Heya! It's been a long while since I wrote something here, so I thought I'd dust off the blogger keyboard and get some posts going. To start off I will cover MySQL injection in INSERT and UPDATE statements. Which injection points in an INSERT query let us extract data? In the previous INSERT post we covered the VALUES() injection point (INSERT INTO tbl_name (column_name) VALUES ([here]), ([and here])), but there are other ways to write an INSERT statement:
INSERT INTO tbl_name SET column_name = '[here]'
INSERT INTO tbl_name (column_name1, column_name2) SELECT 'hello', '[here]'
The problem with the first case is that we don't know the column names, and with the second we don't know the column count. Since we don't know the column names, we can't append another "SET column_name = value" to the first statement, so we have to find a way around that. For the second, we also need something we can insert without breaking the query.
So what can we do?
We can append to the string value that is already there! But what can we do with just a string value? Well, all bitwise and logical operators (NOT, OR, XOR, AND) work on it, and they need no surrounding spaces. Let's build an injection for the first scenario.
'XOR(SLEEP(1))OR'
becomes:
INSERT INTO tbl_name SET column_name = ''XOR(SLEEP(1))OR'' [...]
It works, and the XOR expression evaluates to 0! Now let's put that into the second query.
INSERT INTO tbl_name (column_name1, column_name2) SELECT 'hello', ''XOR(SLEEP(1))OR''
It also works! Splendid. What about UPDATE and SELECT statements? Yup, it's the same with those. I have written a neat proof of concept for this that searches GET variables (yes, I know, who the hell would insert something from a GET variable? But whatever!) and common headers (including Referer and User-Agent) for these kinds of injections, and here is the source code!
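The root cause behind every form shown above is the same: the application splices the user-supplied string into the SQL text, so a closing quote followed by an operator leaves the literal. The following is an added example (not code from the post or its proof of concept) that puts the vulnerable query builder beside the hardened one. It assumes a hypothetical `comments` table with a `body` column and uses the sqlite3 driver so it runs offline; MySQL drivers such as mysql-connector and PyMySQL expose the same bound-parameter API with `%s` placeholders.

```python
import sqlite3

# Constructed sample input: the literal break-out value discussed in the post.
PAYLOAD = "'XOR(SLEEP(1))OR'"


def build_insert_unsafe(table, column, value):
    """Vulnerable pattern: the user-controlled value is spliced into the SQL text.

    Returns the SQL string that would be sent to the server so the break-out is
    visible: the first quote of the value closes the literal and everything after
    it is parsed as operators.
    """
    return f"INSERT INTO {table} SET {column} = '{value}'"


def build_update_unsafe(table, column, value, row_id):
    """Same defect in an UPDATE; the post notes UPDATE behaves like INSERT."""
    return f"UPDATE {table} SET {column} = '{value}' WHERE id = {row_id}"


def insert_safe(conn, value):
    """Hardened pattern: the value travels as a bound parameter, never as SQL text.

    Returns the stored body read back from the table, which is the exact bytes the
    user sent, quotes and operators included.
    """
    conn.execute("INSERT INTO comments (body) VALUES (?)", (value,))
    conn.commit()
    row = conn.execute(
        "SELECT body FROM comments ORDER BY id DESC LIMIT 1"
    ).fetchone()
    return row[0]


def update_safe(conn, row_id, value):
    """Parameterised UPDATE; returns the body after the update."""
    conn.execute("UPDATE comments SET body = ? WHERE id = ?", (value, row_id))
    conn.commit()
    row = conn.execute("SELECT body FROM comments WHERE id = ?", (row_id,)).fetchone()
    return row[0]


def demo():
    """Run both paths against an in-memory database and return what each produced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    unsafe_sql = build_insert_unsafe("comments", "body", PAYLOAD)
    stored = insert_safe(conn, PAYLOAD)
    updated = update_safe(conn, 1, PAYLOAD + " edited")
    row_count = conn.execute("SELECT count(*) FROM comments").fetchone()[0]
    return unsafe_sql, stored, updated, row_count


if __name__ == "__main__":
    sql, stored, updated, n = demo()
    print("unsafe query text :", sql)
    print("safely stored value:", stored)
    print("after safe update  :", updated)
    print("rows in table      :", n)
```

In the unsafe output the literal reads `''XOR(SLEEP(1))OR''`, which is exactly the server-side statement the post shows; in the parameterised path the same payload is simply a row of text, and no amount of quoting or operator placement in the value changes the statement that the driver sends.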
The principle behind this article is the evaluation order of the SQL statement: as with the statement marked in red, the database engine first evaluates the expression after column_name= and only then inserts the resulting value into column_name. As shown in the figure:
In my case the column is numeric, so I do not append OR after XOR(); for a string column, use the foreign hacker's statement XOR(SLEEP(1))OR. When you run into an UPDATE, the method is the same as for INSERT.
So whenever we encounter an INSERT or UPDATE, we inject using this method.
At this point someone will ask: UPDATE and INSERT only modify the database, so how do we get data out through the injection? This is the key point. Everyone should know that MySQL has an error-based injection method, just like MSSQL: the statement is deliberately made to fail so that the error message reveals the data we want. The statements are as follows:
Method 1:
and exists(select * from ( select * from (select name_const(version(),0) )a join (select name_const(version(),0) )b )c )
Method 2:
and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT version()))a from information_schema.tables group by a)b)
Combining XOR/OR with an error-producing statement lets us inject just as we would through a SELECT. Haha, pretty sweet!~
The database throws an error, haha, and our goal is achieved. Yoshi... dear readers, please don't throw eggs...
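From the defender's side, both halves of this page (the quote-plus-bitwise-operator break-out and the two error-based statements) leave recognisable shapes in request logs, and the English post notes that the same values arrive through GET parameters and headers such as User-Agent and Referer. The following is an added detection example, not code from the post or its proof of concept. It assumes a constructed tab-separated log format (timestamp, method, path with query, User-Agent, Referer); the rule names and the sample lines are my own, and the patterns are illustrative rather than a complete rule set.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the payload shapes discussed on this page. A real deployment would
# tune these against its own traffic and add the operators its own dialect allows.
RULES = {
    # closing quote, optional whitespace, bitwise/logical operator, open paren:
    # the ''XOR(...)OR'' literal break-out, which needs no spaces at all
    "quote-bitwise-breakout": re.compile(r"""['"]\s*(?:xor|or|and|\^|\||&)\s*\(""", re.I),
    "time-based-sleep": re.compile(r"\bsleep\s*\(", re.I),
    "error-based-name_const": re.compile(r"\bname_const\s*\(", re.I),
    "error-based-rand-groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I
    ),
}

# Constructed sample log (not real traffic): timestamp, method, target, User-Agent, Referer.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z\tGET\t/comment?text=hello+world\tMozilla/5.0\thttp://example.test/",
    "2024-01-01T10:00:01Z\tGET\t/comment?text=%27XOR%28SLEEP%281%29%29OR%27\tMozilla/5.0\thttp://example.test/",
    "2024-01-01T10:00:02Z\tGET\t/comment?text=hi\t'XOR(SLEEP(1))OR'\thttp://example.test/",
    "2024-01-01T10:00:03Z\tGET\t/comment?text=1+and+exists(select+*+from+(select+name_const(version(),0))a)\tMozilla/5.0\thttp://example.test/",
    "2024-01-01T10:00:04Z\tGET\t/search?q=xor+gate+tutorial\tMozilla/5.0\thttp://example.test/",
]


def scan_value(value):
    """Return the names of the rules that fire on one request field.

    The field is URL-decoded first so percent-encoded query strings are matched
    the way the database would eventually see them.
    """
    decoded = unquote_plus(value)
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def scan_line(line):
    """Split one log line into the fields the post's PoC probes and scan each of them."""
    _ts, _method, target, user_agent, referer = line.split("\t")
    query = target.partition("?")[2]
    fields = {"query": query, "user_agent": user_agent, "referer": referer}
    return {field: hits for field, value in fields.items() if (hits := scan_value(value))}


def scan_log(lines):
    """Return {line_number: {field: [rule names]}} for every line that fired a rule."""
    results = {}
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            results[number] = hits
    return results


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG).items():
        for field, names in hits.items():
            print(f"line {number}: {field}: {', '.join(names)}")
```

The break-out rule anchors on the quote that precedes the operator, so ordinary words like "xor" or "or" in a search query (line 5 of the sample) do not fire; the error-based rules look for the specific function shapes the two statements above rely on. Matches in the User-Agent or Referer fields (line 3) are worth the same attention as matches in the query string, which is the point the English post makes about its proof of concept.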
Making UPDATE and INSERT injectable like SELECT
http://www.2cto.com/Article/201106/94974.html
http://wenku.baidu.com/link?url=JeMra-IrW3dsC3DaifMZMmlZ2PdDrwSsT8yAbg6QBIK3194ww1J4HsNkrGUqJYDQ5ajeVu7GgeQysPUO9FogX3bAcwpPmJbRqWtX8blhn5a