Injecting Insert statements: MySQL error based injection

Exploring my options

One night while banging injection payloads into a random page I suddenly found myself in an insert statement! This is when I got the idea to use insert statements for MySQL error based injection vectors.

Some people might be wondering why on earth would one would want to inject an insert? Would that even work?

The answer is YES! you can use INSERT statements to leak data via Error based injection much like people already do using SELECT statements
Why?
  •  Companies with huge databases at their disposal like to keep track of things like the User-Agents,IPs,Time,etc when their pages are being requested
  • It extends your scope as an injection hacker!
  • Its the only way to maliciously inject INSERT statements to contribute to a system take over! this is because using error based injection, an insert statement can be used to leak data or even perform Remote File Inclusions
    • you could inject data into the web server using INSERTS for,say, maybe higher privileges on the web app, but that wouldn't reliably contribute to a system take over 
  • Its easy!! If you've mastered Error Based injection for SELECT statements then you can pretty much use everything you've already learnt!
How?
 Its pretty straight forward, this is basically what an insert statement looks like:

INSERT INTO table_name
(colunm_name,column_name,...,column_name)
VALUES (value,value,value,...,value
the values are either literal values or values determined by other functions or select statements.
This is great news for an injection hacker because it means we can craft any select statement we want!
For instance, to make the INSERT statement halt and cause the database to display its version signature we can inject this select query...



  • (select 1 from(select count(*),concat(version(),

floor(rand(0)*2))x from information_schema.tables group by x)a)

which would appear in an INSERT statement as follows:

INSERT INTO table_name [...column_names...]
VALUES (  (select 1 from(select count(*),concat(version(),

floor(rand(0)*2))x from information_schema.tables group by x)a) , ... , ... )
 Here I've shown the same example in my MySQL shell



What this means effectively is anywhere you can use a SELECT statement, an error based injection is possible


Any Error based injection payload can be used or augmented so that it will cause an error, you have lot more freedom injecting an INSERT because often you don't need to break out and rejoin any SELECT statements using UNION.

Some other things to note:

  • You are halting the INSERT statement because the SELECT must be executed first!
  • I suspect
    • UPDATE
    • DELETE statements are also injectable since they can also contain SELECT statements

Hope this gave you some ideas!!

Comments