Source: http://k3170makan.blogspot.kr/2012/01/injecting-insert-statements-mysql-error.html
Exploring my options
One night while banging injection payloads into a random page I suddenly found myself in an insert statement! This is when I got the idea to use insert statements for MySQL error based injection vectors.
Some people might be wondering why on earth one would want to inject an INSERT. Would that even work?
The answer is YES! You can use INSERT statements to leak data via error-based injection, much like people already do using SELECT statements.
Why?
Companies with huge databases at their disposal like to keep track of things like User-Agents, IPs, time, etc. when their pages are being requested.
It extends your scope as an injection hacker!
It's the only way to maliciously inject INSERT statements to contribute to a system takeover! This is because, using error-based injection, an INSERT statement can be used to leak data or even perform Remote File Inclusions.
You could inject data into the web server using INSERTs for, say, maybe higher privileges on the web app, but that wouldn't reliably contribute to a system takeover.
It's easy!! If you've mastered error-based injection for SELECT statements, then you can pretty much use everything you've already learnt!
How?
It's pretty straightforward. This is basically what an INSERT statement looks like:
INSERT INTO table_name
(column_name,column_name,...,column_name)
VALUES (value,value,value,...,value)
The values are either literal values or values determined by other functions or SELECT statements.
This is great news for an injection hacker because it means we can craft any select statement we want!
For instance, to make the INSERT statement halt and cause the database to display its version signature we can inject this select query...
(select 1 from(select count(*),concat(version(),
floor(rand(0)*2))x from information_schema.tables group by x)a)
which would appear in an INSERT statement as follows:
INSERT INTO table_name [...column_names...]
VALUES ( (select 1 from(select count(*),concat(version(),
floor(rand(0)*2))x from information_schema.tables group by x)a) , ... , ... )
Here I've shown the same example in my MySQL shell
What this means, effectively, is that anywhere you can use a SELECT statement, an error-based injection is possible.
Any error-based injection payload can be used or augmented so that it will cause an error. You have a lot more freedom injecting an INSERT because often you don't need to break out and rejoin any SELECT statements using UNION.
Some other things to note:
You are halting the INSERT statement because the SELECT must be executed first!
I suspect UPDATE and DELETE statements are also injectable, since they can also contain SELECT statements.
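The root cause described above, seen from the defender's side, as an added example that is not part of the original post: a request-logging INSERT built by string concatenation lets the database evaluate a subquery carried in the User-Agent header, while a bound parameter stores the same header as plain text. It uses Python's built-in sqlite3 as an offline stand-in for MySQL; the table, the function names and the header value are all constructed for illustration.

```python
import sqlite3

# Constructed User-Agent value: closes the string literal, then asks the
# database to evaluate a subquery (SQLite's analogue of MySQL's version()).
CONSTRUCTED_UA = "probe' || (SELECT sqlite_version()) || '"


def make_db():
    """In-memory stand-in for a request-logging table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE request_log (ip TEXT, user_agent TEXT)")
    return db


def log_request_concat(db, ip, user_agent):
    """Vulnerable pattern: the header text becomes part of the SQL statement."""
    sql = ("INSERT INTO request_log (ip, user_agent) "
           "VALUES ('%s', '%s')" % (ip, user_agent))
    db.execute(sql)


def log_request_bound(db, ip, user_agent):
    """Hardened pattern: the header is bound as data and is never parsed as SQL."""
    db.execute(
        "INSERT INTO request_log (ip, user_agent) VALUES (?, ?)",
        (ip, user_agent),
    )


def stored_agents(db):
    """Return what actually ended up in the user_agent column, in insert order."""
    rows = db.execute("SELECT user_agent FROM request_log ORDER BY rowid")
    return [row[0] for row in rows]


def demo():
    db = make_db()
    # Same header through both code paths.
    log_request_concat(db, "203.0.113.5", CONSTRUCTED_UA)
    log_request_bound(db, "203.0.113.5", CONSTRUCTED_UA)
    return stored_agents(db)


if __name__ == "__main__":
    concat_row, bound_row = demo()
    print("concatenated:", concat_row)  # subquery result was evaluated and stored
    print("bound:       ", bound_row)   # header stored verbatim
```

Because error-based leakage depends on the database error text reaching the client, bound parameters should be paired with generic error responses, keeping the driver's message in server-side logs only.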
Hope this gave you some ideas!!