Wednesday, July 18, 2012

SQLI-LABS SERIES PART 13

INJECTION IN UPDATE QUERY

In the earlier parts of the series we looked at GET and POST based injections and went into detail on error based SQL injections (string type, integer type), error based double query injections, blind injections (Boolean based and time based) and the use of outfile/dumpfile. In this part we look at injections in the UPDATE query, using Less-17.
A general update query looks like:

UPDATE TABLE SET PARAMETER-1="some value" WHERE PARAMETER-2="some value";

In the general case, a front end for a password update or profile update would have this query working in the backend. During a pentest be extra careful while handling these queries, because one wrong test can update the complete production database with wrong values.

CAUTION: This is for educational purposes only. Please do not use the skills you gain from following the video lessons and blog to harm or test sites on the internet for which you do not have permission. Doing so is illegal. I do not support these sorts of activities and would advise you all to stay away from them. If you do so, you are solely responsible for your actions; you have been warned.


In the update statement injection, our objective is to extract info and not update the database, therefore we can use the basics of:

  • Double query injection
  • Blind injection
  • Dumpfile/outfile to extract the information.




Basic query injections:
Less-17 Line number 97
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
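
The caution about one test value rewriting every row, shown against the Less-17 statement above as an added example (not code from the lab or the original post). It assumes an in-memory SQLite table standing in for the lab's MySQL `users` table; the helper names and sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample table; SQLite stands in for the lab's MySQL backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "a1"), ("alice", "b2"), ("bob", "c3")])
    conn.commit()
    return conn

def update_concatenated(conn, username, passwd):
    # Same shape as the Less-17 statement: values are pasted into the SQL text.
    sql = f"UPDATE users SET password = '{passwd}' WHERE username='{username}'"
    return conn.execute(sql).rowcount

def update_parameterized(conn, username, passwd):
    # Placeholders keep the values out of the SQL grammar entirely.
    cur = conn.execute("UPDATE users SET password = ? WHERE username = ?",
                       (passwd, username))
    return cur.rowcount

def guarded(conn, update_fn, username, passwd, max_rows=1):
    # Safety net while testing: roll back if more rows change than expected.
    changed = update_fn(conn, username, passwd)
    if changed > max_rows:
        conn.rollback()
        return ("rolled_back", changed)
    conn.commit()
    return ("committed", changed)

def passwords(conn):
    return dict(conn.execute("SELECT username, password FROM users"))

def demo():
    probe = "x' -- "  # constructed test string: a quote, then a comment marker
    conn = make_db()
    # Concatenated form: the WHERE clause is commented out, so all rows match.
    unsafe = guarded(conn, update_concatenated, "admin", probe)
    after_unsafe = passwords(conn)
    # Parameterized form: the same string is stored as data for one user only.
    safe = guarded(conn, update_parameterized, "admin", probe)
    return unsafe, after_unsafe, safe, passwords(conn)

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The row-count check with rollback limits the damage of a mistyped test value; the parameterized statement is what removes the injection point.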

