Let update and insert be injected like select

By ay shadow
 
Heya! Its been a long while since I wrote something here so Id though Id dust of the blogger keyboard and get some posts going. To start off I will cover the MySQL Injection in INSERT and UPDATE statements.

What injection points in an INSERT query can we extract data from? In the previous INSERT post we covered the VALUES () injection point (insert into tbl_name (column_name) VALUES ([here]), ([and here]) but there are other ways to forge an INSERT statement.

Insert into tbl_name SET column_name = [here]
Insert into tbl_name (column_name1, column_name2) SELECT hello, [here]

The problem with the first case is that we dont know the column nam es and the second one, we dont know the column count. since we dont know the column names, we cant insert another "SET column_name = value" into the first statementso we will have to figure out a way to get around this. and for the second, we also have to figure out something we can insert without screwing up the query.

So what can we do?

We can add to the string value that already exists! But, what can we do with just a string value? Well. All bitwise operations (NOT, OR, XOR, AND) work, and no need for spaces! Lets merge an injection to work with the first scenario.

XOR (SLEEP (1) OR becomes:

Insert into tbl_name SET column_name = XOR (SLEEP (1) OR [...]

It works, and it returns 0 from the XOR operation! Now lets try put that into the second query.

Insert into tbl_name (column_name1, column_name2) SELECT hello, XOR (SLEEP (1) OR

It also works! Splendid. What about UPDATE and SELECT statemens? Yup, its the same with those.

I have written a neat Proof of Concept to this that searches GET (Yes I know, who the hell wowould insert something from a GET variable? But whatever !) Variables and common Headers (Including referer and user-agent) for these kinds of injections and here is the sourcecode!

The principle of this article is to use the order in which SQL statements are executed, such as the statements marked in red, which are calculated by the database engine first.
The value after column_name =, and then insert the value into column_name.

I am a digital type here, so I will not add or to the later xor (). If it is a numeric type, I will use the foreign hacker's language.
Statement XOR (SLEEP (1) OR, the update method is the same as the insert method.

Therefore, we use this method to inject data in the case of insert and update.
In this case, someone will ask how to inject the update and insert statements to modify the database. This is the focus. We should know that mysql has an error injection method. Like mssql, we intentionally make the statement error to display the error information to expose the data we want. The statement is as follows:
Method.1: and exists (select * from (select name_const (version (), 0) a join (select name_const (version (), 0) B) c)

Method.2: and (SELECT 1 FROM (select count (*), concat (floor (rand (0) * 2), (SELECT version () a from information_schema.tables group by) b)
 
Use xor/or in combination with the error statement to inject the statement like select. Haha, it's quite refreshing !~

 

Database Error bird, haha, we achieved it. Xi... Do not drop eggs...