Essay on Inject: Sql and Insert into Users

Submitted By TaeH2014

SQL Injection in Insert, Update and Delete Statements

Osanda Malith Jayathissa

Table of Contents
Acknowledgements
Introduction
Lab Setup
Syntax for Injecting
Injection using Updatexml()
    Insert
    Update
    Delete
    Extraction of Data
Injection Using extractvalue()
    Insert
    Update
    Delete
    Extraction of Data
Injection Using name_const()
    Insert
    Update
    Delete
    Extraction of Data
Double Query Injection
    Insert
    Update
    Delete
    Extracting Data
Other Variations
Conclusion
References
About the Author

Acknowledgements
Thanks to Ryan 'ethicalhack3r' Dewhurst for helping review.

Special Dedications: ajkaro: You showed me the correct path into the world of SQLi. I owe you so much for sharing your knowledge and experience with me. You were such a great friend. I miss you. Hood3dRob1n: For each script I write, it is because of you who always inspired me and motivated me.

Introduction
Most of the time when we talk about SQL injection, we extract data using the union keyword or the error-based, blind boolean and time-based injection methods. All of these apply where the application is performing a SELECT statement on the back-end database. How do we inject into places where the application is performing an INSERT, UPDATE or DELETE statement? For example, applications use INSERT statements when they want to store IP addresses, user agent strings, referrer URLs and other data in the database. These statements are also used when manipulating user accounts: creating a new password, changing names, deleting accounts. This is not limited to direct user input: if we can fuzz whatever the application takes as input, and that input is not properly sanitized or filtered, we can go ahead and inject (assuming that there are no WAFs or blacklists). This paper is based on the MySQL error response: in the web application, mysql_error() should be echoed back to us.
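
An added example (not from the original paper) of the case described above: a request header value stored by an INSERT. The `visits` table and the function names are hypothetical, and Python's sqlite3 stands in for MySQL so the example runs offline. The first function concatenates the value and echoes the database error; the second binds parameters and returns a generic message.

```python
import sqlite3

def make_db():
    # In-memory SQLite stands in for the MySQL back end (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visits (ip TEXT, user_agent TEXT)")
    return db

def log_visit_vulnerable(db, ip, user_agent):
    """Concatenates request data into the INSERT and echoes the DB error."""
    sql = "INSERT INTO visits (ip, user_agent) VALUES ('%s', '%s')" % (ip, user_agent)
    try:
        db.execute(sql)
        return "ok"
    except sqlite3.Error as exc:
        # Same effect as echoing mysql_error(): the client sees the DB's own message.
        return "DB error: %s" % exc

def log_visit_hardened(db, ip, user_agent):
    """Binds request data as parameters and keeps error detail server-side."""
    try:
        db.execute("INSERT INTO visits (ip, user_agent) VALUES (?, ?)", (ip, user_agent))
        return "ok"
    except sqlite3.Error:
        # A real application would log the detail server-side here.
        return "request failed"

def stored_agents(db):
    # Values as they ended up in the table.
    return [row[0] for row in db.execute("SELECT user_agent FROM visits")]

# Constructed sample header values; the second contains a single quote.
SAMPLE_AGENTS = ["Mozilla/5.0 (X11; Linux x86_64)", "Mozilla/5.0 (O'Brien build)"]

if __name__ == "__main__":
    for fn in (log_visit_vulnerable, log_visit_hardened):
        db = make_db()
        results = [fn(db, "203.0.113.7", ua) for ua in SAMPLE_AGENTS]
        print(fn.__name__, results, stored_agents(db))
```

With the concatenated statement, the quote in the second value ends the string literal early, so the statement fails and the parser's message is returned to the caller. With bound parameters, the same value is stored verbatim.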

Lab Setup
Let’s create a database first by the name `newdb` and create one sample table to practice our injections. Stick to your localhost. Don’t go ahead and test against live