Comments on: Exploiting SQL Injections In Insert Statements http://www.notsosecure.com/folder2/2007/10/07/exploiting-sql-injections-in-insert-statements/ From Pentesters To Pentesters Sat, 22 Oct 2011 05:42:18 +0100 http://wordpress.org/?v=2.8.4 hourly 1 By: Arvind http://www.notsosecure.com/folder2/2007/10/07/exploiting-sql-injections-in-insert-statements/comment-page-1/#comment-95552 Arvind Wed, 07 Apr 2010 08:20:12 +0000 http://www.notsosecure.com/folder2/2007/10/07/exploiting-sql-injections-in-insert-statements/#comment-95552 A late comment but one none the less ;) . Say there's a situation where there is just 1 field which is vulnerable to SQL Injection and the query passed to the DB is an Insert query...just like you mentioned here. For simplicity lets say its numeric like you say. Lets say its PHP-MySQL(so no stacked queries) like admin';drop table blah# Now what's the max that can be done by an attacker here? The way I see it he can: --- By crafting a SELECT query like you mention, detect that a dynamic query is being used. Hence be able to insert the result of the SQL query as a value which is part of the Insert query. --- However there is no way he can select data from other tables whose name he does not know and cannot enumerate. So unless you guess tables etc there isn't much you can do..rt? Is there something I have missed? Thnx Arvind A late comment but one none the less ;) . Say there’s a situation where there is just 1 field which is vulnerable to SQL Injection and the query passed to the DB is an Insert query…just like you mentioned here. For simplicity lets say its numeric like you say. Lets say its PHP-MySQL(so no stacked queries) like admin’;drop table blah#

Now what’s the max that can be done by an attacker here? The way I see it he can:
— By crafting a SELECT query like you mention, detect that a dynamic query is being used. Hence be able to insert the result of the SQL query as a value which is part of the Insert query.

— However there is no way he can select data from other tables whose name he does not know and cannot enumerate. So unless you guess tables etc there isn’t much you can do..rt?

Is there something I have missed?

Thnx
Arvind

]]>