company can be fined or dropped for not complying to standards.
- that if you're ever sued or prosecuted, and there is any evidence whatsoever that you ignored a known or major potential problem, punitive damages could be enough to drive the company into bankruptcy. (See the Ford Pinto lawsuit.)
This will work better if you can talk the company lawyer into delivering the bad news. If that doesn't work, there's nothing that can save your company.
Whatever you do, forget exploiting the vuln yourself. You open yourself up to lawsuits and jail time if you do that without written permission, though a little evidence that shows it working on a test account you specifically set up for the purpose might work.
Here is possible information extraction (like files reading or database user information extraction) and server resources consumption. First is achievable by using UNION statement in query. Second is done by using BENCHMARK() function. Data extraction is also possible by the use of mentioned function.
I don't want to show examples here - they are all over the internet. And I suppose, as system maintainer you're able to reproduce cases. If you really need them, comment.
By the way, you don't need semi colon to be supported to be able to write to files (access to write to file is needed, though).