MySQL INSERT/UPDATE Injection PoC
Heya! It's been a long while since I wrote something here, so I thought I'd dust off the blogging keyboard and get some posts going. To start off I will cover MySQL injection in INSERT and UPDATE statements.
What injection points in an INSERT query can we extract data from? In the previous INSERT post we covered the VALUES() injection point (INSERT INTO tbl_name (column_name) VALUES ([here]), ([and here])) but there are other ways to forge an INSERT statement.
INSERT INTO tbl_name SET column_name = '[here]'
INSERT INTO tbl_name (column_name1, column_name2) SELECT 'hello', '[here]'
The problem with the first case is that we don't know the column names, and with the second one we don't know the column count. Since we don't know the column names, we can't insert another "SET column_name = value" into the first statement, so we will have to figure out a way to get around this. And for the second, we also have to figure out something we can insert without screwing up the query.
So what can we do?
We can add to the string value that already exists! But what can we do with just a string value? Well, all bitwise and logical operators (NOT, OR, XOR, AND) work, and no spaces are needed! Let's build an injection that works with the first scenario.
'XOR(SLEEP(1))OR' becomes:
INSERT INTO tbl_name SET column_name = ''XOR(SLEEP(1))OR'' [...]
It works, and the XOR operation returns 0 (an empty string and SLEEP() both evaluate to 0)! Now let's try putting that into the second query.
INSERT INTO tbl_name (column_name1, column_name2) SELECT 'hello', ''XOR(SLEEP(1))OR''
It also works! Splendid. What about UPDATE and SELECT statements? Yup, it's the same with those.
I have written a neat Proof of Concept for this that searches GET variables (yes, I know, who the hell would insert something from a GET variable? But whatever!) and common headers (including Referer and User-Agent) for these kinds of injections, and here is the source code!
http://downloads.ackack.net/MySQL Injection INSERT PoC.rar
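Looking at the same thing from the defending side, as an added example that is not the author's PoC: a small Python scanner that flags the quote-then-operator pattern from this post in query parameters and in the headers the PoC searches. The sample requests are constructed, and X-Forwarded-For is an assumption added here, not a header the post names.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Added example, not the author's PoC: flag the string-context pattern from
# the post, where a quote closes the existing literal and a bitwise/logical
# operator follows with no space, e.g. 'XOR(SLEEP(1))OR'. Naive filters that
# look for "' OR " miss it because no whitespace is required.
OPERATOR_AFTER_QUOTE = re.compile(
    r"""['"]\s*(?:XOR|OR|AND|NOT|\^|\||&)\s*\(""", re.IGNORECASE)

# Time-based probes like the post's payload; checked separately so a hit can
# be tagged as a timing probe rather than a generic operator injection.
TIMING_FUNCTIONS = re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)

# Headers the post's PoC searches; X-Forwarded-For is an assumption added
# here because it is commonly stored verbatim by applications.
SCANNED_HEADERS = ("User-Agent", "Referer", "X-Forwarded-For")


def classify(value):
    """Return 'timing-probe', 'operator-injection', or None for one decoded value."""
    if OPERATOR_AFTER_QUOTE.search(value):
        return "timing-probe" if TIMING_FUNCTIONS.search(value) else "operator-injection"
    return None


def scan_request(target, headers):
    """Check the query string of `target` and selected headers of one request.

    Returns a list of (location, verdict, value) tuples; empty means clean.
    parse_qsl already percent-decodes, so values are examined in decoded form.
    """
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        verdict = classify(value)
        if verdict:
            hits.append(("query:" + name, verdict, value))
    for name in SCANNED_HEADERS:
        value = headers.get(name, "")
        verdict = classify(value)
        if verdict:
            hits.append(("header:" + name, verdict, value))
    return hits


# Constructed sample requests (not real traffic) for a quick self-check.
SAMPLE_REQUESTS = [
    ("/post.php?title=hello&body=%27XOR(SLEEP(1))OR%27", {"User-Agent": "Mozilla/5.0"}),
    ("/post.php?title=O%27Neil+rocks", {"Referer": "http://example.test/"}),
    ("/post.php?title=x", {"User-Agent": "'OR(1)OR'"}),
]

if __name__ == "__main__":
    for target, headers in SAMPLE_REQUESTS:
        print(target, "->", scan_request(target, headers) or "clean")
```

The apostrophe in "O'Neil" is not flagged because no operator and opening parenthesis follow the quote, which is what keeps this rule usable on real form data.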
That's it! Ciao.
PS. If you use the abbreviation "SQLi" you deserve to be engulfed in the eternal flames of hell. DS.


Sup, I'm Mathias and I was born in 1991. It feels like I should really write something here.