Posts

Showing posts with the label Javascript

Injecting Insert statements: MySQL error based injection

Image
One night while banging injection payloads into a random page I suddenly found myself in an insert statement! This is when I got the idea to use insert statements for MySQL error based injection vectors.
Some people might be wondering why on earth would one would want to inject an insert? Would that even work?
The answer is YES! you can use INSERT statements to leak data via Error based injection much like people already do using SELECT statements

Injecting javascript via MySQL error based injection

Image
I've written about this in a couple of other articles, but I needed it to be on my new blog because it makes a good attack especially when dealing with MySQL databases, because:

MySQL on *nix servers can be configured pretty well, making access to the database very difficult and therefore pwnage can be very difficult!!You have the ability to extend MySQL Error based injection into other attacks that may not be viable on the web application like:non-persistent XSSDefacement of the siteHTTP parameter pollutionDDos (more on this in another post!!) ---using this web application to make requests to other servers at the expense of the person visiting the page

Labels

Show more